Posted to dev@tomcat.apache.org by sc...@apache.org on 2015/02/27 05:05:46 UTC

svn commit: r1662632 - in /tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java res/LocalStrings.properties

Author: schultz
Date: Fri Feb 27 04:05:46 2015
New Revision: 1662632

URL: http://svn.apache.org/r1662632
Log:
Additional fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
Include support for useServerCipherSuitesOrder for Java BIO connector.

Modified:
    tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1662632&r1=1662631&r2=1662632&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Fri Feb 27 04:05:46 2015
@@ -22,6 +22,8 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
@@ -52,6 +54,7 @@ import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.SSLSession;
@@ -773,6 +776,52 @@ public class JSSESocketFactory implement
     }
 
     /**
+     * Configures SSLEngine to honor cipher suites ordering based upon
+     * endpoint configuration.
+     *
+     * @throws InvalidAlgorithmParameterException If the runtime JVM doesn't
+     *         support this setting.
+     */
+    protected void configureUseServerCipherSuitesOrder(SSLServerSocket socket) {
+        String useServerCipherSuitesOrderStr = endpoint
+                .getUseServerCipherSuitesOrder().trim();
+
+        // Only use this feature if the user explicitly requested its use.
+        if(!"".equals(useServerCipherSuitesOrderStr)) {
+            SSLParameters sslParameters = socket.getSSLParameters();
+            boolean useServerCipherSuitesOrder =
+                    ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
+                            || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
+
+            try {
+                // This method is only available in Java 8+
+                // Check to see if the method exists, and then call it.
+                Method m = SSLParameters.class.getMethod("setUseCipherSuitesOrder",
+                                                         Boolean.TYPE);
+
+                m.invoke(sslParameters, Boolean.valueOf(useServerCipherSuitesOrder));
+            }
+            catch (NoSuchMethodException nsme) {
+                throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+                                                        nsme);
+            } catch (InvocationTargetException ite) {
+                // Should not happen
+                throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+                                                        ite);
+            } catch (IllegalArgumentException iae) {
+                // Should not happen
+                throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+                                                        iae);
+            } catch (IllegalAccessException e) {
+                // Should not happen
+                throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+                                                        e);
+            }
+            socket.setSSLParameters(sslParameters);
+        }
+    }
+
+    /**
      * Configures the given SSL server socket with the requested cipher suites,
      * protocol versions, and need for client authentication
      */
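Review bot: The message key the new method looks up, `endpoint.jsse.cannotHonorServerCipherOrder`, does not match the key added in the LocalStrings.properties hunk, `jsse.cannotHonorServerCipherOrder`, so the thrown exception will presumably carry the raw key (or whatever the StringManager's missing-resource fallback is) rather than the intended text; the four `sm.getString(...)` calls and the properties line should agree, e.g. `sm.getString("jsse.cannotHonorServerCipherOrder")`. The Javadoc declares `@throws InvalidAlgorithmParameterException`, but the body throws only `UnsupportedOperationException`, so the tag should read `@throws UnsupportedOperationException If the runtime JVM doesn't support this setting.` Only the `NoSuchMethodException` branch actually means the runtime lacks the setting; the `InvocationTargetException` branch wraps a failure inside `setUseCipherSuitesOrder` itself and would be clearer rethrowing `ite.getCause()` or using a distinct message, so an operator is not told to upgrade Java when the real cause is different. Since the method does nothing when the attribute is empty, the Javadoc should also state that leaving `useServerCipherSuitesOrder` unset keeps the JVM's default (client-preference) ordering rather than enforcing the server's.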
@@ -786,6 +835,7 @@ public class JSSESocketFactory implement
         // we don't know if client auth is needed -
         // after parsing the request we may re-handshake
         configureClientAuth(socket);
+        configureUseServerCipherSuitesOrder(socket);
     }
 
     /**

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=1662632&r1=1662631&r2=1662632&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Fri Feb 27 04:05:46 2015
@@ -35,3 +35,4 @@ jsseSupport.serverRenegDisabled=SSL serv
 jsseSupport.unexpectedData=Unexpected data read from input stream
 jsse.openssl.unknownElement=Unknown element in cipher string: {0}
 jsse.openssl.effectiveCiphers=Ciphers used: {0}
+jsse.cannotHonorServerCipherOrder=Java Runtime does not support "useServerCipherSuitesOrder". You must use Java 8 or later to use this feature.


