Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/22 17:30:13 UTC

svn commit: r1681147 - in /tomcat/native/trunk/native: include/ssl_private.h src/sslcontext.c

Author: rjung
Date: Fri May 22 15:30:13 2015
New Revision: 1681147

URL: http://svn.apache.org/r1681147
Log:
Port mod_ssl improvements to tcnative/ssl:

Partial backport of r1526168 from httpd/mod_ssl:

Streamline ephemeral key handling:

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

Modified:
    tomcat/native/trunk/native/include/ssl_private.h
    tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1681147&r1=1681146&r2=1681147&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri May 22 15:30:13 2015
@@ -210,6 +210,7 @@
 #define OCSP_STATUS_REVOKED   1
 #define OCSP_STATUS_UNKNOWN   2
 
+#define SSL_CIPHERS_ALWAYS_DISABLED         ("!aNULL:!eNULL:!EXP:")
 
 /* ECC: make sure we have at least 1.0.0 */
 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
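Review bot: Wrapping the string literal in parentheses on the new `SSL_CIPHERS_ALWAYS_DISABLED` line prevents the preprocessor-level literal concatenation that would make the prefix usable directly in a format string (`SSL_CIPHERS_ALWAYS_DISABLED "%s"`), which is part of why sslcontext.c has to splice it in with `strlen`/`memcpy`. Defining it as `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"` keeps the value identical and lets callers concatenate at compile time. A one-line comment on the macro, `/* prepended to every configured cipher string; '!' entries cannot be re-enabled later in the list */`, would also document why prepending rather than appending is correct here.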

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681147&r1=1681146&r2=1681147&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri May 22 15:30:13 2015
@@ -379,13 +379,25 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     TCN_ASSERT(ctx != 0);
     if (!J2S(ciphers))
         return JNI_FALSE;
-
-    if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+    
+    /*
+     *  Always disable NULL and export ciphers,
+     *  no matter what was given in the config.
+     */
+    size_t len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+    char *buf = malloc(len * sizeof(char *));
+    if (buf == NULL)
+        return JNI_FALSE;
+    memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+    memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
+    buf[len - 1] = '\0';
+    if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
         char err[256];
         ERR_error_string(ERR_get_error(), err);
         tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
         rv = JNI_FALSE;
     }
+    free(buf);
     TCN_FREE_CSTRING(ciphers);
     return rv;
 }
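Review bot: The allocation on the new `malloc(len * sizeof(char *))` line multiplies the byte count by the size of a pointer, so the buffer is pointer-size times larger than needed; `buf` holds `char`, so the request should be `malloc(len)`. The new early `return JNI_FALSE` on allocation failure also skips `TCN_FREE_CSTRING(ciphers)`, which the success path below uses to release the converted string, so that path presumably leaks the JNI string (the pre-existing early return above it has the same shape, but that is not this commit's change). The three `strlen`/`memcpy` lines can be replaced by a single bounded `snprintf`, which also drops the manual terminator write and the repeated `strlen` calls; the new line `+    ` carries trailing whitespace. The enclosing function starts before the hunk.
```c
    size_t len = strlen(SSL_CIPHERS_ALWAYS_DISABLED) + strlen(J2S(ciphers)) + 1;
    char *buf = malloc(len);                /* len is a byte count; buf holds char */
    if (buf == NULL) {
        TCN_FREE_CSTRING(ciphers);          /* release the converted string on this path too */
        return JNI_FALSE;
    }
    snprintf(buf, len, "%s%s", SSL_CIPHERS_ALWAYS_DISABLED, J2S(ciphers));
    /* … unchanged: SSL_CTX_set_cipher_list call, error reporting, free(buf) … */
```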


