Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/24 21:34:43 UTC

svn commit: r1681520 - in /tomcat/native/trunk/native: configure.in src/sslcontext.c

Author: rjung
Date: Sun May 24 19:34:43 2015
New Revision: 1681520

URL: http://svn.apache.org/r1681520
Log:
Allow disabling the export cipher filtering
using the configure flag
--enable-insecure-export-ciphers.

Of course the SSL toolkit must have support
for them as well to be able to use them.

Modified:
    tomcat/native/trunk/native/configure.in
    tomcat/native/trunk/native/src/sslcontext.c

Modified: tomcat/native/trunk/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/configure.in?rev=1681520&r1=1681519&r2=1681520&view=diff
==============================================================================
--- tomcat/native/trunk/native/configure.in (original)
+++ tomcat/native/trunk/native/configure.in Sun May 24 19:34:43 2015
@@ -149,6 +149,17 @@ AC_ARG_ENABLE(openssl,
   esac
 ])
 
+AC_ARG_ENABLE(insecure-export-ciphers,
+[AS_HELP_STRING([--enable-insecure-export-ciphers],[allow including insecure export and null ciphers in the cipher string (default is disabled=not allowed)])],
+[
+  case "${enableval}" in
+    yes )
+       APR_ADDTO(CFLAGS, [-DHAVE_EXPORT_CIPHERS])
+       AC_MSG_WARN([Enabling insecure export and null cipher support])
+       ;;
+  esac
+])
+
 if $use_openssl ; then
   TCN_CHECK_SSL_TOOLKIT
 fi
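Review bot: The `case` in the new AC_ARG_ENABLE block matches only `yes`, so any other value passed to `--enable-insecure-export-ciphers=` is accepted silently and the builder gets no feedback on what was configured; adding `no ) ;;` and `* ) AC_MSG_ERROR([bad value ${enableval} for --enable-insecure-export-ciphers]) ;;` would make the outcome explicit. The define `HAVE_EXPORT_CIPHERS` also reads like a feature-detection result, while the help string says it permits both export and null ciphers. A `dnl` comment above the block stating that the define removes the always-disabled cipher prefix applied in src/sslcontext.c would help anyone auditing build flags.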

Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681520&r1=1681519&r2=1681520&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Sun May 24 19:34:43 2015
@@ -363,30 +363,40 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
     tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
     TCN_ALLOC_CSTRING(ciphers);
     jboolean rv = JNI_TRUE;
+#ifndef HAVE_EXPORT_CIPHERS
+    size_t len;
+    char *buf;
+#endif
 
     UNREFERENCED(o);
     TCN_ASSERT(ctx != 0);
     if (!J2S(ciphers))
         return JNI_FALSE;
-    
+
+#ifndef HAVE_EXPORT_CIPHERS
     /*
      *  Always disable NULL and export ciphers,
      *  no matter what was given in the config.
      */
-    size_t len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
-    char *buf = malloc(len * sizeof(char *));
+    len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+    buf = malloc(len * sizeof(char *));
     if (buf == NULL)
         return JNI_FALSE;
     memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
     memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
     buf[len - 1] = '\0';
     if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
+#else
+    if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+#endif
         char err[256];
         ERR_error_string(ERR_get_error(), err);
         tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
         rv = JNI_FALSE;
     }
+#ifndef HAVE_EXPORT_CIPHERS
     free(buf);
+#endif
     TCN_FREE_CSTRING(ciphers);
     return rv;
 }
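Review bot: The `buf == NULL` early return inside the `#ifndef HAVE_EXPORT_CIPHERS` branch exits without `TCN_FREE_CSTRING(ciphers)`, which the normal exit path calls, so whatever `TCN_ALLOC_CSTRING` acquired appears to leak on allocation failure; `if (buf == NULL) { TCN_FREE_CSTRING(ciphers); return JNI_FALSE; }` would match the exit path. The allocation also multiplies by `sizeof(char *)` rather than the size of a char, over-allocating by the pointer width; `buf = malloc(len);` is enough because `len` already counts the terminator. When `HAVE_EXPORT_CIPHERS` is defined the caller's string reaches `SSL_CTX_set_cipher_list` unmodified, so per the existing comment NULL ciphers are no longer filtered either, and a short comment at the `#else` saying so would keep the macro name from misleading. The function's signature begins outside the hunk.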


