/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
public static final int SSL_OP_ALL = 0x00000FFF;
-
/* As server, disallow session resumption on renegotiation */
public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
+ /* Permit unsafe legacy renegotiation */
+ public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000;
+ /* If set, always create a new key when using tmp_eddh parameters */
+ public static final int SSL_OP_SINGLE_ECDH_USE = 0x00080000;
/* If set, always create a new key when using tmp_dh parameters */
public static final int SSL_OP_SINGLE_DH_USE = 0x00100000;
/* Set to always use the tmp_rsa key when doing RSA operations,
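Review bot: The comment introduced for SSL_OP_SINGLE_ECDH_USE names a `tmp_eddh` parameter that does not exist; the constant is the ECDH counterpart of the SSL_OP_SINGLE_DH_USE line directly below it, so the comment should read `/* If set, always create a new key when using tmp_ecdh parameters */`. The one-line comment on SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION also understates what the flag does: setting it tells the library to accept renegotiation from peers that do not support secure renegotiation, which is a deliberate downgrade, and the constant's documentation is the place to say so, e.g. `/* Permit unsafe legacy renegotiation with peers lacking secure-renegotiation support (security downgrade; off by default) */`. Everything else in this hunk is a plain constant addition.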
* Return last SSL error string
*/
public static native String getLastError();
+
+ /**
+ * Return true if SSL_OP_ if defined.
+ * <p>
+ * Currently used for testing weather the
+ * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.
+ * <p>
+ * @param op SSL_OP to test.
+ * @return true if SSL_OP is supported by OpenSSL library.
+ */
+ public static native boolean hasOp(int op);
+
}
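Review bot: The Javadoc summary for the new `hasOp` native is garbled ("Return true if SSL_OP_ if defined") and the explanatory paragraph has "weather" for "whether", so the method's contract is not actually stated. A summary that matches the `@param`/`@return` lines would be `Return true if the given SSL_OP_* option is supported by the OpenSSL library in use.` and the paragraph `Currently used for testing whether SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is supported by OpenSSL.`. It would also help callers to note that the answer depends on the native library the JVM loads, not on the Java constant being defined, since `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` is always present on the Java side after this change.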
+
public void setSSLVerifyDepth(int SSLVerifyDepth) { this.SSLVerifyDepth = SSLVerifyDepth; }
+ /**
+ * SSL allow insecure renegotiation for the the client that does not
+ * support the secure renegotiation.
+ */
+ protected boolean SSLInsecureRenegotiation = false;
+ public void seSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
+ public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
+
// --------------------------------------------------------- Public Methods
}
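Review bot: The new setter is named `seSSLInsecureRenegotiation`, while its getter and the neighbouring `setSSLVerifyDepth` follow the get/set convention; if the endpoint's attributes are applied by bean-style introspection, as those siblings suggest, the `SSLInsecureRenegotiation` attribute cannot be set at all and the feature silently stays at its default. The line should read `public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }`. The field Javadoc also has a doubled "the the" and should state the default, since false is the secure setting: `SSL allow insecure renegotiation for clients that do not support secure renegotiation. Defaults to false.`. The enclosing class continues outside the hunk.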
// Create SSL Context
sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+ if (SSLInsecureRenegotiation) {
+ if (SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ else {
+ // OpenSSL does not support unsafe legacy renegotiation.
+ log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+ SSL.versionString()));
+ }
+ }
// List the ciphers that the client is permitted to negotiate
SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
// Load Server key and certificate
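Review bot: When `hasOp` returns true the insecure option is applied to the context without any log output, so an operator has no record that this endpoint now accepts legacy renegotiation; only the failure branch logs. A `log.warn(...)` with a dedicated message in the success branch (a new message key alongside `endpoint.warn.noInsecureReneg`) would make the downgrade visible in the server log and in incident review. The comment on the else branch, `// OpenSSL does not support unsafe legacy renegotiation.`, also mis-describes the condition tested: `hasOp` being false means the library does not expose the `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` option, which is different from it refusing legacy renegotiation, so `// The SSL library does not provide the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option.` is more accurate. As a point of style the `if` branch is unbraced while the `else` is braced; brace both. The enclosing method starts and ends outside the hunk.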
endpoint.sendfile.error=Unexpected sendfile error
endpoint.sendfile.addfail=Sednfile failure: [{0}] {1}
endpoint.sendfile.nosupport=Disabling sendfile, since either the APR version or the system doesn't support it
+endpoint.warn.noInsecureReneg=Secure renegotation is not supported by the SSL library {0}
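Review bot: The new message has a typo, "renegotation", and its wording does not describe what the caller tested: it is logged when `SSL.hasOp(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)` is false, i.e. the library does not offer that option, not that secure renegotiation is unsupported. A message matching the check would be `endpoint.warn.noInsecureReneg=The SSL library {0} does not support the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option; SSLInsecureRenegotiation was not applied`.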
<subsection name="Coyote">
<changelog>
<update>
+ Port SSLInsecureRenegotiation from mod_ssl. This requires
+ to use tomcat-native 1.2.21 that have option to detect this
+ support from OpenSSL library. (mturk)
+ </update>
+ <update>
Allow bigger AJP packets also for request bodies and responses
using the packetSize attribute of the Connector. (rjung)
</update>