Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/24 21:45:21 UTC
svn commit: r1681523 - in /tomcat/native/branches/1.1.x: ./
native/configure.in native/include/ssl_private.h native/src/sslcontext.c
xdocs/miscellaneous/changelog.xml
Author: rjung
Date: Sun May 24 19:45:21 2015
New Revision: 1681523
URL: http://svn.apache.org/r1681523
Log:
Port mod_ssl improvements to tcnative/ssl:
Partial backport of r1526168 from httpd/mod_ssl:
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
Custom tcnative builds with configure flag
--enable-insecure-export-ciphers can reenable support
for the insecure export and null ciphers.
Modified:
tomcat/native/branches/1.1.x/ (props changed)
tomcat/native/branches/1.1.x/native/configure.in
tomcat/native/branches/1.1.x/native/include/ssl_private.h
tomcat/native/branches/1.1.x/native/src/sslcontext.c
tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
Propchange: tomcat/native/branches/1.1.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun May 24 19:45:21 2015
@@ -1,3 +1,3 @@
-/tomcat/native/trunk:815411,988395,988402,988428,992208,1043611,1043696,1205445,1295445,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180,1588195,1607262,1607267,1607278,1607291,1607477,1648821,1650119,1650304,1658557,1658641-1658642,1658724,1669302,1669496,1681126,1681150-1681151,1681172,1681189,1681218,1681295,1681298,1681314,1681323,1681419,1681505,1681507,1681509
+/tomcat/native/trunk:815411,988395,988402,988428,992208,1043611,1043696,1205445,1295445,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180,1588195,1607262,1607267,1607278,1607291,1607477,1648821,1650119,1650304,1658557,1658641-1658642,1658724,1669302,1669496,1681126,1681147,1681150-1681151,1681172,1681189,1681218,1681295,1681298,1681314,1681323,1681419,1681505,1681507,1681509,1681520
/tomcat/tc7.0.x/trunk:1199985,1200164,1349932,1434887,1435769
/tomcat/trunk:815418,832198,1001939,1033916,1043103,1044729,1078522,1145209,1145285,1149092,1241356,1241406-1241407,1242254,1292671,1299980,1300102,1434905,1437083
Modified: tomcat/native/branches/1.1.x/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/configure.in?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/configure.in (original)
+++ tomcat/native/branches/1.1.x/native/configure.in Sun May 24 19:45:21 2015
@@ -162,6 +162,17 @@ AC_ARG_ENABLE(ocsp,
esac
])
+AC_ARG_ENABLE(insecure-export-ciphers,
+[AS_HELP_STRING([--enable-insecure-export-ciphers],[allow including insecure export and null ciphers in the cipher string (default is disabled=not allowed)])],
+[
+ case "${enableval}" in
+ yes )
+ APR_ADDTO(CFLAGS, [-DHAVE_EXPORT_CIPHERS])
+ AC_MSG_WARN([Enabling insecure export and null cipher support])
+ ;;
+ esac
+])
+
if $use_openssl ; then
TCN_CHECK_SSL_TOOLKIT
fi
Modified: tomcat/native/branches/1.1.x/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/ssl_private.h?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/include/ssl_private.h (original)
+++ tomcat/native/branches/1.1.x/native/include/ssl_private.h Sun May 24 19:45:21 2015
@@ -175,6 +175,8 @@
#define OCSP_STATUS_REVOKED 1
#define OCSP_STATUS_UNKNOWN 2
+#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")
+
/* ECC: make sure we have at least 1.0.0 */
#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
#define HAVE_ECC 1
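Review bot: The new `SSL_CIPHERS_ALWAYS_DISABLED` macro carries no comment saying what it is for or why prepending it unconditionally is safe; suggest `/* Prepended to every user-supplied cipher string: anonymous (aNULL), null-encryption (eNULL) and export-grade (EXP) suites are never offered. The '!' form removes them permanently in OpenSSL cipher-string syntax, so the caller's string cannot re-add them. */`. The parentheses around the string literal are unusual: harmless for the `strlen()` calls in sslcontext.c, but they block adjacent-literal concatenation such as `SSL_CIPHERS_ALWAYS_DISABLED "HIGH"`, so a plain `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"` would be more conventional. It may also be worth noting in the comment that the `HAVE_EXPORT_CIPHERS` build flag (set by `--enable-insecure-export-ciphers`) is what bypasses this prefix.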
Modified: tomcat/native/branches/1.1.x/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/sslcontext.c (original)
+++ tomcat/native/branches/1.1.x/native/src/sslcontext.c Sun May 24 19:45:21 2015
@@ -301,18 +301,40 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
TCN_ALLOC_CSTRING(ciphers);
jboolean rv = JNI_TRUE;
+#ifndef HAVE_EXPORT_CIPHERS
+ size_t len;
+ char *buf;
+#endif
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
if (!J2S(ciphers))
return JNI_FALSE;
-
+
+#ifndef HAVE_EXPORT_CIPHERS
+ /*
+ * Always disable NULL and export ciphers,
+ * no matter what was given in the config.
+ */
+ len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+ buf = malloc(len * sizeof(char *));
+ if (buf == NULL)
+ return JNI_FALSE;
+ memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+ memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
+ buf[len - 1] = '\0';
+ if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
+#else
if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+#endif
char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
+#ifndef HAVE_EXPORT_CIPHERS
+ free(buf);
+#endif
TCN_FREE_CSTRING(ciphers);
return rv;
}
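Review bot: The allocation on the `buf = malloc(len * sizeof(char *));` line multiplies the byte count by the size of a pointer, so the buffer is several times larger than the `len` computed on the previous line; `buf = malloc(len);` is what the two `memcpy` calls and the `buf[len - 1] = '\0';` terminator assume. The `if (buf == NULL) return JNI_FALSE;` path also returns before `TCN_FREE_CSTRING(ciphers)`, so the C string obtained by `TCN_ALLOC_CSTRING(ciphers)` at the top of the function is presumably never released on that path, and unlike the cipher-list failure below no Java exception is raised to explain the `false`; `if (buf == NULL) { TCN_FREE_CSTRING(ciphers); return JNI_FALSE; }` keeps the cleanup symmetric. The three `strlen(SSL_CIPHERS_ALWAYS_DISABLED)` and two `strlen(J2S(ciphers))` calls could be folded into locals (or the whole concatenation done with one `snprintf(buf, len, "%s%s", ...)`), which would also remove the `#ifndef` that currently splits the `if (` line from its `#else` twin. Prepending rather than appending is the right choice here, since per OpenSSL's cipher-string rules a `!` removal is permanent and a later `EXP` or `aNULL` in the user string cannot re-enable those suites. The function's signature is just above the hunk.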
Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Sun May 24 19:45:21 2015
@@ -39,6 +39,12 @@
<section name="Changes between 1.1.33 and 1.1.34">
<changelog>
<update>
+ Unconditionally disable export Ciphers. Use the
+ configure flag --enable-insecure-export-ciphers
+ for a custom build supporting those insecure ciphers.
+ (rjung)
+ </update>
+ <update>
Improve ephemeral key handling for DH and ECDH.
Parameter strength is by default derived from the
certificate key strength. It can be overwritten