Posted to dev@tomcat.apache.org by sc...@apache.org on 2015/02/27 03:48:24 UTC
svn commit: r1662627 - in /tomcat/tc8.0.x/trunk: ./
java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/res/
webapps/docs/ webapps/docs/config/
Author: schultz
Date: Fri Feb 27 02:48:23 2015
New Revision: 1662627
URL: http://svn.apache.org/r1662627
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
Respect TLS server cipher ordering in JSSE-based connectors.
Based upon a patch provided by Ognjen Blagojevic.
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
Propchange: tomcat/tc8.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Feb 27 02:48:23 2015
@@ -1 +1 @@
-/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548
+/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,1644892
,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,1657
907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1662627&r1=1662626&r2=1662627&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Fri Feb 27 02:48:23 2015
@@ -18,6 +18,8 @@ package org.apache.tomcat.util.net;
import java.io.File;
import java.io.OutputStreamWriter;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.ArrayList;
@@ -31,6 +33,8 @@ import java.util.concurrent.Executor;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
import org.apache.juli.logging.Log;
import org.apache.tomcat.util.IntrospectionUtils;
@@ -728,12 +732,29 @@ public abstract class AbstractEndpoint<S
public abstract void stopInternal() throws Exception;
public final void init() throws Exception {
+ testServerCipherSuitesOrderSupport();
if (bindOnInit) {
bind();
bindState = BindState.BOUND_ON_INIT;
}
}
+ private void testServerCipherSuitesOrderSupport() {
+ // Only test this feature if the user explicitly requested its use.
+ if(!"".equals(getUseServerCipherSuitesOrder().trim())) {
+ try {
+ // This method is only available in Java 8+
+ // Check to see if the method exists, and then call it.
+ SSLParameters.class.getMethod("setUseCipherSuitesOrder",
+ Boolean.TYPE);
+ }
+ catch (NoSuchMethodException nsme) {
+ throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+ nsme);
+ }
+ }
+ }
+
public final void start() throws Exception {
if (bindState == BindState.UNBOUND) {
bind();
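Review bot: testServerCipherSuitesOrderSupport only checks that the attribute is non-blank, so a mistyped value such as `ture` passes init() and is later mapped to `false` by configureUseServerCipherSuitesOrder, silently leaving the client's cipher preference in control when the operator meant to enforce the server's. Since this method exists to fail fast on misconfiguration, it should also reject values outside the accepted set, roughly `String v = getUseServerCipherSuitesOrder().trim(); if (!v.isEmpty() && !(v.equalsIgnoreCase("true") || v.equalsIgnoreCase("yes") || v.equalsIgnoreCase("false") || v.equalsIgnoreCase("no"))) throw new IllegalArgumentException(sm.getString("<new LocalStrings key>", v));` — the same applies to setUseServerCipherSuitesOrder in the next hunk, which accepts any string. The comment `Check to see if the method exists, and then call it.` is inaccurate here because only getMethod is called; `Check that the Java 8 method exists; it is invoked later in configureUseServerCipherSuitesOrder.` describes what happens. start() continues past the end of the hunk.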
@@ -934,6 +955,10 @@ public abstract class AbstractEndpoint<S
*/
public abstract String[] getCiphersUsed();
+ private String useServerCipherSuitesOrder = "";
+ public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
+ public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
+
private String keyAlias = null;
public String getKeyAlias() { return keyAlias;}
public void setKeyAlias(String s ) { keyAlias = s;}
@@ -1035,6 +1060,51 @@ public abstract class AbstractEndpoint<S
protected final Set<SocketWrapper<S>> waitingRequests = Collections
.newSetFromMap(new ConcurrentHashMap<SocketWrapper<S>, Boolean>());
+ /**
+ * Configures SSLEngine to honor cipher suites ordering based upon
+ * endpoint configuration.
+ *
+ * @throws InvalidAlgorithmParameterException If the runtime JVM doesn't
+ * support this setting.
+ */
+ protected void configureUseServerCipherSuitesOrder(SSLEngine engine) {
+ String useServerCipherSuitesOrderStr = this
+ .getUseServerCipherSuitesOrder().trim();
+
+ // Only use this feature if the user explicitly requested its use.
+ if(!"".equals(useServerCipherSuitesOrderStr)) {
+ SSLParameters sslParameters = engine.getSSLParameters();
+ boolean useServerCipherSuitesOrder =
+ ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
+ || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
+
+ try {
+ // This method is only available in Java 8+
+ // Check to see if the method exists, and then call it.
+ Method m = SSLParameters.class.getMethod("setUseCipherSuitesOrder",
+ Boolean.TYPE);
+
+ m.invoke(sslParameters, Boolean.valueOf(useServerCipherSuitesOrder));
+ }
+ catch (NoSuchMethodException nsme) {
+ throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+ nsme);
+ } catch (InvocationTargetException ite) {
+ // Should not happen
+ throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+ ite);
+ } catch (IllegalArgumentException iae) {
+ // Should not happen
+ throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+ iae);
+ } catch (IllegalAccessException e) {
+ // Should not happen
+ throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
+ e);
+ }
+ engine.setSSLParameters(sslParameters);
+ }
+ }
/**
* The async timeout thread.
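Review bot: The Javadoc on configureUseServerCipherSuitesOrder declares `@throws InvalidAlgorithmParameterException`, but nothing in the body throws that type; every catch block rethrows UnsupportedOperationException, so the tag should read `@throws UnsupportedOperationException If the runtime JVM doesn't support this setting (Java 8 or later is required).` The boolean mapping treats any value other than `true`/`yes` as `false` with no logging, which is lenient for a setting that decides whose cipher preference wins the handshake; a debug-level log of the effective value after `engine.setSSLParameters(sslParameters)` would make the policy actually applied observable, and validating the value where it is set would avoid the silent downgrade. The four catch blocks are identical, so if the build's source level is Java 7 or later a single multi-catch `catch (NoSuchMethodException | InvocationTargetException | IllegalArgumentException | IllegalAccessException e)` would say the same thing in one place. The Javadoc block that starts at the hunk's last lines continues outside the hunk.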
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1662627&r1=1662626&r2=1662627&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Fri Feb 27 02:48:23 2015
@@ -563,7 +563,9 @@ public class Nio2Endpoint extends Abstra
engine.setEnabledCipherSuites(enabledCiphers);
engine.setEnabledProtocols(enabledProtocols);
+ configureUseServerCipherSuitesOrder(engine);
handler.onCreateSSLEngine(engine);
+
return engine;
}
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1662627&r1=1662626&r2=1662627&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Fri Feb 27 02:48:23 2015
@@ -588,7 +588,9 @@ public class NioEndpoint extends Abstrac
engine.setEnabledCipherSuites(enabledCiphers);
engine.setEnabledProtocols(enabledProtocols);
+ configureUseServerCipherSuitesOrder(engine);
handler.onCreateSSLEngine(engine);
+
return engine;
}
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1662627&r1=1662626&r2=1662627&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Fri Feb 27 02:48:23 2015
@@ -63,6 +63,7 @@ endpoint.apr.pollUnknownEvent=A socket w
endpoint.apr.remoteport=APR socket [{0}] opened with remote port [{1}]
endpoint.nio.selectorCloseFail=Failed to close selector when closing the poller
endpoint.nio2.exclusiveExecutor=The NIO2 connector requires an exclusive executor to operate properly on shutdown
+endpoint.jsse.cannotHonorServerCipherOrder=Java Runtime does not support "useServerCipherSuitesOrder". You must use Java 8 or later to use this feature.
channel.nio.interrupted=The current thread was interrupted
channel.nio.ssl.notHandshaking=NOT_HANDSHAKING during handshake
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1662627&r1=1662626&r2=1662627&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri Feb 27 02:48:23 2015
@@ -61,6 +61,11 @@
Directory. (kfujino)
</fix>
<fix>
+ <bug>55988</bug>: Add support for Java 8 JSSE server-preferred TLS
+ cipher suite ordering. This feature requires Java 8.
+ Based upon a patch provided by Ognjen Blagojevic. (schultz)
+ </fix>
+ <fix>
Correct a regression in the fix for <bug>57190</bug> that incorrectly
required the path passed to
<code>ServletContext.getContext(String)</code> to be an exact match to a
Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1662627&r1=1662626&r2=1662627&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Fri Feb 27 02:48:23 2015
@@ -1086,6 +1086,17 @@
</p>
</attribute>
+ <attribute name="useServerCipherSuitesOrder" required="false">
+ <p>
+ Set to <code>true</code> to enforce the server's cipher order
+ (from the <code>ciphers</code> setting). Set to <code>false</code>
+ to choose the first acceptable cipher suite presented by the client.
+ <b>Use of this feature requires Java 8 or later.</b>
+ Default is <i>undefined</i>, leaving the choice up to the JSSE
+ implementation.
+ </p>
+ </attribute>
+
<attribute name="ciphers" required="false">
<p>If specified and using ',' as a separator, only the ciphers that are
listed and supported by the SSL implementation will be used.
Re: svn commit: r1662627 - in /tomcat/tc8.0.x/trunk: ./
java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/res/
webapps/docs/ webapps/docs/config/
Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,
On 2/26/15 9:48 PM, schultz@apache.org wrote:
> Author: schultz
> Date: Fri Feb 27 02:48:23 2015
> New Revision: 1662627
>
> URL: http://svn.apache.org/r1662627
> Log:
> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=55988
> Respect TLS server cipher ordering in JSSE-based connectors.
> Based upon a patch provided by Ognjen Blagojevic.
>
> Modified:
> tomcat/tc8.0.x/trunk/ (props changed)
> tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
> tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
> tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
> tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
> tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
> tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
I missed the JioEndpoint in this patch. I'm working on an additional
patch to add it.
-chris
> Propchange: tomcat/tc8.0.x/trunk/
> ------------------------------------------------------------------------------
> --- svn:mergeinfo (original)
> +++ svn:mergeinfo Fri Feb 27 02:48:23 2015
> @@ -1 +1 @@
> -/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,164489
2
> ,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,165
7
> 907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548
> +/tomcat/trunk:1636524,1637156,1637176,1637188,1637331,1637684,1637695,1638720-1638725,1639653,1640010,1640083-1640084,1640088,1640275,1640322,1640347,1640361,1640365,1640403,1640410,1640652,1640655-1640658,1640688,1640700-1640883,1640903,1640976,1640978,1641000,1641026,1641038-1641039,1641051-1641052,1641058,1641064,1641300,1641369,1641374,1641380,1641486,1641634,1641656-1641692,1641704,1641707-1641718,1641720-1641722,1641735,1641981,1642233,1642280,1642554,1642564,1642595,1642606,1642668,1642679,1642697,1642699,1642766,1643002,1643045,1643054-1643055,1643066,1643121,1643128,1643206,1643209-1643210,1643216,1643249,1643270,1643283,1643309-1643310,1643323,1643365-1643366,1643370-1643371,1643465,1643474,1643536,1643570,1643634,1643649,1643651,1643654,1643675,1643731,1643733-1643734,1643761,1643766,1643814,1643937,1643963,1644017,1644169,1644201-1644203,1644321,1644323,1644516,1644523,1644529,1644535,1644730,1644768,1644784-1644785,1644790,1644793,1644815,1644884,1644886,1644890,164489
2
> ,1644910,1644924,1644929-1644930,1644935,1644989,1645011,1645247,1645355,1645357-1645358,1645455,1645465,1645469,1645471,1645473,1645475,1645486-1645488,1645626,1645641,1645685,1645743,1645763,1645951-1645953,1645955,1645993,1646098-1646106,1646178,1646220,1646302,1646304,1646420,1646470-1646471,1646476,1646559,1646717-1646723,1646773,1647026,1647042,1647530,1647655,1648304,1648815,1648907,1650081,1650365,1651116,1651120,1651280,1651470,1652938,1652970,1653041,1653471,1653550,1653574,1653797,1653815-1653816,1653819,1653840,1653857,1653888,1653972,1654013,1654030,1654050,1654123,1654148,1654159,1654513,1654515,1654517,1654522,1654524,1654725,1654735,1654766,1654785,1654851-1654852,1654978,1655122-1655124,1655126-1655127,1655129-1655130,1655132-1655133,1655312,1655438,1655441,1655454,1655558,1656087,1656299,1656319,1656331,1656345,1656350,1656590,1656648-1656650,1656657,1657041,1657054,1657374,1657492,1657510,1657565,1657580,1657584,1657586,1657589,1657592,1657607,1657609,1657682,165
7
> 907,1658207,1658734,1658781,1658790,1658799,1658802,1658804,1658833,1658840,1658966,1659043,1659053,1659059,1659188-1659189,1659216,1659263,1659293,1659304,1659306-1659307,1659382,1659384,1659428,1659471,1659486,1659505,1659516,1659521,1659524,1659559,1659562,1659803,1659806,1659814,1659833,1659862,1659905,1659919,1659948,1659967,1659983-1659984,1660060,1660074,1660077,1660133,1660168,1660331-1660332,1660353,1660358,1660924,1661386,1661867,1661972,1661990,1662200,1662308-1662309,1662548,1662614
>
> Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
> URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1662627&r1=1662626&r2=1662627&view=diff
> ==============================================================================
> --- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
> +++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Fri Feb 27 02:48:23 2015
> @@ -18,6 +18,8 @@ package org.apache.tomcat.util.net;
>
> import java.io.File;
> import java.io.OutputStreamWriter;
> +import java.lang.reflect.InvocationTargetException;
> +import java.lang.reflect.Method;
> import java.net.InetAddress;
> import java.net.InetSocketAddress;
> import java.util.ArrayList;
> @@ -31,6 +33,8 @@ import java.util.concurrent.Executor;
> import java.util.concurrent.TimeUnit;
>
> import javax.net.ssl.KeyManagerFactory;
> +import javax.net.ssl.SSLEngine;
> +import javax.net.ssl.SSLParameters;
>
> import org.apache.juli.logging.Log;
> import org.apache.tomcat.util.IntrospectionUtils;
> @@ -728,12 +732,29 @@ public abstract class AbstractEndpoint<S
> public abstract void stopInternal() throws Exception;
>
> public final void init() throws Exception {
> + testServerCipherSuitesOrderSupport();
> if (bindOnInit) {
> bind();
> bindState = BindState.BOUND_ON_INIT;
> }
> }
>
> + private void testServerCipherSuitesOrderSupport() {
> + // Only test this feature if the user explicitly requested its use.
> + if(!"".equals(getUseServerCipherSuitesOrder().trim())) {
> + try {
> + // This method is only available in Java 8+
> + // Check to see if the method exists, and then call it.
> + SSLParameters.class.getMethod("setUseCipherSuitesOrder",
> + Boolean.TYPE);
> + }
> + catch (NoSuchMethodException nsme) {
> + throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
> + nsme);
> + }
> + }
> + }
> +
> public final void start() throws Exception {
> if (bindState == BindState.UNBOUND) {
> bind();
> @@ -934,6 +955,10 @@ public abstract class AbstractEndpoint<S
> */
> public abstract String[] getCiphersUsed();
>
> + private String useServerCipherSuitesOrder = "";
> + public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
> + public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
> +
> private String keyAlias = null;
> public String getKeyAlias() { return keyAlias;}
> public void setKeyAlias(String s ) { keyAlias = s;}
> @@ -1035,6 +1060,51 @@ public abstract class AbstractEndpoint<S
> protected final Set<SocketWrapper<S>> waitingRequests = Collections
> .newSetFromMap(new ConcurrentHashMap<SocketWrapper<S>, Boolean>());
>
> + /**
> + * Configures SSLEngine to honor cipher suites ordering based upon
> + * endpoint configuration.
> + *
> + * @throws InvalidAlgorithmParameterException If the runtime JVM doesn't
> + * support this setting.
> + */
> + protected void configureUseServerCipherSuitesOrder(SSLEngine engine) {
> + String useServerCipherSuitesOrderStr = this
> + .getUseServerCipherSuitesOrder().trim();
> +
> + // Only use this feature if the user explicitly requested its use.
> + if(!"".equals(useServerCipherSuitesOrderStr)) {
> + SSLParameters sslParameters = engine.getSSLParameters();
> + boolean useServerCipherSuitesOrder =
> + ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
> + || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
> +
> + try {
> + // This method is only available in Java 8+
> + // Check to see if the method exists, and then call it.
> + Method m = SSLParameters.class.getMethod("setUseCipherSuitesOrder",
> + Boolean.TYPE);
> +
> + m.invoke(sslParameters, Boolean.valueOf(useServerCipherSuitesOrder));
> + }
> + catch (NoSuchMethodException nsme) {
> + throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
> + nsme);
> + } catch (InvocationTargetException ite) {
> + // Should not happen
> + throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
> + ite);
> + } catch (IllegalArgumentException iae) {
> + // Should not happen
> + throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
> + iae);
> + } catch (IllegalAccessException e) {
> + // Should not happen
> + throw new UnsupportedOperationException(sm.getString("endpoint.jsse.cannotHonorServerCipherOrder"),
> + e);
> + }
> + engine.setSSLParameters(sslParameters);
> + }
> + }
>
> /**
> * The async timeout thread.
>
> Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
> URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1662627&r1=1662626&r2=1662627&view=diff
> ==============================================================================
> --- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
> +++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Fri Feb 27 02:48:23 2015
> @@ -563,7 +563,9 @@ public class Nio2Endpoint extends Abstra
> engine.setEnabledCipherSuites(enabledCiphers);
> engine.setEnabledProtocols(enabledProtocols);
>
> + configureUseServerCipherSuitesOrder(engine);
> handler.onCreateSSLEngine(engine);
> +
> return engine;
> }
>
>
> Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
> URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1662627&r1=1662626&r2=1662627&view=diff
> ==============================================================================
> --- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
> +++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Fri Feb 27 02:48:23 2015
> @@ -588,7 +588,9 @@ public class NioEndpoint extends Abstrac
> engine.setEnabledCipherSuites(enabledCiphers);
> engine.setEnabledProtocols(enabledProtocols);
>
> + configureUseServerCipherSuitesOrder(engine);
> handler.onCreateSSLEngine(engine);
> +
> return engine;
> }
>
>
> Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties
> URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties?rev=1662627&r1=1662626&r2=1662627&view=diff
> ==============================================================================
> --- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties (original)
> +++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/res/LocalStrings.properties Fri Feb 27 02:48:23 2015
> @@ -63,6 +63,7 @@ endpoint.apr.pollUnknownEvent=A socket w
> endpoint.apr.remoteport=APR socket [{0}] opened with remote port [{1}]
> endpoint.nio.selectorCloseFail=Failed to close selector when closing the poller
> endpoint.nio2.exclusiveExecutor=The NIO2 connector requires an exclusive executor to operate properly on shutdown
> +endpoint.jsse.cannotHonorServerCipherOrder=Java Runtime does not support "useServerCipherSuitesOrder". You must use Java 8 or later to use this feature.
>
> channel.nio.interrupted=The current thread was interrupted
> channel.nio.ssl.notHandshaking=NOT_HANDSHAKING during handshake
>
> Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
> URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1662627&r1=1662626&r2=1662627&view=diff
> ==============================================================================
> --- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
> +++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Fri Feb 27 02:48:23 2015
> @@ -61,6 +61,11 @@
> Directory. (kfujino)
> </fix>
> <fix>
> + <bug>55988</bug>: Add support for Java 8 JSSE server-preferred TLS
> + cipher suite ordering. This feature requires Java 8.
> + Based upon a patch provided by Ognjen Blagojevic. (schultz)
> + </fix>
> + <fix>
> Correct a regression in the fix for <bug>57190</bug> that incorrectly
> required the path passed to
> <code>ServletContext.getContext(String)</code> to be an exact match to a
>
> Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
> URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1662627&r1=1662626&r2=1662627&view=diff
> ==============================================================================
> --- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original)
> +++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Fri Feb 27 02:48:23 2015
> @@ -1086,6 +1086,17 @@
> </p>
> </attribute>
>
> + <attribute name="useServerCipherSuitesOrder" required="false">
> + <p>
> + Set to <code>true</code> to enforce the server's cipher order
> + (from the <code>ciphers</code> setting). Set to <code>false</code>
> + to choose the first acceptable cipher suite presented by the client.
> + <b>Use of this feature requires Java 8 or later.</b>
> + Default is <i>undefined</i>, leaving the choice up to the JSSE
> + implementation.
> + </p>
> + </attribute>
> +
> <attribute name="ciphers" required="false">
> <p>If specified and using ',' as a separator, only the ciphers that are
> listed and supported by the SSL implementation will be used.
>
>
>