JBossWeb SVN: r1641 - in trunk: webapps/docs and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2011-02-01 11:43:12 -0500 (Tue, 01 Feb 2011)
New Revision: 1641
Modified:
trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
trunk/webapps/docs/changelog.xml
Log:
- Support new TLS renegotiation.
Modified: trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
--- trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2011-01-27 15:24:30 UTC (rev 1640)
+++ trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2011-02-01 16:43:12 UTC (rev 1641)
@@ -26,7 +26,9 @@
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
+import java.security.KeyManagementException;
import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CRL;
import java.security.cert.CRLException;
@@ -85,7 +87,7 @@
private static StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
-
+ private static final boolean RFC_5746_SUPPORTED;
// defaults
static String defaultProtocol = "TLS";
static boolean defaultClientAuth = false;
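Review bot: `RFC_5746_SUPPORTED` is added without any comment, and its name alone does not say what is being detected or where the value comes from, so a reader has to scroll down to the static initializer to find out. A one-line Javadoc on the field would make the intent self-contained: `/** True when the JSSE provider returned by SSLContext.getInstance("TLS") advertises TLS_EMPTY_RENEGOTIATION_INFO_SCSV, i.e. secure renegotiation (RFC 5746) is available; computed once in the static initializer. */`.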
@@ -99,6 +101,28 @@
static org.jboss.logging.Logger log =
org.jboss.logging.Logger.getLogger(JSSESocketFactory.class);
+ static {
+ boolean result = false;
+ SSLContext context;
+ try {
+ context = SSLContext.getInstance("TLS");
+ context.init(null, null, new SecureRandom());
+ SSLServerSocketFactory ssf = context.getServerSocketFactory();
+ String ciphers[] = ssf.getSupportedCipherSuites();
+ for (String cipher : ciphers) {
+ if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+ result = true;
+ break;
+ }
+ }
+ } catch (NoSuchAlgorithmException e) {
+ // Assume no RFC 5746 support
+ } catch (KeyManagementException e) {
+ // Assume no RFC 5746 support
+ }
+ RFC_5746_SUPPORTED = result;
+ }
+
protected boolean initialized;
protected String clientAuth = "false";
protected SSLServerSocketFactory sslProxy = null;
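Review bot: Both catch blocks in the static initializer swallow the failure silently, so when the probe throws an operator sees every connection lose its cipher suites after the handshake with no indication why; `log` is declared on the lines just above the block, so a `log.debug("RFC 5746 support detection failed, assuming unsupported", e);` in each catch (or a single `catch (GeneralSecurityException e)`, the common supertype of both) costs nothing. The probe also only reports whether the provider selected by `SSLContext.getInstance("TLS")` advertises the SCSV; if the factory is later configured with another protocol or provider, the cached JVM-wide flag may not describe the SSLContext actually in use, which deserves a comment if that is accepted. Minor style: `String ciphers[]` should be written `String[] ciphers`.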
@@ -166,8 +190,8 @@
if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL"))
throw new IOException("SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL");
- if (!allowUnsafeLegacyRenegotiation) {
- // Prevent futher handshakes by removing all cipher suites
+ if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
+ // Prevent further handshakes by removing all cipher suites
((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
}
}
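Review bot: Once `RFC_5746_SUPPORTED` is true the cipher-suite clearing is skipped for every connection, but the flag is a JVM capability check and says nothing about whether this particular client negotiated secure renegotiation; whether a legacy client can still renegotiate then rests entirely on the JSSE provider's own policy (in Oracle's JSSE the `sun.security.ssl.allowUnsafeRenegotiation` system property, which defaults to false, so an operator who flips it re-enables insecure renegotiation regardless of `allowUnsafeLegacyRenegotiation`). That is probably the best available trade-off, since JSSE does not appear to expose the negotiated extension per session, but the dependency should be stated next to the guard, e.g. `// With RFC 5746 available we rely on the provider to refuse insecure renegotiation from legacy clients; clearing the suites is only the fallback for providers without it.` and in the option's documentation. While here, the context line above still spells `Ciper suite` in the exception message. The enclosing method's signature and remainder lie outside this hunk.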
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2011-01-27 15:24:30 UTC (rev 1640)
+++ trunk/webapps/docs/changelog.xml 2011-02-01 16:43:12 UTC (rev 1641)
@@ -76,6 +76,9 @@
<fix>
<jira>186</jira>: Fix wait logic in pause() and add configuration. (jfclere)
</fix>
+ <fix>
+ Allow using the new TLS renegotiation (RFC 5746) if available. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">