Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/24 21:45:21 UTC

svn commit: r1681523 - in /tomcat/native/branches/1.1.x: ./ native/configure.in native/include/ssl_private.h native/src/sslcontext.c xdocs/miscellaneous/changelog.xml

Author: rjung
Date: Sun May 24 19:45:21 2015
New Revision: 1681523

URL: http://svn.apache.org/r1681523
Log:
Port mod_ssl improvements to tcnative/ssl:

Partial backport of r1526168 from httpd/mod_ssl:

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

Custom tcnative builds using the configure flag
--enable-insecure-export-ciphers can re-enable support
for the insecure export and null ciphers.

Modified:
    tomcat/native/branches/1.1.x/   (props changed)
    tomcat/native/branches/1.1.x/native/configure.in
    tomcat/native/branches/1.1.x/native/include/ssl_private.h
    tomcat/native/branches/1.1.x/native/src/sslcontext.c
    tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml

Propchange: tomcat/native/branches/1.1.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun May 24 19:45:21 2015
@@ -1,3 +1,3 @@
-/tomcat/native/trunk:815411,988395,988402,988428,992208,1043611,1043696,1205445,1295445,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180,1588195,1607262,1607267,1607278,1607291,1607477,1648821,1650119,1650304,1658557,1658641-1658642,1658724,1669302,1669496,1681126,1681150-1681151,1681172,1681189,1681218,1681295,1681298,1681314,1681323,1681419,1681505,1681507,1681509
+/tomcat/native/trunk:815411,988395,988402,988428,992208,1043611,1043696,1205445,1295445,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180,1588195,1607262,1607267,1607278,1607291,1607477,1648821,1650119,1650304,1658557,1658641-1658642,1658724,1669302,1669496,1681126,1681147,1681150-1681151,1681172,1681189,1681218,1681295,1681298,1681314,1681323,1681419,1681505,1681507,1681509,1681520
 /tomcat/tc7.0.x/trunk:1199985,1200164,1349932,1434887,1435769
 /tomcat/trunk:815418,832198,1001939,1033916,1043103,1044729,1078522,1145209,1145285,1149092,1241356,1241406-1241407,1242254,1292671,1299980,1300102,1434905,1437083

Modified: tomcat/native/branches/1.1.x/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/configure.in?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/configure.in (original)
+++ tomcat/native/branches/1.1.x/native/configure.in Sun May 24 19:45:21 2015
@@ -162,6 +162,17 @@ AC_ARG_ENABLE(ocsp,
   esac
 ])
 
+AC_ARG_ENABLE(insecure-export-ciphers,
+[AS_HELP_STRING([--enable-insecure-export-ciphers],[allow including insecure export and null ciphers in the cipher string (default is disabled=not allowed)])],
+[
+  case "${enableval}" in
+    yes )
+       APR_ADDTO(CFLAGS, [-DHAVE_EXPORT_CIPHERS])
+       AC_MSG_WARN([Enabling insecure export and null cipher support])
+       ;;
+  esac
+])
+
 if $use_openssl ; then
   TCN_CHECK_SSL_TOOLKIT
 fi

Modified: tomcat/native/branches/1.1.x/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/ssl_private.h?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/include/ssl_private.h (original)
+++ tomcat/native/branches/1.1.x/native/include/ssl_private.h Sun May 24 19:45:21 2015
@@ -175,6 +175,8 @@
 #define OCSP_STATUS_REVOKED   1
 #define OCSP_STATUS_UNKNOWN   2
 
+#define SSL_CIPHERS_ALWAYS_DISABLED         ("!aNULL:!eNULL:!EXP:")
+
 /* ECC: make sure we have at least 1.0.0 */
 #if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
 #define HAVE_ECC              1
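Review bot: The parentheses around the literal in the new `#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")` turn it into a parenthesized expression, so it can no longer take part in adjacent string-literal concatenation or in a `sizeof`-based length, which is why the sslcontext.c hunk in this commit has to call `strlen` on the constant at runtime. Dropping them, `#define SSL_CIPHERS_ALWAYS_DISABLED "!aNULL:!eNULL:!EXP:"`, keeps both uses available and is what neighbouring string macros in OpenSSL-facing headers normally look like. A short comment would also help the next reader, e.g. `/* Prepended to every configured cipher string; the '!' prefix removes these suites permanently, so a later entry in the string cannot re-add them. */`.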

Modified: tomcat/native/branches/1.1.x/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslcontext.c?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/sslcontext.c (original)
+++ tomcat/native/branches/1.1.x/native/src/sslcontext.c Sun May 24 19:45:21 2015
@@ -301,18 +301,40 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
     TCN_ALLOC_CSTRING(ciphers);
     jboolean rv = JNI_TRUE;
+#ifndef HAVE_EXPORT_CIPHERS
+    size_t len;
+    char *buf;
+#endif
 
     UNREFERENCED(o);
     TCN_ASSERT(ctx != 0);
     if (!J2S(ciphers))
         return JNI_FALSE;
-    
+
+#ifndef HAVE_EXPORT_CIPHERS
+    /*
+     *  Always disable NULL and export ciphers,
+     *  no matter what was given in the config.
+     */
+    len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+    buf = malloc(len * sizeof(char *));
+    if (buf == NULL)
+        return JNI_FALSE;
+    memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+    memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
+    buf[len - 1] = '\0';
+    if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
+#else
     if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+#endif
         char err[256];
         ERR_error_string(ERR_get_error(), err);
         tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
         rv = JNI_FALSE;
     }
+#ifndef HAVE_EXPORT_CIPHERS
+    free(buf);
+#endif
     TCN_FREE_CSTRING(ciphers);
     return rv;
 }
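Review bot: The new malloc-failure path `if (buf == NULL) return JNI_FALSE;` leaves the function without the `TCN_FREE_CSTRING(ciphers)` that the normal exit pairs with `TCN_ALLOC_CSTRING(ciphers)`, so the JNI-side string acquired at the top is presumably never released on that path. The allocation itself is also mis-sized: `len` is already a byte count for a `char` buffer, so `malloc(len * sizeof(char *))` over-allocates by the pointer size and reads as if a pointer array were intended; `malloc(len)` is what was meant. Hoisting the two `strlen` results into locals removes the four repeated calls and lets the second `memcpy` copy the terminator directly instead of writing it separately. The enclosing function begins before the hunk; only its `TCN_IMPLEMENT_CALL` signature is visible in the `@@` header.
```c
#ifndef HAVE_EXPORT_CIPHERS
    size_t len, plen, clen;
    char *buf;
#endif
    /* … unchanged: UNREFERENCED(o), TCN_ASSERT, J2S(ciphers) null check … */
#ifndef HAVE_EXPORT_CIPHERS
    /*
     *  Always disable NULL and export ciphers,
     *  no matter what was given in the config.
     */
    plen = strlen(SSL_CIPHERS_ALWAYS_DISABLED);
    clen = strlen(J2S(ciphers));
    len = plen + clen + 1;
    buf = malloc(len);                  /* byte count for a char buffer */
    if (buf == NULL) {
        TCN_FREE_CSTRING(ciphers);      /* release the JNI string on this exit too */
        return JNI_FALSE;
    }
    memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, plen);
    memcpy(buf + plen, J2S(ciphers), clen + 1);   /* clen + 1 copies the '\0' */
    if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
    /* … unchanged: #else branch, error reporting, free(buf), TCN_FREE_CSTRING, return … */
```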

Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1681523&r1=1681522&r2=1681523&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Sun May 24 19:45:21 2015
@@ -39,6 +39,12 @@
 <section name="Changes between 1.1.33 and 1.1.34">
   <changelog>
     <update>
+      Unconditionally disable export Ciphers. Use the
+      configure flag --enable-insecure-export-ciphers
+      for a custom build supporting those insecure ciphers.
+      (rjung)
+    </update>
+    <update>
       Improve ephemeral key handling for DH and ECDH.
       Parameter strength is by default derived from the
       certificate key strength. It can be overwritten


