From bcab6935b43c2ef58bccd2603fc1549ff6b1cc72 Mon Sep 17 00:00:00 2001
From: markt
Date: Sun, 17 Apr 2011 00:02:29 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50173

Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for SSLProtocol.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1094089 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/tomcat/util/net/AprEndpoint.java | 10 ++++++++++
 java/org/apache/tomcat/util/net/res/LocalStrings.properties | 1 +
 webapps/docs/changelog.xml | 5 +++++
 3 files changed, 16 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 194e18ce0..6f4cb65aa 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -478,7 +478,17 @@ public class AprEndpoint extends AbstractEndpoint {
                 value = SSL.SSL_PROTOCOL_TLSV1;
             } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
                 value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+            } else if ("all".equalsIgnoreCase(SSLProtocol) ||
+                    SSLProtocol == null || SSLProtocol.length() == 0) {
+                // NOOP, use the default defined above
+            } else {
+                // Protocol not recognized, fail to start as it is safer than
+                // continuing with the default which might enable more than the
+                // is required
+                throw new Exception(sm.getString(
+                        "endpoint.apr.invalidSslProtocol", SSLProtocol));
             }
+
             // Create SSL Context
             sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
             if (SSLInsecureRenegotiation) {
diff --git a/java/org/apache/tomcat/util/net/res/LocalStrings.properties b/java/org/apache/tomcat/util/net/res/LocalStrings.properties
index 96bdd7ee3..cc6b16ac4 100644
--- a/java/org/apache/tomcat/util/net/res/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/res/LocalStrings.properties
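Review bot: The NOOP branch added for `"all"`, null and an empty SSLProtocol keeps `value` at the default assigned above the hunk (not visible here), and judging by the `SSLv2+SSLv3` branch that default can plausibly include SSLv2, so the `else` comment's own rationale — the default "might enable more than is required" — applies equally to what this branch accepts silently. I would log that the permissive default is in effect, e.g. `log.warn(sm.getString("endpoint.apr.defaultSslProtocol"));` in place of the NOOP comment (assuming AprEndpoint has a `log` field like the other endpoints — verify), and fix the typo in the `else` comment so it reads `// continuing with the default which might enable more than is required`. `throw new Exception(...)` is presumably consistent with the existing SSLCertificateFile check this method already performs, but an `IllegalArgumentException` with the same message would state the intent (bad configuration) more precisely without widening the method's throws clause. The enclosing method begins and ends outside this hunk.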
@@ -46,3 +46,4 @@ endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forci
 endpoint.debug.channelCloseFail=Failed to close channel
 endpoint.debug.socketCloseFail=Failed to close socket
 endpoint.apr.noSslCertFile=Connector attribute SSLCertificateFile must be defined when using SSL with APR
+endpoint.apr.invalidSslProtocol=An invalid value [{0}] was provided for the SSLProtocol attribute
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 585252319..cffcb469c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -87,6 +87,11 @@
         timeout is set to zero or less. Based on a patch provided by Chris. (markt)
+
+        51073: Throw an exception and do not start the APR connector
+        if it is configured for SSL and an invalid value is provided for
+        SSLProtocol. (markt)
+
--
2.11.0