From ddfe726a0aa368fcfda9028a1fa3f881ce02f091 Mon Sep 17 00:00:00 2001
From: rjung
Date: Mon, 11 Jul 2011 15:44:10 +0000
Subject: [PATCH] BZ 51477: Support all SSL protocol combinations in the APR/native connector.
This only works when using the native library version 1.1.21 or later which is not yet released. Older tcnative versions will use an unchanged config parser. Otherwise non-supported protocol combinations would be unnoticed. For easier review of the changes in AprEndpoint use "svn -x -w" to ignore white space.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1145209 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/tomcat/jni/Library.java | 5 ++
 java/org/apache/tomcat/util/net/AprEndpoint.java | 62 +++++++++++++++++-------
 webapps/docs/changelog.xml | 5 ++
 webapps/docs/config/http.xml | 12 +++--
 4 files changed, 63 insertions(+), 21 deletions(-)
diff --git a/java/org/apache/tomcat/jni/Library.java b/java/org/apache/tomcat/jni/Library.java
index de71253e8..3c6634ffc 100644
--- a/java/org/apache/tomcat/jni/Library.java
+++ b/java/org/apache/tomcat/jni/Library.java
@@ -102,6 +102,8 @@ public final class Library {
     public static int TCN_PATCH_VERSION = 0;
     /* TCN_IS_DEV_VERSION */
     public static int TCN_IS_DEV_VERSION = 0;
+    /* TCN_FULL_VERSION */
+    public static int TCN_FULL_VERSION = 0;
     /* APR_MAJOR_VERSION */
     public static int APR_MAJOR_VERSION = 0;
     /* APR_MINOR_VERSION */
@@ -178,6 +180,9 @@ public final class Library {
         TCN_MINOR_VERSION = version(0x02);
         TCN_PATCH_VERSION = version(0x03);
         TCN_IS_DEV_VERSION = version(0x04);
+        TCN_FULL_VERSION = TCN_MAJOR_VERSION * 1000 +
+                           TCN_MINOR_VERSION * 100 +
+                           TCN_PATCH_VERSION;
         APR_MAJOR_VERSION = version(0x11);
         APR_MINOR_VERSION = version(0x12);
         APR_PATCH_VERSION = version(0x13);
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 0128d218d..0fcf400ff 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
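Review bot: The new `TCN_FULL_VERSION = TCN_MAJOR_VERSION * 1000 + TCN_MINOR_VERSION * 100 + TCN_PATCH_VERSION` leaves one decimal digit for the minor component and two for the patch, so a native release such as 1.1.100 would encode as 1200 and be indistinguishable from 1.2.0, and the `<= 1120` gate added to AprEndpoint in this same commit keys off exactly this value. Wider multipliers, e.g. `TCN_FULL_VERSION = TCN_MAJOR_VERSION * 1000000 + TCN_MINOR_VERSION * 1000 + TCN_PATCH_VERSION;` with the gate adjusted to match, or at minimum a comment on the field stating the digit budget, would prevent a later patch number from silently flipping the parser selection. The `/* TCN_FULL_VERSION */` comment on the declaration could also note that this field is derived from the three `version(...)` values rather than read from the native library like its neighbours. The method containing the assignment starts and ends outside the hunk.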
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java 
@@ -471,24 +471,52 @@ public class AprEndpoint extends AbstractEndpoint {
             }
             // SSL protocol
-            int value = SSL.SSL_PROTOCOL_ALL;
-            if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_SSLV2;
-            } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_SSLV3;
-            } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_TLSV1;
-            } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
-                value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
-            } else if ("all".equalsIgnoreCase(SSLProtocol) ||
-                    SSLProtocol == null || SSLProtocol.length() == 0) {
-                // NOOP, use the default defined above
+            int value;
+            // This branch can be removed, once the required version is at least 1.1.21.
+            if (Library.TCN_FULL_VERSION <= 1120) {
+                value = SSL.SSL_PROTOCOL_ALL;
+                if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_SSLV2;
+                } else if ("SSLv3".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_SSLV3;
+                } else if ("TLSv1".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_TLSV1;
+                } else if ("SSLv2+SSLv3".equalsIgnoreCase(SSLProtocol)) {
+                    value = SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3;
+                } else if ("all".equalsIgnoreCase(SSLProtocol) ||
+                        SSLProtocol == null || SSLProtocol.length() == 0) {
+                    // NOOP, use the default defined above
+                } else {
+                    // Protocol not recognized, fail to start as it is safer than
+                    // continuing with the default which might enable more than the
+                    // is required
+                    throw new Exception(sm.getString(
+                            "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                }
             } else {
-                // Protocol not recognized, fail to start as it is safer than
-                // continuing with the default which might enable more than the
-                // is required
-                throw new Exception(sm.getString(
-                        "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                value = SSL.SSL_PROTOCOL_NONE;
+                if (SSLProtocol == null || SSLProtocol.length() == 0) {
+                    value = SSL.SSL_PROTOCOL_ALL;
+                } else {
+                    for (String protocol : SSLProtocol.split("\\+")) {
+                        protocol = protocol.trim();
+                        if ("SSLv2".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_SSLV2;
+                        } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_SSLV3;
+                        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_TLSV1;
+                        } else if ("all".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_ALL;
+                        } else {
+                            // Protocol not recognized, fail to start as it is safer than
+                            // continuing with the default which might enable more than the
+                            // is required
+                            throw new Exception(sm.getString(
+                                    "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                        }
+                    }
+                }
             }
             // Create SSL Context
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 29a9d6c95..8cedd45e8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -80,6 +80,11 @@
+ 51477Support all SSL protocol combinations in the APR/native + connector. This only works when using the native library version 1.1.21 + or later, which is not yet released. (rjung) + + Various refactorings to reduce code duplication and unnecessary code in the connectors. (markt)
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index ae5c241cf..b241d56ba 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -141,9 +141,9 @@
 either a blocking Java based connector or an APR/native based connector. If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems) environment variables contain the Tomcat native
-library, the native/APR connector will be used. If the native library
+library, the APR/native connector will be used. If the native library
 cannot be found, the blocking Java based connector will be used. Note
-that the native/APR connector has different settings for HTTPS than the
+that the APR/native connector has different settings for HTTPS than the
 Java connectors.
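Review bot: `SSLProtocol.split("\\+")` discards trailing empty strings, so a value such as `TLSv1+` is silently accepted as `TLSv1` while `+TLSv1` or `TLSv1++SSLv3` produce an empty token that falls into the `else` and aborts startup; `SSLProtocol.split("\\+", -1)` makes the new parser reject every malformed spelling consistently, in line with the fail-closed comment in that branch. Since the http.xml change in this same commit calls SSLv2 inherently unsafe, the new branch would also be a natural place to emit a warning when the computed mask contains `SSL.SSL_PROTOCOL_SSLV2`, whether set explicitly, via `all`, or via the empty-value default of `SSL.SSL_PROTOCOL_ALL` (assuming `SSL_PROTOCOL_ALL` still covers SSLv2 in the native library) — e.g. a `log.warn` after the loop, if the endpoint's logger is reachable here, so operators notice the exposure without startup failing. The three identical rejection blocks could share a small private helper that builds the exception, which would also keep the three-line explanatory comment in one place. The enclosing method starts before and ends after this hunk.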
To use an explicit protocol rather than rely on the auto-switching mechanism described above, the following values may be used:
@@ -1149,8 +1149,12 @@

 Protocol which may be used for communicating with clients. The default
-is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1"
-and "SSLv2+SSLv3".

+value is all, with other acceptable values being SSLv2,
+SSLv3, TLSv1 and SSLv2+SSLv3.
+Starting with version 1.1.21 of the Tomcat native
+library any combination of the three protocols concatenated with a
+plus sign will be supported. Note that the protocol SSLv2
+is inherently unsafe.

-- 2.11.0