Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50173

author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Sun, 17 Apr 2011 00:02:29 +0000 (00:02 +0000)

committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Sun, 17 Apr 2011 00:02:29 +0000 (00:02 +0000)
author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sun, 17 Apr 2011 00:02:29 +0000 (00:02 +0000)
committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sun, 17 Apr 2011 00:02:29 +0000 (00:02 +0000)
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java

index 194e18c..6f4cb65 100644 (file)
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -478,7 +478,17 @@ public class AprEndpoint extends AbstractEndpoint {
                  value = SSL.SSL_PROTOCOL_TLSV1;
              } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
                  value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+            } else if ("all".equalsIgnoreCase(SSLProtocol) ||
+                    SSLProtocol == null || SSLProtocol.length() == 0) {
+                // NOOP, use the default defined above
+            } else {
+                // Protocol not recognized, fail to start as it is safer than
+                // continuing with the default which might enable more than the
+                // is required
+                throw new Exception(sm.getString(
+                        "endpoint.apr.invalidSslProtocol", SSLProtocol));
              }
+
              // Create SSL Context
              sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
              if (SSLInsecureRenegotiation) {
diff --git a/java/org/apache/tomcat/util/net/res/LocalStrings.properties b/java/org/apache/tomcat/util/net/res/LocalStrings.properties

index 96bdd7e..cc6b16a 100644 (file)
--- a/java/org/apache/tomcat/util/net/res/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/res/LocalStrings.properties
@@ -46,3 +46,4 @@ endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forci
  endpoint.debug.channelCloseFail=Failed to close channel
  endpoint.debug.socketCloseFail=Failed to close socket
  endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be defined when using SSL with APR
+endpoint.apr.invalidSslProtocol=An invalid value [{0}] was provided for the SSLProtocol attribute
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml

index 5852523..cffcb46 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -87,6 +87,11 @@
          timeout is set to zero or less. Based on a patch provided by Chris.
          (markt)
        </fix>
+      <fix>
+        <bug>51073</bug>: Throw an exception and do not start the APR connector
+        if it is configured for SSL and an invalid value is provided for
+        SSLProtocol. (markt)
+      </fix>
      </changelog>
    </subsection>
    <subsection name="Jasper">
author	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Sun, 17 Apr 2011 00:02:29 +0000 (00:02 +0000)
committer	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Sun, 17 Apr 2011 00:02:29 +0000 (00:02 +0000)
java/org/apache/tomcat/util/net/AprEndpoint.java		patch \| blob \| history
java/org/apache/tomcat/util/net/res/LocalStrings.properties		patch \| blob \| history
webapps/docs/changelog.xml		patch \| blob \| history