Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/24 21:34:43 UTC
svn commit: r1681520 - in /tomcat/native/trunk/native: configure.in
src/sslcontext.c
Author: rjung
Date: Sun May 24 19:34:43 2015
New Revision: 1681520
URL: http://svn.apache.org/r1681520
Log:
Allow disabling the export cipher filtering
using the configure flag
--enable-insecure-export-ciphers.
Of course, the SSL toolkit must also support
these ciphers for them to be usable.
Modified:
tomcat/native/trunk/native/configure.in
tomcat/native/trunk/native/src/sslcontext.c
Modified: tomcat/native/trunk/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/configure.in?rev=1681520&r1=1681519&r2=1681520&view=diff
==============================================================================
--- tomcat/native/trunk/native/configure.in (original)
+++ tomcat/native/trunk/native/configure.in Sun May 24 19:34:43 2015
@@ -149,6 +149,17 @@ AC_ARG_ENABLE(openssl,
esac
])
+AC_ARG_ENABLE(insecure-export-ciphers,
+[AS_HELP_STRING([--enable-insecure-export-ciphers],[allow including insecure export and null ciphers in the cipher string (default is disabled=not allowed)])],
+[
+ case "${enableval}" in
+ yes )
+ APR_ADDTO(CFLAGS, [-DHAVE_EXPORT_CIPHERS])
+ AC_MSG_WARN([Enabling insecure export and null cipher support])
+ ;;
+ esac
+])
+
if $use_openssl ; then
TCN_CHECK_SSL_TOOLKIT
fi
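Review bot: The `-DHAVE_EXPORT_CIPHERS` define in the `yes )` branch also turns off the NULL-cipher filter, as the help string itself says, so the macro name understates what it controls and reads like a detected toolkit capability rather than an opt-in to weaker security. A name that states the intent (for example `TCN_ALLOW_INSECURE_CIPHERS`, a constructed name) would be harder to misread at the `#ifndef` sites in sslcontext.c. The only signal is `AC_MSG_WARN` at configure time, so a binary built this way gives no indication at runtime; a one-time log line when the unfiltered cipher path is compiled in would let operators detect such builds. I would also add a short comment above `AC_ARG_ENABLE`, such as `dnl Opt-in only: removes the forced exclusion of NULL and export ciphers`.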
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681520&r1=1681519&r2=1681520&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Sun May 24 19:34:43 2015
@@ -363,30 +363,40 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
TCN_ALLOC_CSTRING(ciphers);
jboolean rv = JNI_TRUE;
+#ifndef HAVE_EXPORT_CIPHERS
+ size_t len;
+ char *buf;
+#endif
UNREFERENCED(o);
TCN_ASSERT(ctx != 0);
if (!J2S(ciphers))
return JNI_FALSE;
-
+
+#ifndef HAVE_EXPORT_CIPHERS
/*
* Always disable NULL and export ciphers,
* no matter what was given in the config.
*/
- size_t len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
- char *buf = malloc(len * sizeof(char *));
+ len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+ buf = malloc(len * sizeof(char *));
if (buf == NULL)
return JNI_FALSE;
memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
buf[len - 1] = '\0';
if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
+#else
+ if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+#endif
char err[256];
ERR_error_string(ERR_get_error(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
+#ifndef HAVE_EXPORT_CIPHERS
free(buf);
+#endif
TCN_FREE_CSTRING(ciphers);
return rv;
}
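Review bot: The allocation `buf = malloc(len * sizeof(char *));` in the `#ifndef HAVE_EXPORT_CIPHERS` path sizes the buffer by pointer width although `buf` holds `len` chars; this over-allocates rather than overflows, but it should be `buf = malloc(len);`. The `return JNI_FALSE;` that follows a failed malloc also skips `TCN_FREE_CSTRING(ciphers)`, which presumably releases the JNI string acquired by `TCN_ALLOC_CSTRING`, so that path likely leaks; `if (buf == NULL) { TCN_FREE_CSTRING(ciphers); return JNI_FALSE; }` would match the cleanup at the end of the function. Splitting the `if (!SSL_CTX_set_cipher_list(...)) {` opener across `#else` makes the brace structure hard to follow; selecting the cipher string into one `const char *` and keeping a single `if` would read more safely. The function's signature and opening lie outside the hunk, so the macro behaviour is inferred from the names.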