Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 22:31:55 UTC

svn commit: r1737283 - in /tomcat/tc6.0.x/trunk: ./ bin/ java/org/apache/tomcat/util/compat/ java/org/apache/tomcat/util/net/jsse/ java/org/apache/tomcat/util/net/jsse/res/ webapps/docs/ webapps/docs/config/

Author: markt
Date: Thu Mar 31 20:31:55 2016
New Revision: 1737283

URL: http://svn.apache.org/viewvc?rev=1737283&view=rev
Log:
TLS improvements
- enable stronger ephemeral DH keys by default
- filter out known weak ciphers from default list

Added:
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/
      - copied from r1737248, tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/compat/
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java   (with props)
Removed:
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreVendor.java
Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/bin/catalina.bat
    tomcat/tc6.0.x/trunk/bin/catalina.sh
    tomcat/tc6.0.x/trunk/build.xml
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 20:31:55 2016
@@ -1,3 +1,4 @@
-/tomcat/tc7.0.x/trunk
 ,1668541,1668635,1669802,1676557,1681183,1681841,1681865,1681867,1685829,1693109,1694293,1694433,1694875,1696381,1701945,1710353,1712656,1713873,1714000,1714005,1714540,1715213,1716221,1716417,1717107,1717210,1717212,1720236,1720398,1720443,1720464,1721814,1721883,1722645,1722801,1723151,1724435,1724553,1724675,1724797,1724806,1725931,1726631,1726808,1726813,1726815,1726817,1726819,1726917,1726919,1726922-1726924,1727031,1727034,1727043,1727158,1727672,1727903,1728450,1729363,1731010,1731119,1731956,1731978,1732362,1732674-1732675,1733942,1734116,1734134,1734532
+/tomcat/tc7.0.x/trunk
 ,1668541,1668635,1669802,1676557,1681183,1681841,1681865,1681867,1685829,1693109,1694293,1694433,1694875,1696381,1701945,1710353,1712656,1713873,1714000,1714005,1714540,1715213,1716221,1716417,1717107,1717210,1717212,1720236,1720398,1720443,1720464,1721814,1721883,1722645,1722801,1723151,1724435,1724553,1724675,1724797,1724806,1725931,1726631,1726808,1726813,1726815,1726817,1726819,1726917,1726919,1726922-1726924,1727031,1727034,1727043,1727158,1727672,1727903,1728450,1729363,1731010,1731119,1731956,1731978,1732362,1732674-1732675,1733942,1734116,1734134,1734532,1737249
 /tomcat/tc8.0.x/trunk:1637685,1637709,1640674,1641726,1641729-1641730,1643513,1643539,1643571,1643581-1643582,1644018,1648816,1656300,1658801-1658803,1658811,1659522,1663997,1664175,1665086,1666967,1666988,1668634,1669801,1676556,1681182,1681840,1681864,1685827,1689921,1693108,1694291,1694427,1694873,1696379,1701944,1710347,1712618,1712655,1713872,1713998,1714004,1714538,1715207,1716216-1716217,1716414,1717208-1717209,1720235,1720396,1720442,1720463,1721813,1721882,1722800,1723130,1724434,1724674,1724792,1724803,1725929,1725963-1725965,1725970,1725974,1726172,1726175,1726179-1726182,1726195-1726198,1726200,1726203,1726226,1726576,1726630,1727029,1727037,1727671,1727900,1728449,1729362,1731009,1731955,1731977,1732360,1732672,1733941,1734115,1734133,1734531
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,656018,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770
 809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,890139,890265
 ,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907727,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,943112,944409,944416,945231,945808,945835,945841,946686,94
 8057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004393,1004409,1004415,1004868-1004869,1004912,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1033897,1037715,1037794,1037887,1037924,1038041,1041892,1042022,1042029,1042447,1042452,1042494,1043983,1044944,1044987,1049264,1050249,1055055,1055236,1055458,1055975,1056264,1056828,1056889,1059881,1060486,1061412,1061442,1061446,1061503,1062398,1064652,1066244,1066772,1067039,1067139,1069824,1070139,1070420,1070609,1072042,1073184,1073393,1075458,1076212,1078409,1078412,1079801,1081118,1081334,1088179,1088460,1090022,1
 094069,1094089,1095138,1097899,1099575,1099586,1099772,1099789,1100145,1100822,1101094,1101144,1124680,1130774,1133014,1137862,1137996,1138950,1138953,1139280,1140693,1141104,1141441,1142043,1142904,1143134,1143150,1145137,1148216,1148471,1152601,1156171,1156519,1164567,1167394,1172233-1172234,1172236,1173614,1174353,1174882,1174884,1175158,1175190,1176799,1177125,1177245,1177850,1177862,1178228,1178233,1178684,1181028,1181136,1184917,1184919,1185200,1185588,1186011,1186104,1186123,1186137,1186153,1186378,1186712,1186763,1186949,1187381,1189240,1189386,1190388-1190389,1190474,1198622,1201576,1203091,1224801,1233426,1243034,1243038,1244567,1298140,1298628-1298629,1304468,1311997,1331766,1333161,1333173,1342498,1342503,1348425,1348461-1348495,1348989,1350294,1351056,1351636-1351640,1352011,1354685,1354847,1354856,1356125,1359981,1371283,1409007,1413552,1413556,1413562,1417282,1430079,1430481,1430567,1435606,1435636,1435642,1438411,1439054,1441348,1446640,1446650,1447012,1453105,145311
 2,1456666-1456678,1456713,1456721,1457968,1460342,1460533,1484862,1486875,1492570,1494143,1500062,1503851,1505843,1513148-1513149,1526469,1533312,1536520,1539157,1539173,1540374,1552804,1555163,1558811,1561054-1561065,1561067-1561070,1561072-1561075,1561083,1561190-1561192,1561635,1561640,1561732,1562742,1562746,1564309,1564312,1568921,1574004,1577315,1577324,1577463,1578812-1578813,1586658,1586894,1586959,1588193,1588197,1589737-1589738,1589763,1589837,1589842,1589980,1590018,1590302,1590646,1590648,1590835,1590842,1590911,1593259,1593261,1593335,1593834,1594229,1595171,1595289,1597532,1600955,1600963,1600978,1600984,1601329-1601330,1601332,1601855,1608963,1609061,1609593,1617362,1617365,1617383,1617456,1623392,1624247,1626579,1627033,1628978,1631155,1631520,1632584,1634117,1634130,1637684,1637695,1640655-1640658,1641656,1641660,1641692,1641707-1641718,1641721-1641722,1642564,1642606,1643045,1643054,1643570,1644017,1648815,1656299,1658799,1658802,1659521,1663995,1664174,1665085,166
 6966,1666985,1668630,1669800,1676552,1681837-1681838,1681854,1685826,1687242,1689918,1693105,1694290,1694872,1696378,1701940,1710346,1712617,1712654,1713871,1713997,1714002,1715188,1715206,1716213-1716214,1716413,1716640,1716856,1716858,1716881-1716882,1716886,1716894,1720234,1720394,1720439,1720462,1721812,1721881,1722532,1722799,1722807,1722824,1722828-1722829,1722831,1722859,1723127,1723707,1723736,1724427,1724433,1724673,1724788,1724863,1725113,1725183,1725199,1725202,1725204,1725207,1725263-1725264,1725266,1725278,1725282,1725405,1725646,1725649-1725652,1725696-1725697,1725914,1725926,1726177,1726202,1726628,1726676,1726926,1727162,1727670,1727899,1728448,1729361,1731008,1731953,1731976,1732359,1733940,1734113,1734128,1734192
+/tomcat/tc8.5.x/trunk:1737199
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,656018,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770
 809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,890139,890265
 ,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907727,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,943112,944409,944416,945231,945808,945835,945841,946686,94
 8057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004393,1004409,1004415,1004868-1004869,1004912,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1033897,1037715,1037794,1037887,1037924,1038041,1041892,1042022,1042029,1042447,1042452,1042494,1043983,1044944,1044987,1049264,1050249,1055055,1055236,1055458,1055975,1056264,1056828,1056889,1059881,1060486,1061412,1061442,1061446,1061503,1062398,1064652,1066244,1066772,1067039,1067139,1069824,1070139,1070420,1070609,1072042,1073184,1073393,1075458,1076212,1078409,1078412,1079801,1081118,1081334,1088179,1088460,1090022,1
 094069,1094089,1095138,1097899,1099575,1099586,1099772,1099789,1100145,1100822,1101094,1101144,1124680,1130774,1133014,1137862,1137996,1138950,1138953,1139280,1140693,1141104,1141441,1142043,1142904,1143134,1143150,1145137,1148216,1148471,1152601,1156171,1156519,1164567,1167394,1172233-1172234,1172236,1173614,1174353,1174882,1174884,1175158,1175190,1176799,1177125,1177245,1177850,1177862,1178228,1178233,1178684,1181028,1181136,1184917,1184919,1185200,1185588,1186011,1186104,1186123,1186137,1186153,1186378,1186712,1186763,1186949,1187381,1189240,1189386,1190388-1190389,1190474,1198622,1201576,1203091,1224801,1233426,1243034,1243038,1244567,1298140,1298628-1298629,1304468,1311997,1331766,1333161,1333173,1342498,1342503,1348425,1348461-1348495,1348989,1350294,1351056,1351636-1351640,1352011,1354685,1354847,1354856,1356125,1359981,1371283,1409007,1413552,1413556,1413562,1417282,1430079,1430481,1430567,1435606,1435636,1435642,1438411,1439054,1441348,1446640,1446650,1447012,1453105,145311
 2,1456666-1456678,1456713,1456721,1457968,1460342,1460533,1484862,1486875,1492570,1494143,1500062,1503851,1505843,1513148-1513149,1526469,1533312,1536520,1539157,1539173,1540374,1552804,1555163,1558811,1561054-1561065,1561067-1561070,1561072-1561075,1561083,1561190-1561192,1561635,1561640,1561732,1562742,1562746,1564309,1564312,1568921,1574004,1577315,1577324,1577463,1578812-1578813,1586658,1586894,1586959,1588193,1588197,1589737-1589738,1589763,1589837,1589842,1589980,1590018,1590302,1590646,1590648,1590835,1590842,1590911,1593259,1593261,1593335,1593834,1594229,1595171,1595289,1597532,1600955,1600963,1600978,1600984,1601329-1601330,1601332,1601855,1608963,1609061,1609593,1617362,1617365,1617383,1617456,1623392,1624247,1626579,1627033,1628978,1631155,1631520,1632584,1634117,1634130,1637684,1637695,1640655-1640658,1641656,1641660,1641692,1641707-1641718,1641721-1641722,1642564,1642606,1643045,1643054,1643570,1644017,1648815,1656299,1658799,1658802,1659521,1663995,1664174,1665085,166
 6966,1666985,1668630,1669800,1676552,1681837-1681838,1681854,1685826,1687242,1689918,1693105,1694290,1694872,1696378,1701940,1710346,1712617,1712654,1713871,1713997,1714002,1715188,1715206,1716213-1716214,1716413,1716640,1716856,1716858,1716881-1716882,1716886,1716894,1720234,1720394,1720439,1720462,1721812,1721881,1722532,1722799,1722807,1722824,1722828-1722829,1722831,1722859,1723127,1723707,1723736,1724427,1724433,1724673,1724788,1724863,1725113,1725183,1725199,1725202,1725204,1725207,1725263-1725264,1725266,1725278,1725282,1725405,1725646,1725649-1725652,1725696-1725697,1725914,1725926,1726177,1726202,1726628,1726676,1726926,1727162,1727670,1727899,1728448,1729361,1731008,1731953,1731976,1732359,1733940,1734113,1734128,1734192,1737119

Modified: tomcat/tc6.0.x/trunk/bin/catalina.bat
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/bin/catalina.bat?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/bin/catalina.bat (original)
+++ tomcat/tc6.0.x/trunk/bin/catalina.bat Thu Mar 31 20:31:55 2016
@@ -66,6 +66,10 @@ rem
 rem                   -agentlib:jdwp=transport=%JPDA_TRANSPORT%,
 rem                       address=%JPDA_ADDRESS%,server=y,suspend=%JPDA_SUSPEND%
 rem
+rem   JSSE_OPTS       (Optional) Java runtime options used to control the TLS
+rem                   implementation when JSSE is used. Default is:
+rem                   "-Djdk.tls.ephemeralDHKeySize=2048"
+rem
 rem   LOGGING_CONFIG  (Optional) Override Tomcat's logging config file
 rem                   Example (all one line)
 rem                   set LOGGING_CONFIG="-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties"
@@ -141,6 +145,11 @@ goto juliClasspathDone
 set "CLASSPATH=%CLASSPATH%%CATALINA_HOME%\bin\bootstrap.jar"
 :juliClasspathDone
 
+if not "%JSSE_OPTS%" == "" goto gotJsseOpts
+set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+:gotJsseOpts
+set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"
+
 if not "%LOGGING_CONFIG%" == "" goto noJuliConfig
 set LOGGING_CONFIG=-Dnop
 if not exist "%CATALINA_BASE%\conf\logging.properties" goto noJuliConfig
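Review bot: `JSSE_OPTS` is appended to `JAVA_OPTS` unconditionally here and in the matching catalina.sh hunk, but `-Djdk.tls.ephemeralDHKeySize=2048` only has an effect on JREs whose JSSE implements that property; on older JREs the JVM silently ignores the unknown system property, so the DHE-suite filtering added to JSSESocketFactory in this commit is what actually protects those installations, and nothing tells the operator that the stronger DH default did not apply. A comment next to the default, `rem Ignored by JREs whose JSSE does not implement jdk.tls.ephemeralDHKeySize; see JSSESocketFactory for the cipher filtering used instead`, would keep a future reader from assuming the option alone is sufficient. Note also that an operator cannot opt out of the default, because an empty `JSSE_OPTS` re-enables it; the header comment could say that a harmless placeholder such as `-Dnop` (the idiom the script already uses for `LOGGING_CONFIG`) disables it.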

Modified: tomcat/tc6.0.x/trunk/bin/catalina.sh
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/bin/catalina.sh?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/bin/catalina.sh (original)
+++ tomcat/tc6.0.x/trunk/bin/catalina.sh Thu Mar 31 20:31:55 2016
@@ -70,6 +70,10 @@
 #                   -agentlib:jdwp=transport=$JPDA_TRANSPORT,
 #                       address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND
 #
+#   JSSE_OPTS       (Optional) Java runtime options used to control the TLS
+#                   implementation when JSSE is used. Default is:
+#                   "-Djdk.tls.ephemeralDHKeySize=2048"
+#
 #   CATALINA_PID    (Optional) Path of the file which should contains the pid
 #                   of catalina startup java process, when start (fork) is used
 #
@@ -205,6 +209,11 @@ if $cygwin; then
   JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
 fi
 
+if [ -z "$JSSE_OPTS" ] ; then
+  JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+fi
+JAVA_OPTS="$JAVA_OPTS $JSSE_OPTS"
+
 # Set juli LogManager config file if it is present and an override has not been issued
 if [ -z "$LOGGING_CONFIG" ]; then
   if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then

Modified: tomcat/tc6.0.x/trunk/build.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/build.xml?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/build.xml (original)
+++ tomcat/tc6.0.x/trunk/build.xml Thu Mar 31 20:31:55 2016
@@ -227,7 +227,6 @@
     <include name="org/apache/catalina/loader/Reloader.*" />
     <include name="org/apache/catalina/security/SecurityClassLoad.*" />
     <include name="org/apache/naming/JndiPermission.*" />
-    <include name="org/apache/tomcat/util/compat/*" />
   </patternset>
 
   <patternset id="files.tomcat-juli">

Added: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java?rev=1737283&view=auto
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java (added)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java Thu Mar 31 20:31:55 2016
@@ -0,0 +1,38 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+public class Jre6Compat extends JreCompat {
+
+    protected static final Class<?> sslParametersClass;
+    
+    static {
+        Class<?> c = null;
+        try {
+            c = Class.forName("javax.net.ssl.SSLParameters");
+        } catch (SecurityException e) {
+            // Should never happen
+        } catch (ClassNotFoundException e) {
+            // Expected on Java 5
+        }
+        sslParametersClass = c;
+    }
+
+    static boolean isSupported() {
+        return sslParametersClass != null;
+    }
+}
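Review bot: The class has no Javadoc explaining its detection marker, although the logic depends on `javax.net.ssl.SSLParameters` being absent on Java 5 (the `ClassNotFoundException` branch) and present from Java 6 onwards; propose `/** Java 6 compatibility layer. Java 6 is detected by the presence of javax.net.ssl.SSLParameters; the Class object is kept in sslParametersClass so subclasses (Jre8Compat) can reflect on it without a compile-time dependency on that type. */`. A short comment on `isSupported()`, `// true on Java 6+, where SSLParameters could be loaded`, would match it. The line following the `sslParametersClass` declaration is whitespace-only with trailing spaces.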

Propchange: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre6Compat.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java?rev=1737283&r1=1737248&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre7Compat.java Thu Mar 31 20:31:55 2016
@@ -20,7 +20,7 @@ import java.lang.reflect.InvocationTarge
 import java.lang.reflect.Method;
 import java.util.Locale;
 
-class Jre7Compat extends JreCompat {
+class Jre7Compat extends Jre6Compat {
 
     private static final Method forLanguageTagMethod;
 

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java?rev=1737283&r1=1737248&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java Thu Mar 31 20:31:55 2016
@@ -20,36 +20,39 @@ import java.lang.reflect.InvocationTarge
 import java.lang.reflect.Method;
 
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLServerSocket;
 
 class Jre8Compat extends Jre7Compat {
 
     private static final Method getSSLParametersMethod;
+    private static final Method getSSLParametersEngineMethod;
     private static final Method setUseCipherSuitesOrderMethod;
     private static final Method setSSLParametersMethod;
+    private static final Method setSSLParametersEngineMethod;
 
 
     static {
         Method m1 = null;
         Method m2 = null;
         Method m3 = null;
+        Method m4 = null;
+        Method m5 = null;
         try {
-            // Get this class first since it is Java 8+ only
-            Class<?> c2 = Class.forName("javax.net.ssl.SSLParameters");
             m1 = SSLServerSocket.class.getMethod("getSSLParameters");
-            m2 = c2.getMethod("setUseCipherSuitesOrder", boolean.class);
-            m3 = SSLServerSocket.class.getMethod("setSSLParameters", c2);
+            m2 = SSLEngine.class.getMethod("getSSLParameters");
+            m3 = sslParametersClass.getMethod("setUseCipherSuitesOrder", boolean.class);
+            m4 = SSLServerSocket.class.getMethod("setSSLParameters", sslParametersClass);
+            m5 = SSLEngine.class.getMethod("setSSLParameters", sslParametersClass);
         } catch (SecurityException e) {
             // Should never happen
         } catch (NoSuchMethodException e) {
             // Expected on Java < 8
-        } catch (ClassNotFoundException e) {
-            // Expected on Java < 7
         }
         getSSLParametersMethod = m1;
-        setUseCipherSuitesOrderMethod = m2;
-        setSSLParametersMethod = m3;
+        getSSLParametersEngineMethod = m2;
+        setUseCipherSuitesOrderMethod = m3;
+        setSSLParametersMethod = m4;
+        setSSLParametersEngineMethod = m5;
     }
 
 
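Review bot: The static initialiser dereferences `sslParametersClass` at the `m3` lookup without a null check, and on a Java 5 JRE that field is null (Jre6Compat leaves it null when `javax.net.ssl.SSLParameters` is absent). This is safe only because the preceding `m1` lookup of `SSLServerSocket.getSSLParameters` presumably fails with `NoSuchMethodException` first on Java 5; neither catch clause covers `NullPointerException`, so reordering the lookups would turn class initialisation into an `ExceptionInInitializerError` inside `JreCompat`'s static block, which probes `Jre8Compat.isSupported()` on every JRE. Make the dependency explicit, either by guarding the lookups with `if (sslParametersClass != null) { ... }` or at least by adding `// m1 must be looked up first: on Java 5 it fails before sslParametersClass (null there) is dereferenced` above the `try`.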
@@ -80,10 +83,11 @@ class Jre8Compat extends Jre7Compat {
     @Override
     public void setUseServerCipherSuitesOrder(SSLEngine engine,
             boolean useCipherSuitesOrder) {
-        SSLParameters sslParameters = engine.getSSLParameters();
+        
         try {
+            Object sslParameters = getSSLParametersEngineMethod.invoke(engine);
             setUseCipherSuitesOrderMethod.invoke(sslParameters, Boolean.valueOf(useCipherSuitesOrder));
-            engine.setSSLParameters(sslParameters);
+            setSSLParametersEngineMethod.invoke(engine, sslParameters);
         } catch (IllegalArgumentException e) {
             throw new UnsupportedOperationException(e);
         } catch (IllegalAccessException e) {

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java?rev=1737283&r1=1737248&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java Thu Mar 31 20:31:55 2016
@@ -33,24 +33,33 @@ public class JreCompat {
     private static final JreCompat instance;
     private static StringManager sm =
             StringManager.getManager(JreCompat.class.getPackage().getName());
+    private static final boolean jre6Available;
     private static final boolean jre7Available;
     private static final boolean jre8Available;
     
     
     static {
-        // This is Tomcat 7 with a minimum Java version of Java 6. The latest
+        // This is Tomcat 6 with a minimum Java version of Java 5. The latest
         // Java version the optional features require is Java 8.
         // Look for the highest supported JVM first
         if (Jre8Compat.isSupported()) {
             instance = new Jre8Compat();
+            jre6Available = true;
             jre7Available = true;
             jre8Available = true;
         } else if (Jre7Compat.isSupported()) {
             instance = new Jre7Compat();
+            jre6Available = true;
             jre7Available = true;
             jre8Available = false;
+        } else if (Jre6Compat.isSupported()) {
+            instance = new Jre6Compat();
+            jre6Available = true;
+            jre7Available = false;
+            jre8Available = false;
         } else {
             instance = new JreCompat();
+            jre6Available = false;
             jre7Available = false;
             jre8Available = false;
         }
@@ -62,7 +71,14 @@ public class JreCompat {
     }
     
     
-    // Java 6 implementation of Java 7 methods
+    // Java 5 implementation of Java 6 methods
+    
+    public static boolean isJre6Available() {
+        return jre6Available;
+    }
+    
+    
+    // Java 5 implementation of Java 7 methods
     
     public static boolean isJre7Available() {
         return jre7Available;
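Review bot: The new `isJre6Available()` has no Javadoc, and like `isJre7Available()` below it the meaning of "available" is only discoverable from the static block in the previous hunk; propose `/** @return true if the running JRE provides the Java 6 API detected by Jre6Compat (javax.net.ssl.SSLParameters), i.e. Java 6 or later */`. The section-header comment `// Java 5 implementation of Java 6 methods` is slightly misleading here since the only member under it is the availability accessor; `// Java 6 feature detection` would describe what follows.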
@@ -110,7 +126,7 @@ public class JreCompat {
     }
    
     
-    // Java 6 implementation of Java 8 methods
+    // Java 5 implementation of Java 8 methods
     
     public static boolean isJre8Available() {
         return jre8Available;

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Mar 31 20:31:55 2016
@@ -62,6 +62,7 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509KeyManager;
 
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.res.StringManager;
 
 /**
@@ -168,7 +169,44 @@ public class JSSESocketFactory
             return;
         }
 
-        defaultServerCipherSuites = socket.getEnabledCipherSuites();
+        // Many of the default ciphers supported by older JRE versions are
+        // now considered insecure. This code attempts to filter them out
+        List<String> filteredCiphers = new ArrayList<String>();
+        for (String cipher : socket.getEnabledCipherSuites()) {
+            // Remove export ciphers - FREAK
+            if (cipher.toUpperCase(Locale.ENGLISH).contains("EXP")) {
+                log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
+                continue;
+            }
+            // Remove DES ciphers
+            if (cipher.toUpperCase(Locale.ENGLISH).contains("_DES_")) {
+                log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
+                continue;
+            }
+            // Remove RC4 ciphers
+            if (cipher.toUpperCase(Locale.ENGLISH).contains("_RC4_")) {
+                log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
+                continue;
+            }
+            // Remove DHE ciphers unless running on Java 8 or above 
+            if (!JreCompat.isJre8Available() &&
+                    cipher.toUpperCase(Locale.ENGLISH).contains("_DHE_")) {
+                log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
+                continue;
+            }
+            // Remove kRSA ciphers when running on Java 7 or above. Can't
+            // remove them for Java 6 since they are likely to be the only
+            // ones left
+            if (JreCompat.isJre7Available() &&
+                    (cipher.toUpperCase(Locale.ENGLISH).startsWith("TLS_RSA_") ||
+                     cipher.toUpperCase(Locale.ENGLISH).startsWith("SSL_RSA_"))) {
+                log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
+                continue;
+            }
+            filteredCiphers.add(cipher);
+        }
+
+        defaultServerCipherSuites = filteredCiphers.toArray(new String[filteredCiphers.size()]);
         if (defaultServerCipherSuites.length == 0) {
             log.warn(sm.getString("jsse.noDefaultCiphers"));
         }
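Review bot: The filter excludes export, DES, RC4, DHE (below Java 8) and kRSA (Java 7 and above) suites but never anonymous (`_anon_`) or NULL-encryption suites; the JRE default enabled lists presumably do not contain them, but because this array is the fallback used when no explicit cipher list is configured, adding `upper.contains("_ANON_") || upper.contains("_NULL_")` to the exclusions would make the safety of the default depend on this code rather than on the JRE. `cipher.toUpperCase(Locale.ENGLISH)` is recomputed in each of the six conditions; hoist it once per iteration with `String upper = cipher.toUpperCase(Locale.ENGLISH);` and test `upper` in every branch. The only import added in this file is `JreCompat`, so `List`, `ArrayList` and `Locale` must already be imported above line 62, which lies outside the hunk and is worth confirming. Because Java 7 drops both DHE and kRSA, largely the ECDH(E) family survives there; if a JRE offers none of those the array is empty and the existing `jsse.noDefaultCiphers` warning at the end of the hunk is all the operator sees. The enclosing method starts and ends outside the hunk.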

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Thu Mar 31 20:31:55 2016
@@ -21,6 +21,7 @@ jsse.requested_ciphers_not_supported=Non
 jsse.enableable_ciphers=Specified SSL ciphers that are supported and enableable are : {0}
 jsse.unsupported_ciphers=Some specified SSL ciphers are not supported by the SSL engine : {0}
 jsse.unsupportedProtocol=The specified SSL protocol [{0}] is not supported
+jsse.excludeDefaultCipher=The SSL cipher [{0}] which is enabled by default in this JRE was excluded from the defaults used by Tomcat
 jsse.excludeDefaultProtocol=The SSL protocol [{0}] which is enabled by default in this JRE was excluded from the defaults used by Tomcat
 jsse.noDefaultCiphers=Unable to determine a default for ciphers. Set an explicit value to ensure the connector can start.
 jsse.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols. Set an explicit value to ensure the connector can start.

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 20:31:55 2016
@@ -75,6 +75,16 @@
         Processor being added to the cache twice leading to broken responses.
         (markt)
       </fix>
+      <fix>
+        Limit the default TLS ciphers to those currently considered secure.
+        (markt) 
+      </fix>
+      <add>
+        Add a new environment variable <code>JSSE_OPTS</code> that is intended
+        to be used to pass JVM wide configuration to the JSSE implementation.
+        The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
+        which protects against weak Diffie-Hellman keys. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Web applications">

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1737283&r1=1737282&r2=1737283&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 20:31:55 2016
@@ -794,12 +794,12 @@
       <p>The comma separated list of encryption ciphers to support for HTTPS
       connections. If specified, only the ciphers that are listed and supported
       by the SSL implementation will be used. By default, the default ciphers
-      for the JVM will be used. Note that this usually means that the weak
-      export grade ciphers will be included in the list of available ciphers.
-      The ciphers are specified using the JSSE cipher naming convention. The
-      special value of <code>ALL</code> will enable all supported ciphers. This
-      will include many that are not secure. <code>ALL</code> is intended for
-      testing purposes only.</p>
+      for the JVM will be used less those considered to be insecure. Note that
+      with older JVMs this will result in a very limited set of ciphers being
+      available by default. The ciphers are specified using the JSSE cipher
+      naming convention. The special value of <code>ALL</code> will enable all
+      supported ciphers. This will include many that are not secure.
+      <code>ALL</code> is intended for testing purposes only.</p>
     </attribute>
 
     <attribute name="keyAlias" required="false">



