[tomcat-native] 02/05: New upstream release (1.1.32) Disabled SSLv3 support
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Wed Dec 3 22:02:06 UTC 2014
ebourg-guest pushed a commit to branch master
in repository tomcat-native.
commit 34213774c41014e273ffc763679ac14052ec0c14
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Nov 17 12:39:24 2014 +0100
New upstream release (1.1.32)
Disabled SSLv3 support
---
debian/changelog | 8 +++
debian/patches/drop_sslv2_support.diff | 109 ++++++++++++---------------------
2 files changed, 48 insertions(+), 69 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 593c2ca..1008477 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat-native (1.1.32~repack-1) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * New upstream release
+ * Disabled SSLv3 support
+
+ -- Emmanuel Bourg <ebourg at apache.org> Mon, 17 Nov 2014 10:51:16 +0100
+
tomcat-native (1.1.31-1) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/drop_sslv2_support.diff b/debian/patches/drop_sslv2_support.diff
index 7ea9c06..bc6fbdc 100644
--- a/debian/patches/drop_sslv2_support.diff
+++ b/debian/patches/drop_sslv2_support.diff
@@ -1,5 +1,4 @@
-Description: Drop all support for SSLv2 protocol since it's use has been
- deprecated, because of weaknesses in the security of the protocol.
+Description: Drop all support for SSLv2 and SSLv3 due to weaknesses in the protocols
Author: Damien Raude-Morvan <drazzib at debian.org>
Last-Update: 2013-08-12
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622141
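Review bot: The DEP-3 header's `Last-Update: 2013-08-12` line, visible as context at the end of the hunk, is left untouched although the patch is substantially reworked in this commit, and `Bug-Debian` still references only the SSLv2 bug; update the date to match the commit, `Last-Update: 2014-11-17`, and add a reference for the SSLv3 change if one exists. The new one-line Description also drops the explanation the old text carried; a second line such as ` Both protocols have known cryptographic weaknesses and should no longer be negotiated.` keeps the rationale for readers of the patch.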
@@ -22,87 +21,55 @@ Forwarded: https://issues.apache.org/bugzilla/show_bug.cgi?id=51056
try {
/* Create SSL Context, one for each Virtual Host */
- serverCtx = SSLContext.make(serverPool, SSL.SSL_PROTOCOL_SSLV2 | SSL.SSL_PROTOCOL_SSLV3, SSL.SSL_MODE_SERVER);
-+ serverCtx = SSLContext.make(serverPool, SSL.SSL_PROTOCOL_SSLV3, SSL.SSL_MODE_SERVER);
++ serverCtx = SSLContext.make(serverPool, SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2, SSL.SSL_MODE_SERVER);
/* List the ciphers that the client is permitted to negotiate. */
SSLContext.setCipherSuite(serverCtx, serverCiphers);
/* Load Server key and certificate */
---- a/jni/java/org/apache/tomcat/jni/SSL.java
-+++ b/jni/java/org/apache/tomcat/jni/SSL.java
-@@ -67,7 +67,6 @@
- * Define the SSL Protocol options
- */
- public static final int SSL_PROTOCOL_NONE = 0;
-- public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
- public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
- public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
- public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
---- a/jni/java/org/apache/tomcat/jni/SSLContext.java
-+++ b/jni/java/org/apache/tomcat/jni/SSLContext.java
-@@ -29,9 +29,7 @@
- * @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be one of:
- * <PRE>
-- * SSL_PROTOCOL_SSLV2
- * SSL_PROTOCOL_SSLV3
-- * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
- * SSL_PROTOCOL_TLSV1
- * SSL_PROTOCOL_ALL
- * </PRE>
--- a/jni/native/include/ssl_private.h
+++ b/jni/native/include/ssl_private.h
-@@ -114,10 +114,9 @@
- * Define the SSL Protocol options
- */
- #define SSL_PROTOCOL_NONE (0)
--#define SSL_PROTOCOL_SSLV2 (1<<0)
- #define SSL_PROTOCOL_SSLV3 (1<<1)
+@@ -119,7 +119,7 @@
#define SSL_PROTOCOL_TLSV1 (1<<2)
--#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
-+#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
+ #define SSL_PROTOCOL_TLSV1_1 (1<<3)
+ #define SSL_PROTOCOL_TLSV1_2 (1<<4)
+-#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
++#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
#define SSL_MODE_CLIENT (0)
#define SSL_MODE_SERVER (1)
--- a/jni/native/src/sslcontext.c
+++ b/jni/native/src/sslcontext.c
-@@ -72,6 +72,7 @@
- UNREFERENCED(o);
-
- switch (protocol) {
-+#ifndef OPENSSL_NO_SSL2
- case SSL_PROTOCOL_SSLV2:
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(SSLv2_client_method());
-@@ -80,6 +81,7 @@
- else
- ctx = SSL_CTX_new(SSLv2_method());
- break;
-+#endif
- case SSL_PROTOCOL_SSLV3:
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(SSLv3_client_method());
-@@ -88,6 +90,7 @@
- else
- ctx = SSL_CTX_new(SSLv3_method());
- break;
-+#ifndef OPENSSL_NO_SSL2
- case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3:
- case SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLSV1:
- case SSL_PROTOCOL_ALL:
-@@ -99,7 +102,13 @@
- else
- ctx = SSL_CTX_new(SSLv23_method());
- break;
+@@ -96,6 +96,7 @@
+ ctx = SSL_CTX_new(TLSv1_server_method());
+ else
+ ctx = SSL_CTX_new(TLSv1_method());
++#ifndef OPENSSL_NO_SSL3
+ } else if (protocol == SSL_PROTOCOL_SSLV3) {
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(SSLv3_client_method());
+@@ -103,6 +104,7 @@
+ ctx = SSL_CTX_new(SSLv3_server_method());
+ else
+ ctx = SSL_CTX_new(SSLv3_method());
+#endif
+ #ifndef OPENSSL_NO_SSL2
+ } else if (protocol == SSL_PROTOCOL_SSLV2) {
+ if (mode == SSL_MODE_CLIENT)
+@@ -121,12 +123,14 @@
+ /* requested but not supported */
+ #endif
+ } else {
+#ifndef OPENSSL_NO_SSL2
- case SSL_PROTOCOL_TLSV1:
-+#else
-+ case SSL_PROTOCOL_ALL:
-+ case SSL_PROTOCOL_TLSV1:
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(SSLv23_server_method());
+ else
+ ctx = SSL_CTX_new(SSLv23_method());
+#endif
- if (mode == SSL_MODE_CLIENT)
- ctx = SSL_CTX_new(TLSv1_client_method());
- else if (mode == SSL_MODE_SERVER)
-@@ -127,8 +136,10 @@
+ }
+
+ if (!ctx) {
+@@ -148,10 +152,14 @@
if (c->bio_os != NULL)
BIO_set_fp(c->bio_os, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
SSL_CTX_set_options(c->ctx, SSL_OP_ALL);
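Review bot: The `#ifndef OPENSSL_NO_SSL2` / `#endif` pair now wrapping the `SSLv23_*_method()` calls in the final `else` branch (the +123 hunk) leaves `ctx` NULL for every combined protocol value, including the new SSL_PROTOCOL_ALL, on an OpenSSL built without SSLv2, which is exactly the configuration that guard is meant for; the old revision's `#else` fallback to the TLSv1 methods, which this commit deletes, was covering that case. As far as I can tell OPENSSL_NO_SSL2 removes `SSLv2_method()` and friends, not the version-flexible `SSLv23_*_method()` family, so the two guard lines should simply be dropped rather than kept. Note also that SSL_PROTOCOL_SSLV3 stays defined in ssl_private.h and the `protocol == SSL_PROTOCOL_SSLV3` branch still creates an SSLv3 context whenever the library provides it, so the change only removes SSLv3 from the default/ALL selection; an explicitly configured SSLv3 is still honoured unless OpenSSL was built with OPENSSL_NO_SSL3, which is worth saying in the patch description. The enclosing function in sslcontext.c starts and ends outside this hunk.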
@@ -110,6 +77,10 @@ Forwarded: https://issues.apache.org/bugzilla/show_bug.cgi?id=51056
if (!(protocol & SSL_PROTOCOL_SSLV2))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv2);
+#endif
++#ifndef OPENSSL_NO_SSL3
if (!(protocol & SSL_PROTOCOL_SSLV3))
SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);
++#endif
if (!(protocol & SSL_PROTOCOL_TLSV1))
+ SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1);
+ #ifdef SSL_OP_NO_TLSv1_1
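Review bot: The `#ifndef OPENSSL_NO_SSL3` guard added around the SSL_OP_NO_SSLv3 block is unnecessary and slightly misleading: the SSL_OP_NO_* option bits are plain constants in OpenSSL's ssl.h and, as far as I know, are defined whether or not the corresponding protocol code is compiled in, so the call builds either way. More relevant to the commit's intent, the `if (!(protocol & SSL_PROTOCOL_SSLV3))` condition still lets a configured protocol mask that includes SSLV3 skip SSL_OP_NO_SSLv3 on the SSLv23 context, so SSLv3 is only off by default rather than disabled; if the latter is the goal, set it unconditionally, `SSL_CTX_set_options(c->ctx, SSL_OP_NO_SSLv3);`, and drop the guard. The enclosing function starts and ends outside this hunk.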