diff --git a/.gitignore b/.gitignore index a88dd95..e655dd6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tomcatjss-7.1.2.tar.gz +SOURCES/tomcatjss-7.2.1.tar.gz diff --git a/.tomcatjss.metadata b/.tomcatjss.metadata index 5506bd5..f50e322 100644 --- a/.tomcatjss.metadata +++ b/.tomcatjss.metadata @@ -1 +1 @@ -add33e765de6154beee8927ea3bd5879cfa353bc SOURCES/tomcatjss-7.1.2.tar.gz +45e28de0d84a01b8e8dd4ee72737fa9426ac7109 SOURCES/tomcatjss-7.2.1.tar.gz diff --git a/SOURCES/tomcatjss-Build-Tomcat-7.0.68.patch b/SOURCES/tomcatjss-Build-Tomcat-7.0.68.patch deleted file mode 100644 index b3eb8dc..0000000 --- a/SOURCES/tomcatjss-Build-Tomcat-7.0.68.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- src/org/apache/tomcat/util/net/jss/JSSSupport.java 2015-04-20 12:34:46.000000000 -0600 -+++ src/org/apache/tomcat/util/net/jss/JSSSupport.java 2015-08-05 15:10:53.000000000 -0600 -@@ -97,6 +97,10 @@ class JSSSupport implements SSLSupport { - return null; - } - -+ public String getProtocol() throws IOException { -+ return null; -+ } -+ - public String getSessionId() throws IOException { - return null; - } diff --git a/SOURCES/tomcatjss-Comply-with-ASF-trademark-rules.patch b/SOURCES/tomcatjss-Comply-with-ASF-trademark-rules.patch new file mode 100644 index 0000000..f2ed9ba --- /dev/null +++ b/SOURCES/tomcatjss-Comply-with-ASF-trademark-rules.patch 
@@ -0,0 +1,56 @@ +From 7ace773ac5a46704c131bd1cc788d6db4568e401 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Mon, 12 Jun 2017 16:05:21 -0600 +Subject: [PATCH] Comply with ASF trademark rules + +- tomcatjss Pagure Issue #10 - Comply with ASF trademark rules (mharmsen) +--- + README | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/README b/README +index b8f3860..b3912ba 100644 +--- a/README ++++ b/README +@@ -1,23 +1,29 @@ +-tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to +-Network Security Services(NSS). ++JSS Connector for Apache Tomcat, installed via the tomcatjss package, ++is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that ++uses Java Security Services (JSS), a Java interface to Network Security ++Services (NSS). + +-tomcatjss defines a number of attributes for a Connector including: ++JSS Connector for Apache Tomcat defines a number of attributes for a Connector ++including: + + clientauth: specify if client authentication is required in the connector (or + port), it can be true or false. If true then client authentication is required. + + sslOptions: specify a comma-delimited list of ssl options to pass into the ssl + implementation. Each option takes the form of: option=[true|false]. +-tomcatjss supports the options: ssl2, ssl3, tls. ++JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls. + +-ssl2Ciphers: specify a list of SSL2 ciphers that tomcatjss should accept +-or reject from the client. You can use + to denote "accept", - means "reject". ++ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for ++Apache Tomcat should accept or reject from the client. You can use + to ++denote "accept", - means "reject" + +-ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept +-or reject from the client. You can use + to denote "accept", - means "reject". 
++ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for ++Apache Tomcat should accept or reject from the client. You can use + to ++denote "accept", - means "reject". + +-tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept +-or reject from the client. You can use + to denote "accept", - means "reject". ++tlsCiphers: specifies a list of TLS ciphers that JSS Connector for ++Apache Tomcat should accept or reject from the client. You can use + to ++denote "accept", - means "reject". + + serverCertNickFile: a file in which specify the nickname of the + server certificate. The file should contain a single line that contains +-- +2.9.4 diff --git a/SOURCES/tomcatjss-Fixed-SSL-cipher-list-parser.patch b/SOURCES/tomcatjss-Fixed-SSL-cipher-list-parser.patch new file mode 100644 index 0000000..f948210 --- /dev/null +++ b/SOURCES/tomcatjss-Fixed-SSL-cipher-list-parser.patch 
@@ -0,0 +1,94 @@ +From c14c8ec6b077721eddeddb125b9a4b0141e5e4aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Jun 2017 00:29:37 +0200 +Subject: [PATCH] Fixed SSL cipher list parser. + +The SSL cipher list parsers have been modified to ignore spaces +to allow more user-friendly formatting. + +https://pagure.io/tomcatjss/issue/9 + +Change-Id: Ic21f0347e06e20f64ef37de95f9d1f1ac3d1f0d2 +--- + .../apache/tomcat/util/net/jss/JSSImplementation.java | 5 +++-- + src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java | 16 ++++++++++++++-- + 2 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSImplementation.java b/src/org/apache/tomcat/util/net/jss/JSSImplementation.java +index 42dc8d2..8721844 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSImplementation.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSImplementation.java +@@ -25,6 +25,8 @@ import java.io.IOException; + import java.net.Socket; + import java.util.Properties; + ++import org.apache.commons.logging.Log; ++import org.apache.commons.logging.LogFactory; + import org.apache.tomcat.util.net.AbstractEndpoint; + import org.apache.tomcat.util.net.SSLImplementation; + import org.apache.tomcat.util.net.SSLSupport; +@@ -35,8 +37,7 @@ public class JSSImplementation extends SSLImplementation { + static final String JSSFactory = "org.apache.tomcat.util.net.jss.JSSFactory"; + static final String SSLSocketClass = "org.mozilla.jss.ssl.SSLSocket"; + +- static org.apache.commons.logging.Log logger = org.apache.commons.logging.LogFactory +- .getLog(JSSImplementation.class); ++ static Log logger = LogFactory.getLog(JSSImplementation.class); + + private JSSFactory factory = null; + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index 4992600..f974a89 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ 
b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -42,6 +42,8 @@ import javax.net.ssl.SSLContext; + import javax.net.ssl.TrustManager; + + import org.apache.commons.lang.StringUtils; ++import org.apache.commons.logging.Log; ++import org.apache.commons.logging.LogFactory; + // Imports required to "implement" Tomcat 7 Interface + import org.apache.tomcat.util.net.AbstractEndpoint; + import org.mozilla.jss.CertDatabaseException; +@@ -61,6 +63,8 @@ public class JSSSocketFactory implements + org.apache.tomcat.util.net.ServerSocketFactory, + org.apache.tomcat.util.net.SSLUtil { + ++ static Log logger = LogFactory.getLog(JSSSocketFactory.class); ++ + private static HashMap cipherMap = new HashMap(); + static { + // SSLv2 +@@ -382,9 +386,13 @@ public class JSSSocketFactory implements + debugWrite("JSSSocketFactory setSSLCiphers: " + attr + " not found"); + return; + } +- StringTokenizer st = new StringTokenizer(ciphers, ","); ++ ++ logger.debug("Processing " + attr + ":"); ++ StringTokenizer st = new StringTokenizer(ciphers, ", "); + while (st.hasMoreTokens()) { + String cipherstr = st.nextToken(); ++ logger.debug(" - " + cipherstr); ++ + int cipherid = 0; + String text; + boolean state; +@@ -456,9 +464,13 @@ public class JSSSocketFactory implements + debugWrite("no sslOptions specified"); + return; + } +- StringTokenizer st = new StringTokenizer(options, ","); ++ ++ logger.debug("Processing sslOptions:"); ++ StringTokenizer st = new StringTokenizer(options, ", "); + while (st.hasMoreTokens()) { + String option = st.nextToken(); ++ logger.debug(" - " + option); ++ + StringTokenizer st1 = new StringTokenizer(option, "="); + String name = st1.nextToken(); + String value = st1.nextToken(); +-- +1.8.3.1 + diff --git a/SOURCES/tomcatjss-missing-ciphers.patch b/SOURCES/tomcatjss-missing-ciphers.patch deleted file mode 100644 index 953b20c..0000000 --- a/SOURCES/tomcatjss-missing-ciphers.patch +++ /dev/null 
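Review bot: In the setSSLOptions hunk, the two unguarded `st1.nextToken()` calls right after the new `StringTokenizer(options, ", ")` now have a much easier failure path: an entry written as `ssl3 = false` tokenizes into `ssl3`, `=` and `false`, and the lone `=` token makes the second `nextToken()` throw an unchecked NoSuchElementException out of init, so spaces are only safe between entries, not around `=`. Since the method already declares `throws IOException`, a malformed entry should fail loudly as a configuration error rather than leave the JSS defaults for that option in place: `if (!st1.hasMoreTokens()) { throw new IOException("Malformed sslOptions entry: " + option); }` before reading the value, and the README should say that whitespace around `=` is not accepted (or the tokenizer should also be applied as `new StringTokenizer(option, "= ")`). The same `", "` change in setSSLCiphers is harmless because each token is a single name, but note that an unknown cipher name on the new side is handled in the part of the loop that lies outside this hunk, so whether a typo is rejected or silently ignored cannot be confirmed here.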
@@ -1,70 +0,0 @@ -diff -up src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ---- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu 2016-06-29 18:54:38.498127146 -0600 -+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java 2016-06-29 18:56:38.646778769 -0600 -@@ -96,8 +96,12 @@ public class JSSSocketFactory implements - SSLSocket.SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA); - cipherMap.put("SSL3_RSA_WITH_DES_CBC_SHA", - SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA); -+ - cipherMap.put("SSL3_RSA_WITH_3DES_EDE_CBC_SHA", - SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA); -+ // deprecated SSL3.0 names replaced by IANA-registered TLS names -+ cipherMap.put("TLS_RSA_WITH_3DES_EDE_CBC_SHA", -+ SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA); - - cipherMap.put("SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", - SSLSocket.SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA); -@@ -116,14 +120,23 @@ public class JSSSocketFactory implements - SSLSocket.SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA); - cipherMap.put("SSL3_DHE_DSS_WITH_DES_CBC_SHA", - SSLSocket.SSL3_DHE_DSS_WITH_DES_CBC_SHA); -+ - cipherMap.put("SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA); -+ // deprecated SSL3.0 names replaced by IANA-registered TLS names -+ cipherMap.put("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", -+ SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA); -+ - cipherMap.put("SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - SSLSocket.SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA); - cipherMap.put("SSL3_DHE_RSA_WITH_DES_CBC_SHA", - SSLSocket.SSL3_DHE_RSA_WITH_DES_CBC_SHA); -+ - cipherMap.put("SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA); -+ // deprecated SSL3.0 names replaced by IANA-registered TLS names -+ cipherMap.put("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", -+ SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA); - - cipherMap.put("SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5", - SSLSocket.SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5); -@@ 
-264,6 +277,12 @@ public class JSSSocketFactory implements - cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", - SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256); - -+ cipherMap.put("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", -+ SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); -+ cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", -+ SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); -+ cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", -+ SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA); - } - - private static HashMap eccCipherMap = new HashMap(); -@@ -308,6 +327,8 @@ public class JSSSocketFactory implements - "TLS_ECDH_RSA_WITH_NULL_SHA"); - eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA, - "TLS_ECDH_ECDSA_WITH_NULL_SHA"); -+ eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, -+ "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"); - } - - private AbstractEndpoint endpoint; -@@ -393,6 +414,7 @@ public class JSSSocketFactory implements - + ": 0x" + Integer.toHexString(cipherid) + "\n"); - SSLSocket.setCipherPreferenceDefault(cipherid, state); - } catch (Exception e) { -+ System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e); - if (eccCipherMap.containsKey(cipherid)) { - System.err - .println("Warning: SSL ECC cipher \"" diff --git a/SOURCES/tomcatjss-support-for-event-API.patch b/SOURCES/tomcatjss-support-for-event-API.patch new file mode 100644 index 0000000..f38a2f1 --- /dev/null +++ b/SOURCES/tomcatjss-support-for-event-API.patch 
@@ -0,0 +1,294 @@ +From c410c7a35b4aa78e7c35d11a72cc96ff932df982 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 3 Mar 2017 09:19:58 +0100 +Subject: [PATCH 1/2] Renamed getEndpointAttribute(). + +The getEndpointAttribute() in JSSSocketFactory has been renamed +to getProperty() for clarity. +--- + .../tomcat/util/net/jss/JSSSocketFactory.java | 44 +++++++++++----------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index ebf5505..bc096c1 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -377,7 +377,7 @@ public class JSSSocketFactory implements + } + + public void setSSLCiphers(String attr) throws SocketException, IOException { +- String ciphers = getEndpointAttribute(attr); ++ String ciphers = getProperty(attr); + if (StringUtils.isEmpty(ciphers)) { + debugWrite("JSSSocketFactory setSSLCiphers: " + attr + " not found"); + return; +@@ -451,7 +451,7 @@ public class JSSSocketFactory implements + * parameter is ignored. 
+ */ + public void setSSLOptions() throws SocketException, IOException { +- String options = getEndpointAttribute("sslOptions"); ++ String options = getProperty("sslOptions"); + if (StringUtils.isEmpty(options)) { + debugWrite("no sslOptions specified"); + return; +@@ -562,7 +562,7 @@ public class JSSSocketFactory implements + return -1; + } + +- String getEndpointAttribute(String tag) { ++ String getProperty(String tag) { + + // check /conf/server.xml + String value = (String)endpoint.getAttribute(tag); +@@ -575,8 +575,8 @@ public class JSSSocketFactory implements + return value; + } + +- String getEndpointAttribute(String tag, String defaultValue) { +- String value = getEndpointAttribute(tag); ++ String getProperty(String tag, String defaultValue) { ++ String value = getProperty(tag); + if (value == null) { + return defaultValue; + } +@@ -585,7 +585,7 @@ public class JSSSocketFactory implements + + void init() throws IOException { + // debug enabled? +- String deb = getEndpointAttribute("debug"); ++ String deb = getProperty("debug"); + if (StringUtils.equals(deb, "true")) { + debug = true; + debugFile = new FileWriter("/tmp/tomcatjss.log", true); +@@ -613,14 +613,14 @@ public class JSSSocketFactory implements + + // MUST look for "clientauth" (ALL lowercase) since "clientAuth" + // (camel case) has already been processed by Tomcat 7 +- String clientAuthStr = getEndpointAttribute("clientauth"); ++ String clientAuthStr = getProperty("clientauth"); + if (clientAuthStr == null) { + debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want."); + clientAuthStr = "want"; + } + File file = null; + try { +- mServerCertNickPath = getEndpointAttribute("serverCertNickFile"); ++ mServerCertNickPath = getProperty("serverCertNickFile"); + if (mServerCertNickPath == null) { + throw new IOException("serverCertNickFile not specified"); + } +@@ -656,7 +656,7 @@ public class JSSSocketFactory implements + "JSSSocketFactory: no serverCertNickFile defined"); + } + 
+- // serverCertNick = (String)getEndpointAttribute("serverCert"); ++ // serverCertNick = (String)getProperty("serverCert"); + if (clientAuthStr.equalsIgnoreCase("true") + || clientAuthStr.equalsIgnoreCase("yes")) { + requireClientAuth = true; +@@ -670,7 +670,7 @@ public class JSSSocketFactory implements + && ocspConfigured == false) { + debugWrite("JSSSocketFactory init - checking for OCSP settings. \n"); + boolean enableOCSP = false; +- String doOCSP = getEndpointAttribute("enableOCSP"); ++ String doOCSP = getProperty("enableOCSP"); + + debugWrite("JSSSocketFactory init - doOCSP flag:" + doOCSP + " \n"); + +@@ -682,10 +682,10 @@ public class JSSSocketFactory implements + + "\n"); + + if (enableOCSP == true) { +- String ocspResponderURL = getEndpointAttribute("ocspResponderURL"); ++ String ocspResponderURL = getProperty("ocspResponderURL"); + debugWrite("JSSSocketFactory init - ocspResponderURL " + + ocspResponderURL + "\n"); +- String ocspResponderCertNickname = getEndpointAttribute( ++ String ocspResponderCertNickname = getProperty( + "ocspResponderCertNickname"); + debugWrite("JSSSocketFactory init - ocspResponderCertNickname" + + ocspResponderCertNickname + "\n"); +@@ -700,9 +700,9 @@ public class JSSSocketFactory implements + int ocspMinCacheEntryDuration_i = 3600; + int ocspMaxCacheEntryDuration_i = 86400; + +- String ocspCacheSize = getEndpointAttribute("ocspCacheSize"); +- String ocspMinCacheEntryDuration = getEndpointAttribute("ocspMinCacheEntryDuration"); +- String ocspMaxCacheEntryDuration = getEndpointAttribute("ocspMaxCacheEntryDuration"); ++ String ocspCacheSize = getProperty("ocspCacheSize"); ++ String ocspMinCacheEntryDuration = getProperty("ocspMinCacheEntryDuration"); ++ String ocspMaxCacheEntryDuration = getProperty("ocspMaxCacheEntryDuration"); + + if (ocspCacheSize != null + || ocspMinCacheEntryDuration != null +@@ -729,7 +729,7 @@ public class JSSSocketFactory implements + } + + // defualt to 60 seconds; +- String ocspTimeout = 
getEndpointAttribute("ocspTimeout"); ++ String ocspTimeout = getProperty("ocspTimeout"); + if (ocspTimeout != null) { + debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout); + int ocspTimeout_i = Integer.parseInt(ocspTimeout); +@@ -760,7 +760,7 @@ public class JSSSocketFactory implements + // 12 hours = 43200 seconds + SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null); + +- String strictCiphersStr = getEndpointAttribute("strictCiphers"); ++ String strictCiphersStr = getProperty("strictCiphers"); + if (StringUtils.equalsIgnoreCase(strictCiphersStr, "true") + || StringUtils.equalsIgnoreCase(strictCiphersStr, "yes")) { + mStrictCiphers = true; +@@ -773,7 +773,7 @@ public class JSSSocketFactory implements + debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is false\n"); + } + +- String sslVersionRangeStream = getEndpointAttribute("sslVersionRangeStream"); ++ String sslVersionRangeStream = getProperty("sslVersionRangeStream"); + if ((sslVersionRangeStream != null) + && !sslVersionRangeStream.equals("")) { + debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type STREAM\n"); +@@ -783,7 +783,7 @@ public class JSSSocketFactory implements + debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type STREAM\n"); + } + +- String sslVersionRangeDatagram = getEndpointAttribute("sslVersionRangeDatagram"); ++ String sslVersionRangeDatagram = getProperty("sslVersionRangeDatagram"); + if ((sslVersionRangeDatagram != null) + && !sslVersionRangeDatagram.equals("")) { + debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type DATA_GRAM\n"); +@@ -854,11 +854,11 @@ public class JSSSocketFactory implements + + private void initializePasswordStore() throws InstantiationException, IllegalAccessException, + ClassNotFoundException, IOException { +- mPwdClass = getEndpointAttribute("passwordClass"); ++ mPwdClass = getProperty("passwordClass"); + if (mPwdClass == null) { + throw 
new IOException("Misconfiguration: passwordClass is not defined"); + } +- mPwdPath = getEndpointAttribute("passwordFile"); ++ mPwdPath = getProperty("passwordFile"); + + mPasswordStore = (IPasswordStore) Class.forName(mPwdClass).newInstance(); + debugWrite("JSSSocketFactory init - password reader initialized\n"); +@@ -869,7 +869,7 @@ public class JSSSocketFactory implements + + private CryptoManager getCryptoManager() throws KeyDatabaseException, CertDatabaseException, + GeneralSecurityException, NotInitializedException, IOException { +- String certDir = getEndpointAttribute("certdbDir"); ++ String certDir = getProperty("certdbDir"); + if (certDir == null) { + throw new IOException("Misconfiguration: certdir not defined"); + } +-- +1.8.3.1 + + +From 7612272aa337c413ac4b96cd13d5a1384b80b5aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 27 Jan 2017 04:31:41 +0100 +Subject: [PATCH 2/2] Added SSLSocketListener registry. + +A new TomcatJSS class has been added as a mechanism to register +SSLSocketListeners for all SSLSockets created by TomcatJSS. 
+ +https://pagure.io/tomcatjss/issue/4 +--- + .../tomcat/util/net/jss/JSSSocketFactory.java | 4 ++ + src/org/apache/tomcat/util/net/jss/TomcatJSS.java | 69 ++++++++++++++++++++++ + 2 files changed, 73 insertions(+) + create mode 100644 src/org/apache/tomcat/util/net/jss/TomcatJSS.java + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index bc096c1..4992600 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -934,6 +934,10 @@ public class JSSSocketFactory implements + SSLSocket asock = null; + try { + asock = (SSLSocket) socket.accept(); ++ ++ TomcatJSS tomcatjss = TomcatJSS.getInstance(); ++ asock.addSocketListener(tomcatjss); ++ + if (wantClientAuth || requireClientAuth) { + asock.requestClientAuth(true); + if (requireClientAuth == true) { +diff --git a/src/org/apache/tomcat/util/net/jss/TomcatJSS.java b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java +new file mode 100644 +index 0000000..9717921 +--- /dev/null ++++ b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java +@@ -0,0 +1,69 @@ ++/* BEGIN COPYRIGHT BLOCK ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. 
++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ * Copyright (C) 2017 Red Hat, Inc. ++ * All rights reserved. ++ * END COPYRIGHT BLOCK */ ++ ++package org.apache.tomcat.util.net.jss; ++ ++import java.util.ArrayList; ++import java.util.Collection; ++ ++import org.mozilla.jss.ssl.SSLAlertEvent; ++import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; ++import org.mozilla.jss.ssl.SSLSocketListener; ++ ++public class TomcatJSS implements SSLSocketListener { ++ ++ public final static TomcatJSS INSTANCE = new TomcatJSS(); ++ ++ public static TomcatJSS getInstance() { return INSTANCE; } ++ ++ Collection socketListeners = new ArrayList(); ++ ++ public void addSocketListener(SSLSocketListener listener) { ++ socketListeners.add(listener); ++ } ++ ++ public void removeSocketListener(SSLSocketListener listener) { ++ socketListeners.remove(listener); ++ } ++ ++ public Collection getSocketListeners() { ++ return socketListeners; ++ } ++ ++ @Override ++ public void alertReceived(SSLAlertEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.alertReceived(event); ++ } ++ } ++ ++ @Override ++ public void alertSent(SSLAlertEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.alertSent(event); ++ } ++ } ++ ++ @Override ++ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.handshakeCompleted(event); ++ } ++ } ++} +-- +1.8.3.1 + diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec index fb80df3..90c490d 100644 --- a/SPECS/tomcatjss.spec +++ b/SPECS/tomcatjss.spec 
@@ -1,7 +1,7 @@ Name: tomcatjss -Version: 7.1.2 -Release: 3%{?dist} -Summary: JSSE implementation using JSS for Tomcat +Version: 7.2.1 +Release: 6%{?dist} +Summary: JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS URL: http://pki.fedoraproject.org/ License: LGPLv2+ Group: System Environment/Libraries @@ -14,11 +14,16 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.ta # jpackage-utils requires versioning to meet both build and runtime requirements # jss requires versioning to meet both build and runtime requirements # tomcat requires versioning to meet both build and runtime requirements +Conflicts: pki-base < 10.4.0 BuildRequires: ant BuildRequires: apache-commons-lang BuildRequires: java-devel BuildRequires: jpackage-utils >= 0:1.7.5-15 -BuildRequires: jss >= 4.2.6-35 +%if 0%{?fedora} +BuildRequires: jss >= 4.4.2-2 +%else +BuildRequires: jss >= 4.4.0-7 +%endif %if 0%{?fedora} >= 23 BuildRequires: tomcat >= 8.0.18 %else @@ -32,16 +37,29 @@ Requires: java-headless Requires: java %endif Requires: jpackage-utils >= 0:1.7.5-15 -Requires: jss >= 4.2.6-35 +%if 0%{?fedora} +Requires: jss >= 4.4.2-2 +%else +Requires: jss >= 4.4.0-7 +%endif %if 0%{?fedora} >= 23 Requires: tomcat >= 8.0.18 %else Requires: tomcat >= 7.0.68 %endif -## tomcatjss-7.1.2-2 -Patch1: tomcatjss-Build-Tomcat-7.0.68.patch -Patch2: tomcatjss-missing-ciphers.patch +####################### +## tomcatjss-7.2.1-3 +####################### +Patch1: tomcatjss-support-for-event-API.patch +####################### +## tomcatjss-7.2.1-4 +####################### +Patch2: tomcatjss-Fixed-SSL-cipher-list-parser.patch +####################### +## tomcatjss-7.2.1-5 +####################### +Patch3: tomcatjss-Comply-with-ASF-trademark-rules.patch # The 'tomcatjss' package conflicts with the 'tomcat-native' package # because it uses an underlying NSS security model rather than the 
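Review bot: The Patch section drops `tomcatjss-missing-ciphers.patch` (previously Patch2, Bugzilla #1203407), which added the IANA-named `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_DHE_*_WITH_3DES_EDE_CBC_SHA` and `TLS_ECDH_RSA_WITH_AES_*` entries to `cipherMap`, but nothing in the hunk or the 7.2.1 changelog entries states that those mappings are present in the upstream 7.2.1 tarball. If they are not, existing server.xml `tlsCiphers` lists using those names would stop resolving after the rebase; please confirm against the 7.2.1 sources and either rebase the patch or record in the `7.2.1-1` changelog entry that the cipher-name additions were merged upstream, e.g. `- Dropped tomcatjss-missing-ciphers.patch (merged upstream in 7.2.x)`.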
@@ -55,8 +73,10 @@ Conflicts: tomcat-native %endif %description -A Java Secure Socket Extension (JSSE) implementation -using Java Security Services (JSS) for Tomcat 7. +JSS Connector for Apache Tomcat, installed via the tomcatjss package, +is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that +uses Java Security Services (JSS), a Java interface to Network Security +Services (NSS). NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package because it uses an underlying NSS security model rather than the @@ -65,8 +85,9 @@ NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package %prep %setup -q -%patch1 -p0 -%patch2 -p0 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 chmod -c -x LICENSE README %build 
@@ -97,22 +118,52 @@ rm -rf %{buildroot} %{_javadir}/* %changelog +* Mon Jun 12 2017 Matthew Harmsen 7.2.1-6 +- Bugzilla Bug #1460040 - Comply with ASF trademark rules (mharmsen) + +* Mon Jun 12 2017 Matthew Harmsen 7.2.1-5 +- Bugzilla Bug #1460037 - Comply with ASF trademark rules (mharmsen) + +* Mon Jun 5 2017 Endi Sukma Dewata 7.2.1-4 +- Bugzilla Bug #1457524 - Problem parsing formatted cipher list (edewata) + +* Mon Mar 27 2017 Matthew Harmsen - 7.2.1-3 +- Bugzilla Bug #1394416 - Rebase tomcatjss to 7.2.x in RHEL 7.4 (mharmsen) +- ## 'tomcatjss-support-for-event-API.patch' resolves the following issues + ## ported from upstream: +- tomcatjss Pagure Issue #4 - Support for Event API (edewata) + +* Tue Mar 21 2017 Matthew Harmsen - 7.2.1-2 +- Added Conflicts statement due to incompatibility with pki-base < 10.4.0 + +* Tue Mar 14 2017 Matthew Harmsen 7.2.1-1 +- Updated jss build and runtime dependencies +- Bumped version due to corrupted tarball + +* Mon Mar 13 2017 Matthew Harmsen 7.2.0-2 +- Changed build so that it did not package and depend upon the specfile being + included inside the tarball + +* Sun Mar 12 2017 Matthew Harmsen 7.2.0-1 +- tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+ (mharmsen) +- Bugzilla Bug #1394416 - Rebase tomcatjss to 7.2.0 in RHEL 7.4 (mharmsen) + * Wed Jun 29 2016 Christina Fu 7.1.2-3 - Bugzilla Bug #1203407 - missing ciphers (cfu) * Wed Mar 16 2016 Endi Sukma Dewata 7.1.2-2 - Bugzilla Bug #1344804 - Build failure on RHEL 7.3 (patch for Bugzilla Bug #1245786 - Build failure on F23 was backported to - RHEL 7 to coincide with Tomcat version change to 7.0.68+) + RHEL 7 to coincide with Apache Tomcat version change to 7.0.68+) * Wed Mar 4 2015 Endi Sukma Dewata 7.1.2-1 -- Bugzilla Bug #1198450 - Support for Tomcat 8 +- Bugzilla Bug #1198450 - Support for Apache Tomcat 8 - Bugzilla Bug #1214858 - Add nuxwdog support (alee) * Tue Sep 30 2014 Christina Fu 7.1.1-1 - Bugzilla Bug #1058366 NullPointerException in tomcatjss 
searching for attribute "clientauth" (cfu) -- Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and +- Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and TLS v1.2 (cfu) - Bumped revision to 7.1.1 @@ -140,8 +191,8 @@ rm -rf %{buildroot} - Bugzila Bug #819554 tomcatjss: Please migrate from tomcat6 to tomcat7 * Thu Aug 2 2012 Matthew Harmsen 7.0.0-3 -- PKI TRAC Ticket #283 - Dogtag 10: Integrate Tomcat 6 'tomcatjss.jar' and - Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package +- PKI TRAC Ticket #283 - Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar' + and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package * Thu Jul 26 2012 Matthew Harmsen 7.0.0-2 - Fixed runtime 'Requires' cut/paste typos