You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/02/13 13:10:53 UTC
svn commit: r1659530 - in /tomcat/tc8.0.x/trunk: ./
java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/
java/org/apache/tomcat/util/net/jsse/openssl/ webapps/docs/
Author: markt
Date: Fri Feb 13 12:10:53 2015
New Revision: 1659530
URL: http://svn.apache.org/r1659530
Log:
We have the full list of SSL/TLS ciphers and the associated effective bit strength so use it.
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/SSLSupport.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Feb 13 12:10:53 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/SSLSupport.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/SSLSupport.java?rev=1659530&r1=1659529&r2=1659530&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/SSLSupport.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/SSLSupport.java Fri Feb 13 12:10:53 2015
@@ -57,24 +57,6 @@ public interface SSLSupport {
/**
- * A mapping table to determine the number of effective bits in the key
- * when using a cipher suite containing the specified cipher name. The
- * underlying data came from the TLS Specification (RFC 2246), Appendix C.
- */
- static final CipherData ciphers[] = {
- new CipherData("_WITH_NULL_", 0),
- new CipherData("_WITH_IDEA_CBC_", 128),
- new CipherData("_WITH_RC2_CBC_40_", 40),
- new CipherData("_WITH_RC4_40_", 40),
- new CipherData("_WITH_RC4_128_", 128),
- new CipherData("_WITH_DES40_CBC_", 40),
- new CipherData("_WITH_DES_CBC_", 56),
- new CipherData("_WITH_3DES_EDE_CBC_", 168),
- new CipherData("_WITH_AES_128_CBC_", 128),
- new CipherData("_WITH_AES_256_CBC_", 256)
- };
-
- /**
* The cipher suite being used on this connection.
*/
public String getCipherSuite() throws IOException;
@@ -108,26 +90,6 @@ public interface SSLSupport {
/**
* The current session Id.
*/
- public String getSessionId()
- throws IOException;
- /**
- * Simple data class that represents the cipher being used, along with the
- * corresponding effective key size. The specified phrase must appear in the
- * name of the cipher suite to be recognized.
- */
-
- final class CipherData {
-
- public String phrase = null;
-
- public int keySize = 0;
-
- public CipherData(String phrase, int keySize) {
- this.phrase = phrase;
- this.keySize = keySize;
- }
-
- }
-
+ public String getSessionId() throws IOException;
}
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1659530&r1=1659529&r2=1659530&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Fri Feb 13 12:10:53 2015
@@ -37,6 +37,13 @@ import org.apache.tomcat.util.net.Server
public class JSSEImplementation extends SSLImplementation {
+ public JSSEImplementation() {
+ // Make sure the keySizeCache is loaded now as part of connector startup
+ // else the cache will be populated on first use which will slow that
+ // request down.
+ JSSESupport.init();
+ }
+
@Override
public String getImplementationName(){
return "JSSE";
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=1659530&r1=1659529&r2=1659530&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Fri Feb 13 12:10:53 2015
@@ -23,8 +23,8 @@ import java.io.InputStream;
import java.net.SocketException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
+import java.util.HashMap;
import java.util.Map;
-import java.util.WeakHashMap;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
@@ -35,6 +35,7 @@ import javax.security.cert.X509Certifica
import org.apache.tomcat.util.net.SSLSessionManager;
import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.jsse.openssl.Cipher;
import org.apache.tomcat.util.res.StringManager;
/** JSSESupport
@@ -59,8 +60,24 @@ class JSSESupport implements SSLSupport,
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
- private static final Map<SSLSession,Integer> keySizeCache =
- new WeakHashMap<>();
+ private static final Map<String,Integer> keySizeCache = new HashMap<>();
+
+ static {
+ for (Cipher cipher : Cipher.values()) {
+ for (String jsseName : cipher.getJsseNames()) {
+ keySizeCache.put(jsseName, Integer.valueOf(cipher.getStrength_bits()));
+ }
+ }
+ }
+
+ /*
+ * NO-OP method provided to make it easy for other classes in this package
+ * to trigger the loading of this class and the population of the
+ * keySizeCache.
+ */
+ static void init() {
+ // NO-OP
+ }
protected SSLSocket ssl;
protected SSLSession session;
@@ -205,33 +222,13 @@ class JSSESupport implements SSLSupport,
* Copied from <code>org.apache.catalina.valves.CertificateValve</code>
*/
@Override
- public Integer getKeySize()
- throws IOException {
+ public Integer getKeySize() throws IOException {
// Look up the current SSLSession
- SSLSupport.CipherData c_aux[]=ciphers;
- if (session == null)
+ if (session == null) {
return null;
-
- Integer keySize = null;
- synchronized(keySizeCache) {
- keySize = keySizeCache.get(session);
}
- if (keySize == null) {
- int size = 0;
- String cipherSuite = session.getCipherSuite();
- for (int i = 0; i < c_aux.length; i++) {
- if (cipherSuite.indexOf(c_aux[i].phrase) >= 0) {
- size = c_aux[i].keySize;
- break;
- }
- }
- keySize = Integer.valueOf(size);
- synchronized(keySizeCache) {
- keySizeCache.put(session, keySize);
- }
- }
- return keySize;
+ return keySizeCache.get(session.getCipherSuite());
}
@Override
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java?rev=1659530&r1=1659529&r2=1659530&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java Fri Feb 13 12:10:53 2015
@@ -34,7 +34,7 @@ import java.util.Set;
* @see <a href="https://www.openssl.org/docs/apps/ciphers.html"
* >Mapping of OpenSSL cipher suites names to registry names</a>
*/
-enum Cipher {
+public enum Cipher {
/* The RSA ciphers */
// Cipher 01
TLS_RSA_WITH_NULL_MD5(
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1659530&r1=1659529&r2=1659530&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri Feb 13 12:10:53 2015
@@ -130,6 +130,11 @@
<bug>57581</bug>: Change statistics byte counter in coyote Request
object to be long to allow values above 2Gb. (kkolinko)
</fix>
+ <update>
+ Use the data that supports cipher defintion using OpenSSL syntax to
+ improve the quality of values provided for the
+ <code>javax.servlet.request.key_size</code> request attribute. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org