Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/04/05 20:02:26 UTC
svn commit: r1737862 -
/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Author: markt
Date: Tue Apr 5 18:02:25 2016
New Revision: 1737862
URL: http://svn.apache.org/viewvc?rev=1737862&view=rev
Log:
With a minimum version of OpenSSL 1.0.2, these features are always available.
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1737862&r1=1737861&r2=1737862&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Tue Apr 5 18:02:25 2016
@@ -194,82 +194,32 @@ public class OpenSSLContext implements o
return;
}
try {
- boolean legacyRenegSupported = false;
- try {
- legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- if (legacyRenegSupported)
- if (sslHostConfig.getInsecureRenegotiation()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!legacyRenegSupported) {
- // OpenSSL does not support unsafe legacy renegotiation.
- log.warn(netSm.getString("endpoint.warn.noInsecureReneg",
- SSL.versionString()));
+ if (sslHostConfig.getInsecureRenegotiation()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
+
// Use server's preference order for ciphers (rather than
// client's)
- boolean orderCiphersSupported = false;
- try {
- orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- if (orderCiphersSupported) {
- if (sslHostConfig.getHonorCipherOrder()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!orderCiphersSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(netSm.getString("endpoint.warn.noHonorCipherOrder",
- SSL.versionString()));
+ if (sslHostConfig.getHonorCipherOrder()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
}
// Disable compression if requested
- boolean disableCompressionSupported = false;
- try {
- disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
- if (disableCompressionSupported) {
- if (sslHostConfig.getDisableCompression()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableCompressionSupported) {
- // OpenSSL does not support ciphers ordering.
- log.warn(netSm.getString("endpoint.warn.noDisableCompression",
- SSL.versionString()));
+ if (sslHostConfig.getDisableCompression()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
}
// Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
- boolean disableSessionTicketsSupported = false;
- try {
- disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
- if (disableSessionTicketsSupported) {
- if (sslHostConfig.getDisableSessionTickets()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
- }
- }
- } catch (UnsatisfiedLinkError e) {
- // Ignore
- }
- if (!disableSessionTicketsSupported) {
- // OpenSSL is too old to support TLS Session Tickets.
- log.warn(netSm.getString("endpoint.warn.noDisableSessionTickets",
- SSL.versionString()));
+ if (sslHostConfig.getDisableSessionTickets()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
}
// Set session cache size, if specified
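Review bot: The four if/else blocks that now call SSLContext.setOptions/clearOptions unconditionally make the OpenSSL 1.0.2 floor (the reason the SSL.hasOp probes and the UnsatisfiedLinkError handling were dropped) an unstated precondition of this method; if that floor is enforced only at native-library initialisation, which is not visible here, a comment above the first block should record it, e.g. `// OpenSSL >= 1.0.2 is the supported minimum, so every SSL_OP_* applied below is assumed to be available`. The four `endpoint.warn.no*` message keys the removed lines looked up through netSm no longer have a caller in this hunk and should be checked for other references before being dropped from the string bundle. The same set-or-clear shape repeated four times would read better as one small private helper taking the context, the boolean from sslHostConfig and the SSL_OP_* constant, which also keeps it visible that the unsafe-legacy-renegotiation and session-ticket toggles leave the option cleared unless explicitly configured. The enclosing method and the try opened at the top of the hunk both continue past the hunk, so the catch that handles failures here cannot be reviewed from this view.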