You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/04/18 22:16:19 UTC
[tomcat] branch 8.5.x updated: Don't warn that SSLv2Hello is
unavailable unless explicitly configured
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new ecc0c5f Don't warn that SSLv2Hello is unavailable unless explicitly configured
ecc0c5f is described below
commit ecc0c5f8dd3afd125daea4a9e944224ff275208a
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Apr 18 22:33:22 2019 +0100
Don't warn that SSLv2Hello is unavailable unless explicitly configured
---
java/org/apache/tomcat/util/net/SSLUtilBase.java | 17 ++++++++++++-----
java/org/apache/tomcat/util/net/jsse/JSSEUtil.java | 7 -------
.../org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 7 -------
webapps/docs/changelog.xml | 8 ++++++++
4 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index dc2c52c..a20b5c5 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -89,13 +89,21 @@ public abstract class SSLUtilBase implements SSLUtil {
// Calculate the enabled protocols
Set<String> configuredProtocols = sslHostConfig.getProtocols();
- if (!isTls13Available() &&
+ Set<String> implementedProtocols = getImplementedProtocols();
+ // If TLSv1.3 is not implemented and not explicitly requested we can
+ // ignore it. It is included in the defaults so it may be configured.
+ if (!implementedProtocols.contains(Constants.SSL_PROTO_TLSv1_3) &&
!sslHostConfig.isExplicitlyRequestedProtocol(Constants.SSL_PROTO_TLSv1_3)) {
- // TLS 1.3 not implemented and not explicitly requested so ignore it
- // if present
configuredProtocols.remove(Constants.SSL_PROTO_TLSv1_3);
}
- Set<String> implementedProtocols = getImplementedProtocols();
+ // Newer JREs are dropping support for SSLv2Hello. If it is not
+ // implemented and not explicitly requested we can ignore it. It is
+ // included in the defaults so it may be configured.
+ if (!implementedProtocols.contains(Constants.SSL_PROTO_SSLv2Hello) &&
+ !sslHostConfig.isExplicitlyRequestedProtocol(Constants.SSL_PROTO_SSLv2Hello)) {
+ configuredProtocols.remove(Constants.SSL_PROTO_SSLv2Hello);
+ }
+
List<String> enabledProtocols =
getEnabled("protocols", getLog(), warnTls13, configuredProtocols, implementedProtocols);
if (enabledProtocols.contains("SSLv3")) {
@@ -527,7 +535,6 @@ public abstract class SSLUtilBase implements SSLUtil {
protected abstract Set<String> getImplementedProtocols();
protected abstract Set<String> getImplementedCiphers();
protected abstract Log getLog();
- protected abstract boolean isTls13Available();
protected abstract boolean isTls13RenegAuthAvailable();
protected abstract SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception;
}
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
index 235fc4b..c30dac2 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
@@ -27,7 +27,6 @@ import java.util.Set;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.compat.JreVendor;
-import org.apache.tomcat.util.compat.TLS;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
@@ -134,12 +133,6 @@ public class JSSEUtil extends SSLUtilBase {
@Override
- protected boolean isTls13Available() {
- return TLS.isTlsv13Available();
- }
-
-
- @Override
protected boolean isTls13RenegAuthAvailable() {
// TLS 1.3 does not support authentication after the initial handshake
return false;
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 74e115f..e8f0b9b 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -26,7 +26,6 @@ import javax.net.ssl.X509KeyManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
-import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.util.net.SSLContext;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLUtilBase;
@@ -63,12 +62,6 @@ public class OpenSSLUtil extends SSLUtilBase {
@Override
- protected boolean isTls13Available() {
- return SSL.version() >= 0x1010100f;
- }
-
-
- @Override
protected boolean isTls13RenegAuthAvailable() {
// OpenSSL does support authentication after the initial handshake
return true;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b8a0685..7dc0c42 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -81,6 +81,14 @@
</scode>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ When running on newer JREs that don't support SSLv2Hello, don't warn
+ that it is not available unless explicitly configured. (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 8.5.40 (markt)" rtext="2019-04-12">
<subsection name="Catalina">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org