diff --git a/SOURCES/tomcatjss-TLSv1.1-1.2-support.patch b/SOURCES/tomcatjss-TLSv1.1-1.2-support.patch new file mode 100644 index 0000000..0145c15 --- /dev/null +++ b/SOURCES/tomcatjss-TLSv1.1-1.2-support.patch 
@@ -0,0 +1,178 @@ +Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +=================================================================== +--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 278) ++++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (working copy) +@@ -138,6 +138,23 @@ + cipherMap.put("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", SSLSocket.TLS_ECDH_anon_WITH_AES_128_CBC_SHA); + cipherMap.put("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", SSLSocket.TLS_ECDH_anon_WITH_AES_256_CBC_SHA); + ++ //TLSv1_2 ++ cipherMap.put("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256); ++ cipherMap.put("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256); ++ cipherMap.put("TLS_RSA_WITH_NULL_SHA256", SSLSocket.TLS_RSA_WITH_NULL_SHA256); ++ cipherMap.put("TLS_RSA_WITH_AES_128_CBC_SHA256", SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256); ++ cipherMap.put("TLS_RSA_WITH_AES_256_CBC_SHA256", SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256); ++ cipherMap.put("TLS_RSA_WITH_SEED_CBC_SHA", SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA); ++ cipherMap.put("TLS_RSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256); ++ cipherMap.put("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256); ++ cipherMap.put("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256); ++ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); ++ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); ++ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); ++ cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256); ++ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); ++ 
cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256); ++ + } + + private static HashMap eccCipherMap = new HashMap(); +@@ -197,9 +214,13 @@ + } + } + +- public void setSSLCiphers(String attr) throws SocketException ++ public void setSSLCiphers(String attr) throws SocketException, IOException + { + String ciphers = (String)endpoint.getAttribute(attr); ++ if (ciphers == null || ciphers.equals("")) { ++ debugWrite("JSSSocketFactory setSSLCiphers: "+ attr +" not found"); ++ return; ++ } + StringTokenizer st = new StringTokenizer(ciphers, ","); + while (st.hasMoreTokens()) { + String cipherstr = st.nextToken(); +@@ -257,7 +278,14 @@ + } + } + +- public void setSSLOptions() throws SocketException ++ /* ++ * note: the SSL_OptionSet-based API for controlling the enabled ++ * protocol versions are obsolete and replaced by the ++ * setSSLVersionRange calls. If the "range" parameters are ++ * present in the attributes then the sslOptions parameter is ++ * ignored. ++ */ ++ public void setSSLOptions() throws SocketException, IOException + { + String options = (String)endpoint.getAttribute("sslOptions"); + StringTokenizer st = new StringTokenizer(options, ","); +@@ -308,6 +336,61 @@ + } + } + ++ ++ /* ++ * setSSLVersionRangeDefault sets the range of allowed ssl versions. 
++ * This replaces the obsolete SSL_Option* API ++ * ++ * @param protoVariant indicates whether this setting is for ++ type "stream" or "datagram" ++ * @param sslVersionRange_s takes on the form of "min:max" where ++ * min/max values can be "ssl3, tls1_0, tls1_1, or tls1_2" ++ * ssl2 is not supported for tomcatjss via this interface ++ * The format is "sslVersionRange=min:max" ++ */ ++ public void setSSLVersionRangeDefault( ++ org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant protoVariant, ++ String sslVersionRange_s) ++ throws SocketException, IllegalArgumentException, IOException { ++ ++ // process sslVersionRange_s ++ String[] sslVersionRange = sslVersionRange_s.split(":"); ++ if (sslVersionRange.length != 2) { ++ debugWrite("JSSSocketFactory setSSLversionRangeDefault- SSL Version Range format error: " + sslVersionRange_s +"\n"); ++ throw new SocketException("tomcatjss: setSSLversionRangeDefault format error"); ++ } ++ String min_s = sslVersionRange[0]; ++ String max_s = sslVersionRange[1]; ++ int min = getSSLVersionRangeEnum(min_s); ++ int max = getSSLVersionRangeEnum(max_s); ++ if ((min == -1) || (max== -1)) { ++ debugWrite("JSSSocketFactory setSSLversionRangeDefault- SSL Version Range format error: " + sslVersionRange_s +"\n"); ++ throw new SocketException("tomcatjss: setSSLversionRangeDefault format error"); ++ } ++ ++ debugWrite("JSSSocketFactory setSSLversionRangeDefault- SSL Version Range set to min=" + min + " max = " + max +"\n"); ++ org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range = ++ new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(min, max); ++ ++ SSLSocket.setSSLVersionRangeDefault(protoVariant, range); ++ debugWrite("JSSSocketFactory setSSLversionRangeDefault- variant set\n"); ++ } ++ ++ int getSSLVersionRangeEnum (String rangeString) { ++ if (rangeString == null) ++ return -1; ++ if (rangeString.equals("ssl3")) ++ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.ssl3; ++ else if (rangeString.equals("tls1_0")) ++ return 
org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0; ++ else if (rangeString.equals("tls1_1")) ++ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1; ++ else if (rangeString.equals("tls1_2")) ++ return org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2; ++ ++ return -1; ++ } ++ + void init() throws IOException { + try { + String deb = (String)endpoint.getAttribute("debug"); +@@ -543,14 +626,52 @@ + } + if (mStrictCiphers == true) { + // what ciphers do we have to start with? turn them all off +- debugWrite("SSSocketFactory init - before setSSLOptions, strictCiphers is true\n"); ++ debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is true\n"); + unsetSSLCiphers(); + } else { +- debugWrite("SSSocketFactory init - before setSSLOptions, strictCiphers is false\n"); ++ debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is false\n"); + } + +- setSSLOptions(); +- debugWrite("SSSocketFactory init - after setSSLOptions\n"); ++ String sslVersionRangeStream = (String)endpoint.getAttribute("sslVersionRangeStream"); ++ if ((sslVersionRangeStream != null) && !sslVersionRangeStream.equals("")) { ++ debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type STREAM\n"); ++ setSSLVersionRangeDefault(org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM, sslVersionRangeStream); ++ debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type STREAM\n"); ++ } ++ ++ String sslVersionRangeDatagram = (String)endpoint.getAttribute("sslVersionRangeDatagram"); ++ if ((sslVersionRangeDatagram != null) && !sslVersionRangeDatagram.equals("")) { ++ debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type DATA_GRAM\n"); ++ setSSLVersionRangeDefault(org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM, sslVersionRangeDatagram); ++ debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type DATA_GRAM\n"); ++ } ++ ++ /* ++ * According to NSS: ++ * the 
SSL_OptionSet-based API for controlling the enabled ++ * protocol versions are obsolete and replaced by the ++ * setSSLVersionRange calls. ++ * Therefore, if the "range" parameters are ++ * present in the attributes then the sslOptions parameter is ++ * ignored. ++ * Using the new version range API in conjunction with the older ++ * SSL_OptionSet-based API for controlling the enabled protocol ++ * versions may cause unexpected results ++ */ ++ if (((sslVersionRangeStream != null) ++ && !sslVersionRangeStream.equals("")) ++ || ((sslVersionRangeDatagram != null) ++ && !sslVersionRangeDatagram.equals(""))) { ++ /* deliberately lose the ssl2 here */ ++ debugWrite("SSSocketFactory init - calling setSSLCiphers() honoring only sslRangeCiphers\n"); ++ setSSLCiphers("sslRangeCiphers"); ++ debugWrite("SSSocketFactory init - after setSSLCiphers() honoring only sslRangeCiphers\n"); ++ } else { ++ debugWrite("SSSocketFactory init - calling setSSLOptions()\n"); ++ setSSLOptions(); ++ debugWrite("SSSocketFactory init - after setSSLOptions()\n"); ++ } ++ + } catch (Exception ex) { + debugWrite("JSSSocketFactory init - exception thrown:"+ + ex.toString()+"\n"); diff --git a/SOURCES/tomcatjss-clientauth-NullPtrException.patch b/SOURCES/tomcatjss-clientauth-NullPtrException.patch new file mode 100644 index 0000000..9657a5c --- /dev/null +++ b/SOURCES/tomcatjss-clientauth-NullPtrException.patch 
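Review bot: The new range branch in init() calls `setSSLCiphers("sslRangeCiphers")` after `unsetSSLCiphers()` has run under strictCiphers, and the early return added to setSSLCiphers turns a missing or empty sslRangeCiphers attribute into a silent no-op, so that configuration ends with no enabled cipher suites and only a debugWrite line to explain it. A hard failure would be safer than a debug message; in init(), before the call, `String rangeCiphers = (String)endpoint.getAttribute("sslRangeCiphers"); if (rangeCiphers == null || rangeCiphers.equals("")) throw new SocketException("tomcatjss: sslRangeCiphers required when an sslVersionRange is set");` (whether other callers depend on the no-op is not visible here). On the fallback path, setSSLOptions() still hands a possibly-null sslOptions attribute to StringTokenizer without the guard that setSSLCiphers now has. Among the new cipherMap entries, `TLS_RSA_WITH_NULL_SHA256` is a NULL-encryption suite; a comment such as `// NULL cipher: integrity only, no confidentiality` beside it would make that visible to anyone composing sslRangeCiphers. The patched init() body starts and ends outside the hunk, and the repeated `org.mozilla.jss.ssl.SSLSocket.SSLVersionRange` qualifiers in setSSLVersionRangeDefault and getSSLVersionRangeEnum could use the `SSLSocket` simple name that the cipherMap lines already rely on.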
@@ -0,0 +1,15 @@ +Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +=================================================================== +--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 278) ++++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (working copy) +@@ -405,6 +405,10 @@ + // MUST look for "clientauth" (ALL lowercase) since "clientAuth" + // (camel case) has already been processed by Tomcat 7 + String clientAuthStr = (String)endpoint.getAttribute("clientauth"); ++ if (clientAuthStr == null) { ++ debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want."); ++ clientAuthStr = "want"; ++ } + File file = null; + try { + mServerCertNickPath = (String)endpoint.getAttribute("serverCertNickFile"); diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec index 6db8b97..1f14c50 100644 --- a/SPECS/tomcatjss.spec +++ b/SPECS/tomcatjss.spec @@ -1,6 +1,6 @@ Name: tomcatjss Version: 7.1.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: JSSE implementation using JSS for Tomcat URL: http://pki.fedoraproject.org/ License: LGPLv2+ @@ -17,14 +17,17 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.ta BuildRequires: ant BuildRequires: java-devel BuildRequires: jpackage-utils >= 0:1.7.5-15 -BuildRequires: jss >= 4.2.6-24 +BuildRequires: jss >= 4.2.6-35 BuildRequires: tomcat >= 7.0.40 Requires: java Requires: jpackage-utils >= 0:1.7.5-15 -Requires: jss >= 4.2.6-24 +Requires: jss >= 4.2.6-35 Requires: tomcat >= 7.0.40 +Patch1: tomcatjss-clientauth-NullPtrException.patch +Patch2: tomcatjss-TLSv1.1-1.2-support.patch + # The 'tomcatjss' package conflicts with the 'tomcat-native' package # because it uses an underlying NSS security model rather than the # OpenSSL security model, so these two packages may not co-exist. 
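Review bot: The debug message on the added lines lacks the trailing `\n` that the other debugWrite calls in this file end with, so it will be glued to the next line of debug output; `debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want.\n");`. The fallback also hard-codes `"want"` with no comment on what an absent attribute now selects; if `want` means request-but-not-require a client certificate (the comparison is outside the hunk), that is a security-relevant default worth stating next to the assignment, e.g. `// "clientauth" absent: fall back to "want" rather than failing the init`. The enclosing init() body begins and ends outside the hunk.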
@@ -45,8 +48,9 @@ NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package OpenSSL security model, so these two packages may not co-exist. %prep - %setup -q +%patch1 -p0 +%patch2 -p0 %build @@ -76,6 +80,12 @@ rm -rf %{buildroot} %{_javadir}/* %changelog +* Mon Sep 29 2014 Christina Fu - 7.1.0-5 +- Bugzilla Bug #1058366 NullPointerException in tomcatjss searching + for attribute "clientauth" (cfu) +- Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and + TLS v1.2 (cfu) + * Fri Dec 27 2013 Daniel Mach - 7.1.0-4 - Mass rebuild 2013-12-27