Posted to dev@tomcat.apache.org by sc...@apache.org on 2012/08/09 18:17:01 UTC

svn commit: r1371283 - in /tomcat/trunk: java/org/apache/coyote/http11/Http11AprProtocol.java java/org/apache/tomcat/util/net/AprEndpoint.java java/org/apache/tomcat/util/net/res/LocalStrings.properties webapps/docs/config/http.xml

Author: schultz
Date: Thu Aug  9 16:17:01 2012
New Revision: 1371283

URL: http://svn.apache.org/viewvc?rev=1371283&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
Added support for SSL_OP_CIPHER_SERVER_PREFERENCE / SSLHonorCipherOrder.

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1371283&r1=1371282&r2=1371283&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Aug  9 16:17:01 2012
@@ -118,6 +118,17 @@ public class Http11AprProtocol extends A
 
 
     /**
+     * SSL honor cipher order.
+	 *
+     * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+     * instead of the default which is to allow the client to choose a
+     * preferred cipher.
+     */
+    public boolean getSSLHonorCipherOrder() { return ((AprEndpoint)endpoint).getSSLHonorCipherOrder(); }
+    public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { ((AprEndpoint)endpoint).setSSLHonorCipherOrder(SSLHonorCipherOrder); }
+
+
+    /**
      * SSL certificate file.
      */
     public String getSSLCertificateFile() { return ((AprEndpoint)endpoint).getSSLCertificateFile(); }
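Review bot: The Javadoc continuation line directly under `SSL honor cipher order.` is indented with a tab while every neighbouring line uses spaces, so the comment's indentation is inconsistent with the rest of the file; replace it with `     *`. The comment is also attached to the getter only, leaving `setSSLHonorCipherOrder` undocumented; since both accessors just forward to the endpoint, a one-liner such as `/** Forwards to {@link AprEndpoint#setSSLHonorCipherOrder(boolean)}. */` on the setter is enough. The enclosing class continues outside the hunk.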

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1371283&r1=1371282&r2=1371283&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Aug  9 16:17:01 2012
@@ -317,6 +317,15 @@ public class AprEndpoint extends Abstrac
     public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
     public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
 
+    protected boolean SSLHonorCipherOrder = false;
+    /**
+     * Set to <code>true</code> to enforce the <i>server's</i> cipher order
+     * instead of the default which is to allow the client to choose a
+     * preferred cipher.
+     */
+    public void setSSLHonorCipherOrder(boolean SSLHonorCipherOrder) { this.SSLHonorCipherOrder = SSLHonorCipherOrder; }
+    public boolean getSSLHonorCipherOrder() { return SSLHonorCipherOrder; }
+
 
     /**
      * Port in use.
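Review bot: The Javadoc block is placed on `setSSLHonorCipherOrder`, so the new `SSLHonorCipherOrder` field and its getter carry no documentation even though the field is where the default is defined. Moving the comment above `protected boolean SSLHonorCipherOrder = false;` and adding a sentence such as `Defaults to false, keeping the previous behaviour of letting the client pick the cipher.` would make the default discoverable from the field. Mirroring the insecure-renegotiation accessors just above is otherwise consistent with the file's style. The class body continues outside the hunk.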
@@ -526,6 +535,24 @@ public class AprEndpoint extends Abstrac
                                           SSL.versionString()));
                 }
             }
+
+            // Set cipher order: client (default) or server
+            if (SSLHonorCipherOrder) {
+                boolean orderCiphersSupported = false;
+                try {
+                    orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+                    if (orderCiphersSupported)
+                        SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+                } catch (UnsatisfiedLinkError e) {
+                    // Ignore
+                }
+                if (!orderCiphersSupported) {
+                    // OpenSSL does not support ciphers ordering.
+                    log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+                                          SSL.versionString()));
+                }
+            }
+
             // List the ciphers that the client is permitted to negotiate
             SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
             // Load Server key and certificate
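Review bot: `orderCiphersSupported` becomes true as soon as `SSL.hasOp` returns, before `SSLContext.setOptions` is called, so if the second native call is the one that throws `UnsatisfiedLinkError` the flag stays true, the `endpoint.warn.noHonorCipherOrder` warning is skipped, and server cipher preference is silently not applied; set the flag only after the option is applied: `SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); orderCiphersSupported = true;`. The `// Ignore` in the catch would read better as `// Native library lacks this call; reported via the warning below`, since the error is in fact handled rather than dropped. The single-statement `if (orderCiphersSupported)` should be braced like the surrounding `if` blocks in this hunk. Note for operators, worth a sentence in the Javadoc or http.xml, that when the option is unsupported the connector still starts with client-chosen cipher order and only logs a warning, the same fall-through the insecure-renegotiation handling directly above appears to use. The enclosing method starts and ends outside the hunk.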

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1371283&r1=1371282&r2=1371283&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Thu Aug  9 16:17:01 2012
@@ -30,8 +30,9 @@ endpoint.poll.error=Unexpected poller er
 endpoint.process.fail=Error allocating socket processor
 endpoint.sendfile.error=Unexpected sendfile error
 endpoint.sendfile.addfail=Sendfile failure: [{0}] {1}
-endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL library {0}
+endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0}
 endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown.
+endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}
 endpoint.debug.channelCloseFail=Failed to close channel
 endpoint.debug.socketCloseFail=Failed to close socket
 endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be defined when using SSL with APR
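Review bot: The single quotes around `'Honor cipher order'` in the new `endpoint.warn.noHonorCipherOrder` message act as quoting delimiters if this string is formatted through MessageFormat, which the `{0}` placeholder and the `sm.getString(..., SSL.versionString())` caller suggest, so the logged text would come out without the quotes. To keep them, double each quote: `endpoint.warn.noHonorCipherOrder=''Honor cipher order'' option is not supported by the SSL library {0}`. Alternatively drop the quotes and name the connector attribute, e.g. `SSLHonorCipherOrder is not supported by the SSL library {0}`, which is the term an operator will search for in the log.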

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1371283&r1=1371282&r2=1371283&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Aug  9 16:17:01 2012
@@ -1177,6 +1177,12 @@
       supported).</p>
     </attribute>
 
+    <attribute name="SSLHonorCipherOrder" required="false">
+      <p>Set to <code>true</code> to enforce the server's cipher order
+      (from the <code>SSLCipherSuite</code> setting) instead of allowing
+      the client to choose the cipher (which is the default).</p>
+    </attribute>
+
     <attribute name="SSLPassword" required="false">
       <p>Pass phrase for the encrypted private key. If "SSLPassword" is not
       provided, the callback function should prompt for the pass phrase.</p>


