Posted to dev@tomcat.apache.org by sc...@apache.org on 2013/01/17 21:13:27 UTC
svn commit: r1434887 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/coyote/http11/ java/org/apache/tomcat/jni/
java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/res/
webapps/docs/ webapps/docs/config/
Author: schultz
Date: Thu Jan 17 20:13:27 2013
New Revision: 1434887
URL: http://svn.apache.org/viewvc?rev=1434887&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
Allow APR connector to disable TLS compression if OpenSSL supports it.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1434882
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Jan 17 20:13:27 2013
@@ -191,6 +191,12 @@ public class Http11AprProtocol extends A
public int getSSLVerifyDepth() { return ((AprEndpoint)endpoint).getSSLVerifyDepth(); }
public void setSSLVerifyDepth(int SSLVerifyDepth) { ((AprEndpoint)endpoint).setSSLVerifyDepth(SSLVerifyDepth); }
+ /**
+ * Disable SSL compression.
+ */
+ public boolean getSSLDisableCompression() { return ((AprEndpoint)endpoint).getSSLDisableCompression(); }
+ public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)endpoint).setSSLDisableCompression(disable); }
+
// ----------------------------------------------------- JMX related methods
@Override
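Review bot: The Javadoc on the new getter reads `Disable SSL compression.`, which describes the setter's effect rather than what the getter returns; on a JMX-exposed attribute pair that wording is misleading. Suggest `/** Whether TLS compression is disabled on the APR endpoint; see AprEndpoint#getSSLDisableCompression. */` above the getter, and a one-line `/** Set to true to disable TLS compression (CRIME mitigation). */` above the setter. The enclosing class Http11AprProtocol starts and ends outside this hunk.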
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Thu Jan 17 20:13:27 2013
@@ -115,6 +115,8 @@ public final class SSL {
public static final int SSL_OP_ALL = 0x00000FFF;
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
+ /* Don't use compression even if supported */
+ public static final int SSL_OP_NO_COMPRESSION = 0x00020000;
/* Permit unsafe legacy renegotiation */
public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000;
/* If set, always create a new key when using tmp_eddh parameters */
@@ -339,15 +341,16 @@ public final class SSL {
public static native String getLastError();
/**
- * Return true if SSL_OP_ if defined.
- * <p>
- * Currently used for testing weather the
- * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
- * <p>
- * @param op SSL_OP to test.
- * @return true if SSL_OP is supported by OpenSSL library.
+ * Return true if all the requested SSL_OP_* are supported by OpenSSL.
+ *
+ * <i>Note that for versions of tcnative < 1.1.25, this method will
+ * return <code>true</code> if and only if <code>op</code>=
+ * {@link #SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION} and tcnative
+ * supports that flag.</i>
+ *
+ * @param Bitwise-OR of all SSL_OP_* to test.
+ *
+ * @return true if all SSL_OP_* are supported by OpenSSL library.
*/
public static native boolean hasOp(int op);
-
}
-
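Review bot: The rewritten Javadoc's `@param Bitwise-OR of all SSL_OP_* to test.` drops the parameter name, so javadoc will warn and the description is not attached to `op`; it should read `@param op Bitwise-OR of all SSL_OP_* to test.`. The literal `<` in `tcnative < 1.1.25` is raw HTML inside Javadoc and should be written `&lt;` (doclint rejects it on newer JDKs). The compatibility note itself is valuable: it documents that on tcnative older than 1.1.25 `hasOp(SSL_OP_NO_COMPRESSION)` returns false, which is what makes the runtime check in AprEndpoint fall back to a warning on those builds.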
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jan 17 20:13:27 2013
@@ -327,6 +327,19 @@ public class AprEndpoint extends Abstrac
public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
+ /**
+ * Disables compression of the SSL stream. This thwarts CRIME attack
+ * and possibly improves performance by not compressing uncompressible
+ * content such as JPEG, etc.
+ */
+ protected boolean SSLDisableCompression = false;
+
+ /**
+ * Set to <code>true</code> to disable SSL compression. This thwarts CRIME
+ * attack.
+ */
+ public void setSSLDisableCompression(boolean SSLDisableCompression) { this.SSLDisableCompression = SSLDisableCompression; }
+ public boolean getSSLDisableCompression() { return SSLDisableCompression; }
/**
* Port in use.
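Review bot: The default `false` leaves compression at whatever OpenSSL was built with, so the CRIME mitigation this field exists for is opt-in; the field Javadoc should say that explicitly rather than only claiming a performance side benefit. Suggest replacing the second sentence of the field comment with `Defaults to false, which keeps OpenSSL's own default (compression is typically enabled when OpenSSL is built with zlib), so this must be set to true to mitigate CRIME.` The performance claim about JPEG content is plausible but not something this code establishes; consider dropping it or hedging it. The enclosing class AprEndpoint starts and ends outside this hunk.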
@@ -554,6 +567,23 @@ public class AprEndpoint extends Abstrac
}
}
+ // Disable compression if requested
+ if (SSLDisableCompression) {
+ boolean disableCompressionSupported = false;
+ try {
+ disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+ if (disableCompressionSupported)
+ SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);
+ } catch (UnsatisfiedLinkError e) {
+ // Ignore
+ }
+ if (!disableCompressionSupported) {
+ // OpenSSL does not support ciphers ordering.
+ log.warn(sm.getString("endpoint.warn.noDisableCompression",
+ SSL.versionString()));
+ }
+ }
+
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
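Review bot: The comment `// OpenSSL does not support ciphers ordering.` inside the `if (!disableCompressionSupported)` branch is copied from the honor-cipher-order block and is wrong for this check; it should read `// tcnative/OpenSSL does not support SSL_OP_NO_COMPRESSION`. When the option is unsupported the connector still starts with compression left at OpenSSL's default and only logs a warning, so an operator who set SSLDisableCompression=true as a CRIME mitigation is not protected and only finds out by reading the log; a comment such as `// NOTE: compression stays at OpenSSL's default here; startup is not refused` would make that explicit, and refusing to start is worth considering. Per the SSL.hasOp Javadoc in this same commit, tcnative before 1.1.25 reports false for this flag regardless of the OpenSSL version, so the warning message naming only the OpenSSL version may point operators at the wrong component. The `if (disableCompressionSupported)` line also lacks braces, unlike the surrounding code. The enclosing method starts and ends outside this hunk.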
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Thu Jan 17 20:13:27 2013
@@ -41,6 +41,8 @@ endpoint.process.fail=Error allocating s
endpoint.sendfile.error=Unexpected sendfile error
endpoint.sendfile.addfail=Sendfile failure: [{0}] {1}
endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system doesn't support it
+endpoint.warn.noDisableCompression='Disable compression' option is not supported
+ by the SSL library {0}
endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0}
endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}
endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown.
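Review bot: The new `endpoint.warn.noDisableCompression` value is split across two physical lines with no trailing backslash, and java.util.Properties ends a value at the line break, so as shown here the warning would be logged as just `'Disable compression' option is not supported` (losing the `{0}` version) and a stray key `by` would be defined. Either keep it on one line like the neighbouring `endpoint.warn.noHonorCipherOrder` entry, or end the first line with `\` so the next line is a continuation: `endpoint.warn.noDisableCompression='Disable compression' option is not supported \` followed by `    by the SSL library {0}`. If the split is only an artefact of the mail archive, disregard, but the `+` marker on the second line suggests it is a genuine second line in the patch.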
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jan 17 20:13:27 2013
@@ -57,6 +57,10 @@
<subsection name="Coyote">
<changelog>
<fix>
+ <bug>54324</bug>: Allow APR connector to disable TLS compression
+ if OpenSSL supports it. (schultz)
+ </fix>
+ <fix>
<bug>54406</bug>: Fix NIO HTTPS connector to prune specified <code>
ciphers</code> and <code>sslEnableProtocols</code> options to those
supported by the SSL implementation, sharing logic with the BIO
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1434887&r1=1434886&r2=1434887&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Jan 17 20:13:27 2013
@@ -1201,6 +1201,12 @@
supported).</p>
</attribute>
+ <attribute name="SSLDisableCompression" required="false">
+ <p>Disables compression if set to <code>true</code> and OpenSSL supports
+ disabling comprssion. Default is <code>false</code> which inherits the
+ default compression setting in OpenSSL.</p>
+ </attribute>
+
<attribute name="SSLHonorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>SSLCipherSuite</code> setting) instead of allowing