[tomcat-native] 02/05: New upstream release (1.1.32) Disabled SSLv3 support

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Wed Dec 3 22:02:06 UTC 2014


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository tomcat-native.

commit 34213774c41014e273ffc763679ac14052ec0c14
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Nov 17 12:39:24 2014 +0100

    New upstream release (1.1.32)
    Disabled SSLv3 support
---
 debian/changelog                       |   8 +++
 debian/patches/drop_sslv2_support.diff | 109 ++++++++++++---------------------
 2 files changed, 48 insertions(+), 69 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 593c2ca..1008477 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat-native (1.1.32~repack-1) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * New upstream release
+  * Disabled SSLv3 support
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Mon, 17 Nov 2014 10:51:16 +0100
+
 tomcat-native (1.1.31-1) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/drop_sslv2_support.diff b/debian/patches/drop_sslv2_support.diff
index 7ea9c06..bc6fbdc 100644
--- a/debian/patches/drop_sslv2_support.diff
+++ b/debian/patches/drop_sslv2_support.diff
@@ -1,5 +1,4 @@
-Description: Drop all support for SSLv2 protocol since it's use has been
- deprecated, because of weaknesses in the security of the protocol.
+Description: Drop all support for SSLv2 and SSLv3 due to weaknesses in the protocols
 Author: Damien Raude-Morvan <drazzib at debian.org>
 Last-Update: 2013-08-12
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622141
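Review bot: The DEP-3 header's `Last-Update: 2013-08-12` is left untouched although this commit rewrites the patch body and its Description; it should be bumped to this revision's date (the commit is dated 2014-11-17) so the next maintainer can tell which upstream release the patch was last reconciled against. The new Description says SSLv3 support is dropped, but the native hunks below still honour an explicit `SSL_PROTOCOL_SSLV3` request and only the Java default changes; a clause such as `SSLv3 is no longer selected by default; it remains selectable via SSL_PROTOCOL_SSLV3` would state the actual scope.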
@@ -22,87 +21,55 @@ Forwarded: https://issues.apache.org/bugzilla/show_bug.cgi?id=51056
          try {
              /* Create SSL Context, one for each Virtual Host */
 -            serverCtx = SSLContext.make(serverPool, SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3, SSL.SSL_MODE_SERVER);
-+            serverCtx = SSLContext.make(serverPool, SSL.SSL_PROTOCOL_SSLV3, SSL.SSL_MODE_SERVER);
++            serverCtx = SSLContext.make(serverPool, SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_MODE_SERVER);
              /* List the ciphers that the client is permitted to negotiate. */
              SSLContext.setCipherSuite(serverCtx, serverCiphers);
              /* Load Server key and certificate */
---- a/jni/java/org/apache/tomcat/jni/SSL.java
-+++ b/jni/java/org/apache/tomcat/jni/SSL.java
-@@ -67,7 +67,6 @@
-      * Define the SSL Protocol options
-      */
-     public static final int SSL_PROTOCOL_NONE  = 0;
--    public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
-     public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
-     public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
-     public static final int SSL_PROTOCOL_ALL   = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
---- a/jni/java/org/apache/tomcat/jni/SSLContext.java
-+++ b/jni/java/org/apache/tomcat/jni/SSLContext.java
-@@ -29,9 +29,7 @@
-      * @param pool The pool to use.
-      * @param protocol The SSL protocol to use. It can be one of:
-      * <PRE>
--     * SSL_PROTOCOL_SSLV2
-      * SSL_PROTOCOL_SSLV3
--     * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
-      * SSL_PROTOCOL_TLSV1
-      * SSL_PROTOCOL_ALL
-      * </PRE>
 --- a/jni/native/include/ssl_private.h
 +++ b/jni/native/include/ssl_private.h
-@@ -114,10 +114,9 @@
-  * Define the SSL Protocol options
-  */
- #define SSL_PROTOCOL_NONE       (0)
--#define SSL_PROTOCOL_SSLV2      (1<<0)
- #define SSL_PROTOCOL_SSLV3      (1<<1)
+@@ -119,7 +119,7 @@
  #define SSL_PROTOCOL_TLSV1      (1<<2)
--#define SSL_PROTOCOL_ALL        (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
-+#define SSL_PROTOCOL_ALL        (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+ #define SSL_PROTOCOL_TLSV1_1    (1<<3)
+ #define SSL_PROTOCOL_TLSV1_2    (1<<4)
+-#define SSL_PROTOCOL_ALL        (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
++#define SSL_PROTOCOL_ALL        (SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
  
  #define SSL_MODE_CLIENT         (0)
  #define SSL_MODE_SERVER         (1)
 --- a/jni/native/src/sslcontext.c
 +++ b/jni/native/src/sslcontext.c
-@@ -72,6 +72,7 @@
-     UNREFERENCED(o);
- 
-     switch (protocol) {
-+#ifndef OPENSSL_NO_SSL2
-         case SSL_PROTOCOL_SSLV2:
-             if (mode == SSL_MODE_CLIENT)
-                 ctx = SSL_CTX_new(SSLv2_client_method());
-@@ -80,6 +81,7 @@
-             else
-                 ctx = SSL_CTX_new(SSLv2_method());
-         break;
-+#endif
-         case SSL_PROTOCOL_SSLV3:
-             if (mode == SSL_MODE_CLIENT)
-                 ctx = SSL_CTX_new(SSLv3_client_method());
-@@ -88,6 +90,7 @@
-             else
-                 ctx = SSL_CTX_new(SSLv3_method());
-         break;
-+#ifndef OPENSSL_NO_SSL2
-         case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
-         case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
-         case SSL_PROTOCOL_ALL:
-@@ -99,7 +102,13 @@
-             else
-                 ctx = SSL_CTX_new(SSLv23_method());
-         break;
+@@ -96,6 +96,7 @@
+             ctx = SSL_CTX_new(TLSv1_server_method());
+         else
+             ctx = SSL_CTX_new(TLSv1_method());
++#ifndef OPENSSL_NO_SSL3
+     } else if (protocol == SSL_PROTOCOL_SSLV3) {
+         if (mode == SSL_MODE_CLIENT)
+             ctx = SSL_CTX_new(SSLv3_client_method());
+@@ -103,6 +104,7 @@
+             ctx = SSL_CTX_new(SSLv3_server_method());
+         else
+             ctx = SSL_CTX_new(SSLv3_method());
 +#endif
+ #ifndef OPENSSL_NO_SSL2
+     } else if (protocol == SSL_PROTOCOL_SSLV2) {
+         if (mode == SSL_MODE_CLIENT)
+@@ -121,12 +123,14 @@
+         /* requested but not supported */
+ #endif
+     } else {
 +#ifndef OPENSSL_NO_SSL2
-         case SSL_PROTOCOL_TLSV1:
-+#else
-+	case SSL_PROTOCOL_ALL:
-+	case SSL_PROTOCOL_TLSV1:
+         if (mode == SSL_MODE_CLIENT)
+             ctx = SSL_CTX_new(SSLv23_client_method());
+         else if (mode == SSL_MODE_SERVER)
+             ctx = SSL_CTX_new(SSLv23_server_method());
+         else
+             ctx = SSL_CTX_new(SSLv23_method());
 +#endif
-             if (mode == SSL_MODE_CLIENT)
-                 ctx = SSL_CTX_new(TLSv1_client_method());
-             else if (mode == SSL_MODE_SERVER)
-@@ -127,8 +136,10 @@
+     }
+ 
+     if (!ctx) {
+@@ -148,10 +152,14 @@
      if (c->bio_os != NULL)
          BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
      SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
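Review bot: The `#ifndef OPENSSL_NO_SSL2` / `#endif` pair added around the final `else` branch in sslcontext.c compiles out the `SSLv23_*_method()` fallback on an OpenSSL built without SSLv2, leaving that branch empty and `ctx` NULL for every combined protocol value, including the new `SSL_PROTOCOL_ALL` and the `SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2` request the Java hunk now makes, so the `if (!ctx)` check right after it would turn the default configuration into a failure. `SSLv23_method()` is the version-flexible method and exists regardless of `OPENSSL_NO_SSL2`; the restriction to TLS belongs in the `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` options set further down the function, so the two new guard lines should simply be dropped. The previous revision of this patch routed `SSL_PROTOCOL_ALL` to the `TLSv1_*_method()` case under `OPENSSL_NO_SSL2`, which this revision no longer does. The branches that precede the visible ones and the rest of the function lie outside the hunk, so I cannot confirm whether another path assigns `ctx` for combined values.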
@@ -110,6 +77,10 @@ Forwarded: https://issues.apache.org/bugzilla/show_bug.cgi?id=51056
      if (!(protocol & SSL_PROTOCOL_SSLV2))
          SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2);
 +#endif
++#ifndef OPENSSL_NO_SSL3
      if (!(protocol & SSL_PROTOCOL_SSLV3))
          SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
++#endif
      if (!(protocol & SSL_PROTOCOL_TLSV1))
+         SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
+ #ifdef SSL_OP_NO_TLSv1_1
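Review bot: Wrapping the `SSL_OP_NO_SSLv3` call in `#ifndef OPENSSL_NO_SSL3` removes the explicit SSLv3 opt-out in exactly the build where the SSLv3 method functions are absent, yet the `SSL_OP_NO_SSLv3` option macro stays defined in every OpenSSL build, and a context created with the version-flexible `SSLv23_*_method()` relies on that option to refuse SSLv3 on OpenSSL releases where a no-ssl3 build could still negotiate it. Given the commit's stated goal, the safer form is to set the option without the conditional, `SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);`, or at least to leave the existing `if (!(protocol & SSL_PROTOCOL_SSLV3))` line unguarded. The same reasoning applies to the `#ifndef OPENSSL_NO_SSL2` guard that encloses the `SSL_OP_NO_SSLv2` line at the top of this hunk. The enclosing function starts and ends outside the hunk.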
