Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/04/21 22:56:14 UTC

svn commit: r1675198 - in /tomcat/trunk: java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/config/http.xml

Author: markt
Date: Tue Apr 21 20:56:14 2015
New Revision: 1675198

URL: http://svn.apache.org/r1675198
Log:
Document the protocols attribute for SSLHostConfig and align the implementation with it.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1675198&r1=1675197&r2=1675198&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Apr 21 20:56:14 2015
@@ -499,7 +499,9 @@ public class AprEndpoint extends Abstrac
                     value = SSL.SSL_PROTOCOL_ALL;
                 } else {
                     for (String protocol : sslHostConfig.getProtocols()) {
-                        if ("SSLv2".equalsIgnoreCase(protocol)) {
+                        if ("SSLv2Hello".equalsIgnoreCase(protocol)) {
+                            // NO-OP. OpenSSL always supports SSLv2Hello
+                        } else if ("SSLv2".equalsIgnoreCase(protocol)) {
                             value |= SSL.SSL_PROTOCOL_SSLV2;
                         } else if ("SSLv3".equalsIgnoreCase(protocol)) {
                             value |= SSL.SSL_PROTOCOL_SSLV3;
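Review bot: the comment on the new NO-OP branch ("OpenSSL always supports SSLv2Hello") promises more than this code can guarantee. SSLv2Hello contributes no bit to `value`, so a list such as `SSLv2Hello,TLSv1.2` leaves exactly one protocol set, and, as the follow-up in this thread points out, the single-protocol case is built on a protocol-specific server method that does not accept an SSLv2-format ClientHello. Either have this branch force the generic method when SSLv2Hello is requested, or reword the comment to say that SSLv2Hello is only accepted when more than one protocol is enabled.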

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1675198&r1=1675197&r2=1675198&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Apr 21 20:56:14 2015
@@ -27,6 +27,10 @@ public class SSLHostConfig {
 
     private Set<String> protocols = new HashSet<>();
 
+    public SSLHostConfig() {
+        // Set defaults that can't be (easily) set when defining the fields.
+        setProtocols("all");
+    }
 
     public void setHostName(String hostName) {
         this.hostName = hostName;
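Review bot: the constructor establishes the default by calling the public, overridable setProtocols(); if SSLHostConfig is ever subclassed, an override would run before the subclass's own fields are initialised. Either initialise the set through a private helper that both the constructor and setProtocols() call, or make setProtocols() final.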
@@ -40,16 +44,20 @@ public class SSLHostConfig {
 
     public void setProtocols(String input) {
         // OpenSSL and JSSE use the same names.
-        if (input.trim().equalsIgnoreCase("all")) {
-            input = "TLSv1+TLSv1.1+TLSv1.2";
-        }
-
         String[] values = input.split(",|\\+");
 
+        protocols.clear();
+
         for (String value: values) {
             String trimmed = value.trim();
             if (trimmed.length() > 0) {
-                protocols.add(trimmed);
+                if (input.trim().equalsIgnoreCase("all")) {
+                    protocols.add("TLSv1");
+                    protocols.add("TLSv1.1");
+                    protocols.add("TLSv1.2");
+                } else {
+                    protocols.add(trimmed);
+                }
             }
         }
     }
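Review bot: the "all" test inside the loop compares the whole `input`, not `trimmed`, so "all" only expands when it is the entire value: `all,SSLv2Hello` or `all+SSLv3` stores the literal token "all" as a protocol name, and `all+` does the same because `input.trim()` is "all+". Compare the token instead, e.g. `if (trimmed.equalsIgnoreCase("all")) {`, or hoist the expansion back out of the loop as the removed lines had it. Separately, any other unrecognised token is stored verbatim with no validation, so a misspelt protocol name silently changes the enabled set; rejecting unknown names here would surface the typo at startup.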

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015
@@ -1050,7 +1050,7 @@
 
   <attributes>
 
-    <attribute name="hostName" required="true">
+    <attribute name="hostName" required="false">
       <p>The name of the SSL Host. This should either be the fully qualified
       domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
       name (e.g. <code>*.apache.org</code>). If not specified, the default value
@@ -1058,7 +1058,20 @@
     </attribute>
 
     <attribute name="protocols" required="false">
-      <p></p>
+      <p>The names of the protocols to support when communicating with clients.
+      This should be a comma separated list of any combination of the following:
+      </p>
+      <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li>
+          <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul>
+      <p>Note that OpenSSL based secure connectors will always support
+      <code>SSLv2Hello</code> regardless of whether or not it is included in the
+      value for this attribute.</p>
+      <p>Note that <code>all</code> is an alias for
+      <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p>
+      <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
+      unsafe.</p>
+      <p>If not specified, the default value of <code>all</code> will be
+      used.</p>
     </attribute>
 
   </attributes>
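Review bot: the paragraph stating that OpenSSL based connectors "will always support SSLv2Hello regardless" is contradicted later in this thread: with Tomcat-Native the generic SSLv23 server method is only used when more than one protocol is configured, and a single value such as `TLSv1.2` selects a protocol-specific method on which SSLv2Hello is not enabled. Reword to say when SSLv2Hello is accepted rather than "always", and since `SSLv2Hello` is listed as a permitted value, say what listing it does (the AprEndpoint hunk treats it as a no-op).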
@@ -1191,16 +1204,9 @@
     </attribute>
 
     <attribute name="sslEnabledProtocols" required="false">
-      <p>The comma separated list of SSL protocols to support for HTTPS
-      connections. If specified, only the protocols that are listed and
-      supported by the SSL implementation will be enabled. If not specified,
-      the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or
-      both of them by default) is used. The permitted values may be obtained
-      from the JVM documentation for the allowed values for
-      <code>SSLSocket.setEnabledProtocols()</code> e.g.
-      <a href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames">
-      Oracle Java 7</a>. Note: There is overlap between this attribute and
-      <code>sslProtocol</code>.</p>
+      <p>This is an alias for the <code>protocols</code> attribute of the
+      default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+      element.</p>
     </attribute>
 
     <attribute name="sslImplementationName" required="false">
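Review bot: replacing this text with an alias drops two facts the old paragraph stated that the new protocols description does not cover: that for JSSE only the listed protocols the implementation actually supports are enabled, and that the previous default was the JVM default (minus SSLv2 and SSLv3) rather than a fixed `TLSv1,TLSv1.1,TLSv1.2` list. If the JSSE default really changes from the JVM's list to `all`, that is a behaviour change that belongs in the changelog and in the protocols description; if it does not, the "default value of all" sentence there needs a JSSE caveat.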
@@ -1386,13 +1392,9 @@
     </attribute>
 
     <attribute name="SSLProtocol" required="false">
-      <p>Protocol which may be used for communicating with clients. The default
-      value is <code>all</code>, which is equivalent to <code>TLSv1+TLSv1.1+TLSv1.2</code>
-      with other acceptable values being <code>SSLv2</code>,
-      <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code>, <code>TLSv1.2</code>
-      and any combination of these protocols concatenated with a plus sign.
-      Note that both protocols <code>SSLv2</code> and <code>SSLv3</code> are
-      inherently unsafe.</p>
+      <p>This is an alias for the <code>protocols</code> attribute of the
+      default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+      element.</p>
     </attribute>
 
     <attribute name="SSLVerifyClient" required="false">
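Review bot: the removed text documented the plus-sign form (`TLSv1+TLSv1.1+TLSv1.2`) that existing APR configurations use, and the SSLHostConfig hunk still accepts it (it splits on `,|\+`), but the protocols description the alias points to only mentions a comma separated list. Either add "or plus" to that description or keep a sentence here noting that the plus-separated form remains accepted for compatibility.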



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1675198 - in /tomcat/trunk: java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/config/http.xml

Posted by Mark Thomas <ma...@apache.org>.
On 06/05/2015 13:41, Mark Thomas wrote:
> On 06/05/2015 02:24, Konstantin Kolinko wrote:
>> 2015-04-21 23:56 GMT+03:00  <ma...@apache.org>:
>>> Author: markt
>>> Date: Tue Apr 21 20:56:14 2015
>>> New Revision: 1675198
>>>
>>> URL: http://svn.apache.org/r1675198
>>> Log:
>>> Document the protocols attribute for SSLHostConfig and align the implementation with it.
>>>
>>> Modified:
>>>     tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
>>>     tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
>>>     tomcat/trunk/webapps/docs/config/http.xml
>>>
>>
>> (...)
>>
>>> Modified: tomcat/trunk/webapps/docs/config/http.xml
>>> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff
>>> ==============================================================================
>>> --- tomcat/trunk/webapps/docs/config/http.xml (original)
>>> +++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015
>>> @@ -1050,7 +1050,7 @@
>>>
>>>    <attributes>
>>>
>>> -    <attribute name="hostName" required="true">
>>> +    <attribute name="hostName" required="false">
>>>        <p>The name of the SSL Host. This should either be the fully qualified
>>>        domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
>>>        name (e.g. <code>*.apache.org</code>). If not specified, the default value
>>> @@ -1058,7 +1058,20 @@
>>>      </attribute>
>>>
>>>      <attribute name="protocols" required="false">
>>> -      <p></p>
>>> +      <p>The names of the protocols to support when communicating with clients.
>>> +      This should be a comma separated list of any combination of the following:
>>> +      </p>
>>> +      <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li>
>>> +          <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul>
>>> +      <p>Note that OpenSSL based secure connectors will always support
>>> +      <code>SSLv2Hello</code> regardless of whether or not it is included in the
>>> +      value for this attribute.</p>
>>> +      <p>Note that <code>all</code> is an alias for
>>> +      <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p>
>>> +      <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
>>> +      unsafe.</p>
>>> +      <p>If not specified, the default value of <code>all</code> will be
>>> +      used.</p>
>>>      </attribute>
>>
>>
>>
>>
>> As far as I remember from reading the source code, the above phrase
>> "Note that OpenSSL based secure connectors will always support
>> SSLv2Hello regardless of whether or not it is included in the value
>> for this attribute." about the "protocols" attribute is not true.
>>
>>
>> I think that it works as follows:
>>
>> 1) If "protocols" includes several protocols (like in
>> "TLSv1,TLSv1.1,TLSv1.2") then OpenSSL configures a generic handshake
>> method that supports SSLv2Hello.
>>
>> 2) If "protocols" includes only one protocol (e.g. "TLSv1" or
>> "TLSv1.2"), it configures a handshake method for that specific
>> protocol, and SSLv2Hello is not enabled.
>>
>> In our sslcontext.c of Tomcat-Native 1.1.x:
>>
>> The case of 1) uses
>>             ctx = SSL_CTX_new(SSLv23_server_method());
>>
>> The case of 2) uses
>>             ctx = SSL_CTX_new(TLSv1_2_server_method());
>>             ctx = SSL_CTX_new(TLSv1_1_server_method());
>>             ctx = SSL_CTX_new(TLSv1_server_method());
>> etc.
> 
> Interesting. I should be able to change things so both JSSE and OpenSSL
> based connectors work the same way. I'll take a look.

Maybe not then. I'll work on some better language for the docs.

Mark




Re: svn commit: r1675198 - in /tomcat/trunk: java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/config/http.xml

Posted by Mark Thomas <ma...@apache.org>.
On 06/05/2015 02:24, Konstantin Kolinko wrote:
> 2015-04-21 23:56 GMT+03:00  <ma...@apache.org>:
>> Author: markt
>> Date: Tue Apr 21 20:56:14 2015
>> New Revision: 1675198
>>
>> URL: http://svn.apache.org/r1675198
>> Log:
>> Document the protocols attribute for SSLHostConfig and align the implementation with it.
>>
>> Modified:
>>     tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
>>     tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
>>     tomcat/trunk/webapps/docs/config/http.xml
>>
> 
> (...)
> 
>> Modified: tomcat/trunk/webapps/docs/config/http.xml
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff
>> ==============================================================================
>> --- tomcat/trunk/webapps/docs/config/http.xml (original)
>> +++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015
>> @@ -1050,7 +1050,7 @@
>>
>>    <attributes>
>>
>> -    <attribute name="hostName" required="true">
>> +    <attribute name="hostName" required="false">
>>        <p>The name of the SSL Host. This should either be the fully qualified
>>        domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
>>        name (e.g. <code>*.apache.org</code>). If not specified, the default value
>> @@ -1058,7 +1058,20 @@
>>      </attribute>
>>
>>      <attribute name="protocols" required="false">
>> -      <p></p>
>> +      <p>The names of the protocols to support when communicating with clients.
>> +      This should be a comma separated list of any combination of the following:
>> +      </p>
>> +      <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li>
>> +          <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul>
>> +      <p>Note that OpenSSL based secure connectors will always support
>> +      <code>SSLv2Hello</code> regardless of whether or not it is included in the
>> +      value for this attribute.</p>
>> +      <p>Note that <code>all</code> is an alias for
>> +      <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p>
>> +      <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
>> +      unsafe.</p>
>> +      <p>If not specified, the default value of <code>all</code> will be
>> +      used.</p>
>>      </attribute>
> 
> 
> 
> 
> As far as I remember from reading the source code, the above phrase
> "Note that OpenSSL based secure connectors will always support
> SSLv2Hello regardless of whether or not it is included in the value
> for this attribute." about the "protocols" attribute is not true.
> 
> 
> I think that it works as follows:
> 
> 1) If "protocols" includes several protocols (like in
> "TLSv1,TLSv1.1,TLSv1.2") then OpenSSL configures a generic handshake
> method that supports SSLv2Hello.
> 
> 2) If "protocols" includes only one protocol (e.g. "TLSv1" or
> "TLSv1.2"), it configures a handshake method for that specific
> protocol, and SSLv2Hello is not enabled.
> 
> In our sslcontext.c of Tomcat-Native 1.1.x:
> 
> The case of 1) uses
>             ctx = SSL_CTX_new(SSLv23_server_method());
> 
> The case of 2) uses
>             ctx = SSL_CTX_new(TLSv1_2_server_method());
>             ctx = SSL_CTX_new(TLSv1_1_server_method());
>             ctx = SSL_CTX_new(TLSv1_server_method());
> etc.

Interesting. I should be able to change things so both JSSE and OpenSSL
based connectors work the same way. I'll take a look.

Mark




Re: svn commit: r1675198 - in /tomcat/trunk: java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/config/http.xml

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-04-21 23:56 GMT+03:00  <ma...@apache.org>:
> Author: markt
> Date: Tue Apr 21 20:56:14 2015
> New Revision: 1675198
>
> URL: http://svn.apache.org/r1675198
> Log:
> Document the protocols attribute for SSLHostConfig and align the implementation with it.
>
> Modified:
>     tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
>     tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
>     tomcat/trunk/webapps/docs/config/http.xml
>

(...)

> Modified: tomcat/trunk/webapps/docs/config/http.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675198&r1=1675197&r2=1675198&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/http.xml (original)
> +++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 20:56:14 2015
> @@ -1050,7 +1050,7 @@
>
>    <attributes>
>
> -    <attribute name="hostName" required="true">
> +    <attribute name="hostName" required="false">
>        <p>The name of the SSL Host. This should either be the fully qualified
>        domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
>        name (e.g. <code>*.apache.org</code>). If not specified, the default value
> @@ -1058,7 +1058,20 @@
>      </attribute>
>
>      <attribute name="protocols" required="false">
> -      <p></p>
> +      <p>The names of the protocols to support when communicating with clients.
> +      This should be a comma separated list of any combination of the following:
> +      </p>
> +      <ul><li>SSLv2Hello</li><li>SSLv2</li><li>SSLv3</li><li>TLSv1</li>
> +          <li>TLSv1.1</li><li>TLSv1.2</li><li>all</li></ul>
> +      <p>Note that OpenSSL based secure connectors will always support
> +      <code>SSLv2Hello</code> regardless of whether or not it is included in the
> +      value for this attribute.</p>
> +      <p>Note that <code>all</code> is an alias for
> +      <code>TLSv1,TLSv1.1,TLSv1.2</code>.</p>
> +      <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
> +      unsafe.</p>
> +      <p>If not specified, the default value of <code>all</code> will be
> +      used.</p>
>      </attribute>




As far as I remember from reading the source code, the above phrase
"Note that OpenSSL based secure connectors will always support
SSLv2Hello regardless of whether or not it is included in the value
for this attribute." about the "protocols" attribute is not true.


I think that it works as follows:

1) If "protocols" includes several protocols (like in
"TLSv1,TLSv1.1,TLSv1.2") then OpenSSL configures a generic handshake
method that supports SSLv2Hello.

2) If "protocols" includes only one protocol (e.g. "TLSv1" or
"TLSv1.2"), it configures a handshake method for that specific
protocol, and SSLv2Hello is not enabled.

In our sslcontext.c of Tomcat-Native 1.1.x:

The case of 1) uses
            ctx = SSL_CTX_new(SSLv23_server_method());

The case of 2) uses
            ctx = SSL_CTX_new(TLSv1_2_server_method());
            ctx = SSL_CTX_new(TLSv1_1_server_method());
            ctx = SSL_CTX_new(TLSv1_server_method());
etc.


Best regards,
Konstantin Kolinko
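The method choice Konstantin describes, as an added example that is not Tomcat or Tomcat-Native code: a small Java parser for the protocols attribute that accepts both the comma and plus separators the committed split() allows, expands "all" per token, rejects unknown names, and then applies the rule from the message above (one concrete protocol means a protocol-specific OpenSSL server method and no SSLv2Hello; more than one means the generic SSLv23 method). The class, enum and method names are assumptions. The rule that listing SSLv2Hello does not by itself force the generic method follows from the NO-OP branch in the AprEndpoint hunk combined with Konstantin's description, and is also an assumption to verify against the Tomcat-Native version in use.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative parser for the SSLHostConfig "protocols" attribute plus the
 * handshake-method rule described in the thread. Added example, not Tomcat
 * code; all names here are assumptions.
 */
public class ProtocolListExample {

    /** Names the documentation hunk lists for the attribute. */
    private static final List<String> KNOWN = Arrays.asList(
            "SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    /** What "all" expands to in the commit. */
    private static final String[] ALL = {"TLSv1", "TLSv1.1", "TLSv1.2"};

    /** The two OpenSSL context flavours Konstantin's message distinguishes. */
    enum Method { GENERIC_SSLV23, SINGLE_PROTOCOL }

    /**
     * Parses a value such as "all", "TLSv1.2" or "TLSv1+TLSv1.1+TLSv1.2".
     * Both ',' and '+' are separators because the committed code splits on
     * ",|\\+". Unlike the committed code, "all" is expanded per token (so
     * "all,SSLv2Hello" works) and unknown names raise an error instead of
     * being stored verbatim.
     */
    static Set<String> parseProtocols(String input) {
        Set<String> result = new LinkedHashSet<>();
        for (String token : input.split(",|\\+")) {
            String name = token.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (name.equalsIgnoreCase("all")) {
                result.addAll(Arrays.asList(ALL));
                continue;
            }
            String canonical = canonical(name);
            if (canonical == null) {
                throw new IllegalArgumentException("Unknown protocol name: " + name);
            }
            result.add(canonical);
        }
        // SSLv2Hello alone negotiates nothing; treated as a config error here (assumption).
        if (result.isEmpty() || (result.size() == 1 && result.contains("SSLv2Hello"))) {
            throw new IllegalArgumentException("No negotiable protocol in: " + input);
        }
        return result;
    }

    /** Case-insensitive lookup that returns the documented spelling. */
    private static String canonical(String name) {
        for (String known : KNOWN) {
            if (known.equalsIgnoreCase(name)) {
                return known;
            }
        }
        return null;
    }

    /**
     * Konstantin's rule: exactly one concrete protocol selects a
     * protocol-specific server method (no SSLv2Hello); otherwise the generic
     * SSLv23 method is used. SSLv2Hello is ignored when counting, matching the
     * NO-OP branch in the AprEndpoint hunk.
     */
    static Method chooseMethod(Set<String> protocols) {
        Set<String> concrete = new LinkedHashSet<>(protocols);
        concrete.remove("SSLv2Hello");
        return concrete.size() == 1 ? Method.SINGLE_PROTOCOL : Method.GENERIC_SSLV23;
    }

    /** True when the resulting context would accept an SSLv2-format ClientHello. */
    static boolean acceptsSslv2Hello(Set<String> protocols) {
        return chooseMethod(protocols) == Method.GENERIC_SSLV23;
    }

    /** The protocols the documentation hunk calls inherently unsafe. */
    static Set<String> unsafeSelections(Set<String> protocols) {
        Set<String> unsafe = new LinkedHashSet<>();
        for (String p : protocols) {
            if (p.equals("SSLv2") || p.equals("SSLv3")) {
                unsafe.add(p);
            }
        }
        return unsafe;
    }

    public static void main(String[] args) {
        String[] samples = {"all", "TLSv1.2", "TLSv1+TLSv1.1+TLSv1.2",
                            "SSLv2Hello,TLSv1.2", "SSLv3,TLSv1"};
        for (String value : samples) {
            Set<String> p = parseProtocols(value);
            System.out.printf("%-22s -> %-28s %-16s SSLv2Hello=%-5b unsafe=%s%n",
                    value, p, chooseMethod(p), acceptsSslv2Hello(p), unsafeSelections(p));
        }
    }
}
```

Running main prints one row per sample value. The `SSLv2Hello,TLSv1.2` row is the case the committed documentation text gets wrong: naming SSLv2Hello in the list does not change the single-protocol method selection, so an SSLv2-format ClientHello is still rejected.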
