Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/09/20 13:39:31 UTC
svn commit: r1761574 - in /tomcat/trunk:
java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
webapps/docs/changelog.xml
Author: markt
Date: Tue Sep 20 13:39:30 2016
New Revision: 1761574
URL: http://svn.apache.org/viewvc?rev=1761574&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60138
Fix the SSLHostConfig so that the protocols attribute is limited to the protocols supported by the current JSSE implementation rather than the default protocols used by the implementation.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1761574&r1=1761573&r2=1761574&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Sep 20 13:39:30 2016
@@ -49,8 +49,6 @@ import javax.net.ssl.CertPathTrustManage
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.ManagerFactoryParameters;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -95,29 +93,22 @@ public class JSSEUtil extends SSLUtilBas
throw new IllegalArgumentException(e);
}
- // There is no standard way to determine the default protocols and
- // cipher suites so create a server socket to see what the defaults are
- SSLServerSocketFactory ssf = context.getServerSocketFactory();
- implementedProtocols = new HashSet<>();
- try (SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket()) {
- // Filter out all the SSL protocols (SSLv2 and SSLv3) from the
- // defaults since they are no longer considered secure but allow
- // SSLv2Hello
- for (String protocol : socket.getEnabledProtocols()) {
- String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
- if (!"SSLV2HELLO".equals(protocolUpper)) {
- if (protocolUpper.contains("SSL")) {
- log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol));
- continue;
- }
+ String[] implementedProtocolsArray = context.getSupportedSSLParameters().getProtocols();
+ implementedProtocols = new HashSet<>(implementedProtocolsArray.length);
+
+ // Filter out all the SSL protocols (SSLv2 and SSLv3) from the list of
+ // implemented protocols since they are no longer considered secure but
+ // allow SSLv2Hello. This has the effect of making it impossible to use
+ // SSLv2 or SSLv3 without source code changes.
+ for (String protocol : implementedProtocolsArray) {
+ String protocolUpper = protocol.toUpperCase(Locale.ENGLISH);
+ if (!"SSLV2HELLO".equals(protocolUpper)) {
+ if (protocolUpper.contains("SSL")) {
+ log.debug(sm.getString("jsse.excludeProtocol", protocol));
+ continue;
}
- implementedProtocols.add(protocol);
}
- } catch (IOException e) {
- // This is very likely to be fatal but there is a slim chance that
- // the JSSE implementation just doesn't like creating unbound
- // sockets so allow the code to proceed.
-
+ implementedProtocols.add(protocol);
}
if (implementedProtocols.size() == 0) {
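Review bot: `implementedProtocolsArray.length` dereferences the result of `getSupportedSSLParameters().getProtocols()` with no null guard, and `SSLParameters.getProtocols()` is documented as returning null when no protocols are set; the removed socket-based code could only reach the `implementedProtocols.size() == 0` fallback with an empty set, whereas the new code would throw a NullPointerException before that check runs. A one-line guard ahead of the `new HashSet<>(...)` keeps the fallback reachable: `if (implementedProtocolsArray == null) { implementedProtocolsArray = new String[0]; }`. Separately, the filtered set is now every protocol the provider supports rather than the protocols the JRE enables by default, so if `implementedProtocols` also feeds a default elsewhere (the `jsse.noDefaultProtocols` message suggests it may) any protocol the provider supports but does not enable by default becomes usable without explicit configuration — worth confirming in the caller. The enclosing constructor starts and ends outside the hunk.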
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties?rev=1761574&r1=1761573&r2=1761574&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties Tue Sep 20 13:39:30 2016
@@ -19,7 +19,7 @@ jsse.invalidTrustManagerClassName=The tr
jsse.requested_ciphers_not_supported=None of the ciphers specified are supported by the SSL engine : {0}
jsse.enableable_ciphers=Specified SSL ciphers that are supported and enableable are : {0}
jsse.unsupported_ciphers=Some specified SSL ciphers are not supported by the SSL engine : {0}
-jsse.excludeDefaultProtocol=The SSL protocol [{0}] which is enabled by default in this JRE was excluded from the defaults used by Tomcat
+jsse.excludeProtocol=The SSL protocol [{0}] which is supported in this JRE was excluded from the protocols available to Tomcat
jsse.noDefaultCiphers=Unable to determine a default for ciphers for [{0}]. Set an explicit value to ensure the connector can start.
jsse.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols. Set an explicit value to ensure the connector can start.
jsse.exceptionOnClose=Failure to close socket.
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1761574&r1=1761573&r2=1761574&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Sep 20 13:39:30 2016
@@ -74,6 +74,12 @@
Tatsuya Bessho. (kfujino)
</fix>
<fix>
+ <bug>60138</bug>: Fix the <code>SSLHostConfig</code> so that the
+ <code>protocols</code> attribute is limited to the protocols supported
+ by the current JSSE implementation rather than the default protocols
+ used by the implementation. (markt)
+ </fix>
+ <fix>
<bug>60146</bug>: Improve performance for resource retrieval by making
calls to WebResource.getInputStream() trigger caching if the resource is
small enough. Patch provided by mohitchugh. (markt)