BZ 51477: Support all SSL protocol combinations in the

APR/native connector.

This only works when using the native library
version 1.1.21 or later which is not yet released.

Older tcnative versions will use an unchanged
config parser. Otherwise non-supported protocol
combinations would be unnoticed.

For easier review of the changes in AprEndpoint
use "svn -x -w" to ignore white space.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1145209 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/tomcat/jni/Library.java b/java/org/apache/tomcat/jni/Library.java
index de71253..3c6634f 100644 (file)
--- a/java/org/apache/tomcat/jni/Library.java
+++ b/java/org/apache/tomcat/jni/Library.java
@@ -102,6 +102,8 @@ public final class Library {
     public static int TCN_PATCH_VERSION  = 0;
     /* TCN_IS_DEV_VERSION */
     public static int TCN_IS_DEV_VERSION = 0;
+    /* TCN_FULL_VERSION */
+    public static int TCN_FULL_VERSION   = 0;
     /* APR_MAJOR_VERSION */
     public static int APR_MAJOR_VERSION  = 0;
     /* APR_MINOR_VERSION */
@@ -178,6 +180,9 @@ public final class Library {
             TCN_MINOR_VERSION  = version(0x02);
             TCN_PATCH_VERSION  = version(0x03);
             TCN_IS_DEV_VERSION = version(0x04);
+            TCN_FULL_VERSION   = TCN_MAJOR_VERSION * 1000 +
+                                 TCN_MINOR_VERSION * 100 +
+                                 TCN_PATCH_VERSION;
             APR_MAJOR_VERSION  = version(0x11);
             APR_MINOR_VERSION  = version(0x12);
             APR_PATCH_VERSION  = version(0x13);

diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 0128d21..0fcf400 100644 (file)
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -471,24 +471,52 @@ public class AprEndpoint extends AbstractEndpoint {
             }
 
             // SSL protocol
-            int value = SSL.SSL_PROTOCOL_ALL;
-            if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_SSLV2;
-            } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_SSLV3;
-            } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_TLSV1;
-            } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
-            } else if ("all".equalsIgnoreCase(SSLProtocol) ||
-                    SSLProtocol == null || SSLProtocol.length() == 0) {
-                // NOOP, use the default defined above
+            int value;
+            // This branch can be removed, once the required version is at least 1.1.21.
+            if (Library.TCN_FULL_VERSION <= 1120) {
+                value = SSL.SSL_PROTOCOL_ALL;
+                if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_SSLV2;
+                } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_SSLV3;
+                } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_TLSV1;
+                } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+                } else if ("all".equalsIgnoreCase(SSLProtocol) ||
+                        SSLProtocol == null || SSLProtocol.length() == 0) {
+                    // NOOP, use the default defined above
+                } else {
+                    // Protocol not recognized, fail to start as it is safer than
+                    // continuing with the default which might enable more than the
+                    // is required
+                    throw new Exception(sm.getString(
+                            "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                }
             } else {
-                // Protocol not recognized, fail to start as it is safer than
-                // continuing with the default which might enable more than the
-                // is required
-                throw new Exception(sm.getString(
-                        "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                value = SSL.SSL_PROTOCOL_NONE;
+                if (SSLProtocol == null || SSLProtocol.length() == 0) {
+                    value = SSL.SSL_PROTOCOL_ALL;
+                } else {
+                        for (String protocol : SSLProtocol.split("\\+")) {
+                        protocol = protocol.trim();
+                        if ("SSLv2".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_SSLV2;
+                        } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_SSLV3;
+                        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_TLSV1;
+                        } else if ("all".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_ALL;
+                        } else {
+                            // Protocol not recognized, fail to start as it is safer than
+                            // continuing with the default which might enable more than the
+                            // is required
+                            throw new Exception(sm.getString(
+                                    "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                        }
+                    }
+                }
             }
 
             // Create SSL Context

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 29a9d6c..8cedd45 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -80,6 +80,11 @@
   <subsection name="Coyote">
     <changelog>
       <update>
+        <bug>51477</bug>Support all SSL protocol combinations in the APR/native
+        connector. This only works when using the native library version 1.1.21
+        or later, which is not yet released. (rjung)
+      </update>
+      <update>
         Various refactorings to reduce code duplication and unnecessary code in
         the connectors. (markt)
       </update>

diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index ae5c241..b241d56 100644 (file)
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -141,9 +141,9 @@
         either a blocking Java based connector or an APR/native based connector.
         If the <code>PATH</code> (Windows) or <code>LD_LIBRARY_PATH</code> (on
         most unix systems) environment variables contain the Tomcat native
-        library, the native/APR connector will be used. If the native library
+        library, the APR/native connector will be used. If the native library
         cannot be found, the blocking Java based connector will be used. Note
-        that the native/APR connector has different settings for HTTPS than the
+        that the APR/native connector has different settings for HTTPS than the
         Java connectors.<br/>
         To use an explicit protocol rather than rely on the auto-switching
         mechanism described above, the following values may be used:<br/>
@@ -1149,8 +1149,12 @@
 
     <attribute name="SSLProtocol" required="false">
       <p>Protocol which may be used for communicating with clients. The default
-      is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1"
-      and "SSLv2+SSLv3".</p>
+      value is <code>all</code>, with other acceptable values being <code>SSLv2</code>,
+      <code>SSLv3</code>, <code>TLSv1</code> and <code>SSLv2+SSLv3</code>.
+      Starting with version 1.1.21 of the Tomcat native
+      library any combination of the three protocols concatenated with a
+      plus sign will be supported. Note that the protocol <code>SSLv2</code>
+      is inherently unsafe.</p>
     </attribute>
 
     <attribute name="SSLVerifyClient" required="false">