Posted to dev@tomcat.apache.org by rj...@apache.org on 2015/05/22 19:42:09 UTC
svn commit: r1681167 - in /tomcat/native/trunk/native: configure.in
include/ssl_private.h src/sslcontext.c src/sslnetwork.c src/sslutils.c
Author: rjung
Date: Fri May 22 17:42:09 2015
New Revision: 1681167
URL: http://svn.apache.org/r1681167
Log:
Port mod_ssl improvements to tcnative/ssl:
Partial backport of r1527294 from httpd/mod_ssl:
- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
they depend on TLS extension support or not
- for ECC support, set HAVE_X and change the rather awkward
#ifndef OPENSSL_NO_X lines accordingly
For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E
In addition:
- set and use HAVE_TLSV1_1 and HAVE_TLSV1_2 instead
of SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
- set and use HAVE_OCSP_STAPLING based on OCSP
availability
- drop configure option to enable OCSP in favor of
auto-detection
Modified:
tomcat/native/trunk/native/configure.in
tomcat/native/trunk/native/include/ssl_private.h
tomcat/native/trunk/native/src/sslcontext.c
tomcat/native/trunk/native/src/sslnetwork.c
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/configure.in
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/configure.in?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/configure.in (original)
+++ tomcat/native/trunk/native/configure.in Fri May 22 17:42:09 2015
@@ -149,17 +149,6 @@ AC_ARG_ENABLE(openssl,
esac
])
-AC_ARG_ENABLE(ocsp,
-[AS_HELP_STRING([--enable-ocsp],[Turn on OpenSSL OCSP verification support])],
-[
- case "${enableval}" in
- yes )
- APR_ADDTO(CFLAGS, [-DHAVE_OPENSSL_OCSP])
- AC_MSG_RESULT([Enabling OCSP verification support...])
- ;;
- esac
-])
-
if $use_openssl ; then
TCN_CHECK_SSL_TOOLKIT
fi
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Fri May 22 17:42:09 2015
@@ -201,17 +201,39 @@
"In order to read them you have to provide the pass phrases.\n" \
"Enter password :"
-#define OCSP_STATUS_OK 0
-#define OCSP_STATUS_REVOKED 1
-#define OCSP_STATUS_UNKNOWN 2
-
#define SSL_CIPHERS_ALWAYS_DISABLED ("!aNULL:!eNULL:!EXP:")
-/* ECC: make sure we have at least 1.0.0 */
+#if defined(SSL_OP_NO_TLSv1_1)
+#define HAVE_TLSV1_1
+#endif
+
+#if defined(SSL_OP_NO_TLSv1_2)
+#define HAVE_TLSV1_2
+#endif
+
+/**
+ * The following features all depend on TLS extension support.
+ * Within this block, check again for features (not version numbers).
+ */
+#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
+
+#define HAVE_TLSEXT
+
+/* ECC */
#if !defined(OPENSSL_NO_EC) && defined(TLSEXT_ECPOINTFORMAT_uncompressed)
-#define HAVE_ECC 1
+#define HAVE_ECC
+#endif
+
+/* OCSP stapling */
+#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
+#define HAVE_OCSP_STAPLING
+#define OCSP_STATUS_OK 0
+#define OCSP_STATUS_REVOKED 1
+#define OCSP_STATUS_UNKNOWN 2
#endif
+#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+
typedef struct {
/* client can have any number of cert/key pairs */
const char *cert_file;
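Review bot: The OCSP gate at the `#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)` line sits inside the TLS-extension block, so a build with OPENSSL_NO_TLSEXT (or without the SSL_set_tlsext_host_name macro) silently loses OCSP revocation checking, even though the code it guards in sslutils.c (ssl_verify_OCSP / ssl_ocsp_request) issues its own OCSP request rather than using the status extension. If that coupling is intended, record it in the comment, e.g. `/* OCSP: deliberately tied to TLSEXT, see sslutils.c */`; otherwise a separate `HAVE_OCSP` defined outside the TLSEXT block is what the verification path actually depends on, with HAVE_OCSP_STAPLING kept for status_cb use. Testing `defined(SSL_CTX_set_tlsext_status_cb)` also assumes the name remains a macro; should a later OpenSSL release turn it into a function, the feature drops out with no build error, so a version-number fallback is worth considering. Note too that HAVE_ECC no longer expands to 1, which would break any `#if HAVE_ECC` test in a file outside this diff — presumably there is none, but it is worth a grep.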
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Fri May 22 17:42:09 2015
@@ -110,7 +110,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
SSL_CTX *ctx = NULL;
if (protocol == SSL_PROTOCOL_TLSV1_2) {
-#ifdef SSL_OP_NO_TLSv1_2
+#ifdef HAVE_TLSV1_2
if (mode == SSL_MODE_CLIENT)
ctx = SSL_CTX_new(TLSv1_2_client_method());
else if (mode == SSL_MODE_SERVER)
@@ -119,7 +119,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
ctx = SSL_CTX_new(TLSv1_2_method());
#endif
} else if (protocol == SSL_PROTOCOL_TLSV1_1) {
-#ifdef SSL_OP_NO_TLSv1_1
+#ifdef HAVE_TLSV1_1
if (mode == SSL_MODE_CLIENT)
ctx = SSL_CTX_new(TLSv1_1_client_method());
else if (mode == SSL_MODE_SERVER)
@@ -159,11 +159,11 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
else
ctx = SSL_CTX_new(SSLv2_method());
#endif
-#ifndef SSL_OP_NO_TLSv1_2
+#ifndef HAVE_TLSV1_2
} else if (protocol & SSL_PROTOCOL_TLSV1_2) {
/* requested but not supported */
#endif
-#ifndef SSL_OP_NO_TLSv1_1
+#ifndef HAVE_TLSV1_1
} else if (protocol & SSL_PROTOCOL_TLSV1_1) {
/* requested but not supported */
#endif
@@ -210,11 +210,11 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma
SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
if (!(protocol & SSL_PROTOCOL_TLSV1))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
-#ifdef SSL_OP_NO_TLSv1_1
+#ifdef HAVE_TLSV1_1
if (!(protocol & SSL_PROTOCOL_TLSV1_1))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_1);
#endif
-#ifdef SSL_OP_NO_TLSv1_2
+#ifdef HAVE_TLSV1_2
if (!(protocol & SSL_PROTOCOL_TLSV1_2))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
#endif
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Fri May 22 17:42:09 2015
@@ -704,7 +704,6 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, getA
return len;
}
-
#else
/* OpenSSL is not supported.
* Create empty stubs.
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1681167&r1=1681166&r2=1681167&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Fri May 22 17:42:09 2015
@@ -30,14 +30,13 @@
extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
#endif
-#ifdef HAVE_OPENSSL_OCSP
+#ifdef HAVE_OCSP_STAPLING
#include <openssl/bio.h>
#include <openssl/ocsp.h>
/* defines with the values as seen by the asn1parse -dump openssl command */
#define ASN1_SEQUENCE 0x30
#define ASN1_OID 0x06
#define ASN1_STRING 0x86
-#pragma message("Using OCSP")
static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx);
static int ssl_ocsp_request(X509 *cert, X509 *issuer);
#endif
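Review bot: The guard at the `#ifdef HAVE_OCSP_STAPLING` line now enables this block whenever the OpenSSL headers provide OCSP and TLS extensions, whereas it previously required --enable-ocsp at configure time, so every default build now performs OCSP verification (and, judging from ssl_ocsp_request, presumably an outbound request during certificate verification) with nothing in the file recording the new default. A short comment above the include, e.g. `/* OCSP verification is enabled automatically when OpenSSL provides OCSP and TLSEXT (see ssl_private.h); the former --enable-ocsp switch no longer exists. */`, would make this visible to anyone building or operating the library. The macro name is also misleading here, since the guarded functions issue a direct OCSP request rather than handling stapled responses; the same name is used at the two later hunks in this file and in ssl_private.h.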
@@ -553,7 +552,7 @@ int SSL_callback_SSL_verify(int ok, X509
SSL_set_verify_result(ssl, X509_V_OK);
}
-#ifdef HAVE_OPENSSL_OCSP
+#ifdef HAVE_OCSP_STAPLING
/* First perform OCSP validation if possible */
if (ok) {
/* If there was an optional verification error, it's not
@@ -651,7 +650,7 @@ void SSL_callback_handshake(const SSL *s
}
-#ifdef HAVE_OPENSSL_OCSP
+#ifdef HAVE_OCSP_STAPLING
/* Function that is used to do the OCSP verification */
static int ssl_verify_OCSP(int ok, X509_STORE_CTX *ctx)
@@ -1158,5 +1157,5 @@ static int ssl_ocsp_request(X509 *cert,
return OCSP_STATUS_UNKNOWN;
}
-#endif /* HAS_OCSP_ENABLED */
+#endif /* HAVE_OCSP_STAPLING */
#endif /* HAVE_OPENSSL */