Author: jfrederic.clere(a)jboss.com
Date: 2010-12-01 05:11:29 -0500 (Wed, 01 Dec 2010)
New Revision: 1596
Modified:
branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
branches/2.1.x/webapps/docs/changelog.xml
Log:
Port improvement where a listener is not used. Using a listener actually causes problems
(JBPAPP-5293)
Modified: branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-12-01
09:14:34 UTC (rev 1595)
+++ branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-12-01
10:11:29 UTC (rev 1596)
@@ -51,6 +51,7 @@
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
@@ -152,40 +153,24 @@
SSLSocket asock = null;
try {
asock = (SSLSocket)socket.accept();
- if (!allowUnsafeLegacyRenegotiation) {
- asock.addHandshakeCompletedListener(
- new DisableSslRenegotiation());
- }
- configureClientAuth(asock);
} catch (SSLException e){
throw new SocketException("SSL handshake error" + e.toString());
}
return asock;
}
- private static class DisableSslRenegotiation
- implements HandshakeCompletedListener {
- private volatile boolean completed = false;
+ public void handshake(Socket sock) throws IOException {
+ // We do getSession instead of startHandshake() so we can call this multiple
times
+ SSLSession session = ((SSLSocket)sock).getSession();
+ if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL"))
+ throw new IOException("SSL handshake failed. Ciper suite in SSL Session
is SSL_NULL_WITH_NULL_NULL");
- public void handshakeCompleted(HandshakeCompletedEvent event) {
- if (completed) {
- try {
- log.warn("SSL renegotiation is disabled, closing
connection");
- event.getSession().invalidate();
- event.getSocket().close();
- } catch (IOException e) {
- // ignore
- }
- }
- completed = true;
+ if (!allowUnsafeLegacyRenegotiation) {
+ // Prevent futher handshakes by removing all cipher suites
+ ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
}
}
-
- public void handshake(Socket sock) throws IOException {
- ((SSLSocket)sock).startHandshake();
- }
-
/*
* Determines the SSL cipher suites to be enabled.
*
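Review bot: `configureClientAuth(asock)` is dropped from the accept path (the removed line after `asock = (SSLSocket)socket.accept();`) and neither the new `handshake(Socket)` nor anything else in this hunk reapplies it, so unless client authentication is configured on the server socket elsewhere in the file, the client-certificate requirement silently stops being applied to accepted sockets — a regression that fails open and should be confirmed before merging. In `handshake`, the `SSL_NULL_WITH_NULL_NULL` check throws from an unbraced `if`; brace it, and the message `"Ciper suite"` should read `"Cipher suite"`. Clearing the enabled cipher suites after the first handshake is a blunt but effective way to refuse renegotiation, and the method deserves a Javadoc saying so, e.g. `/** Completes or verifies the TLS handshake via getSession(); unless allowUnsafeLegacyRenegotiation is set, then removes every enabled cipher suite so any later renegotiation attempt must fail. */`. `acceptSocket`'s signature lies before this hunk and the comment block at its end continues past it.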
Modified: branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESupport.java 2010-12-01
09:14:34 UTC (rev 1595)
+++ branches/2.1.x/java/org/apache/tomcat/util/net/jsse/JSSESupport.java 2010-12-01
10:11:29 UTC (rev 1596)
@@ -148,6 +148,15 @@
ssl.setNeedClientAuth(true);
}
+ if (ssl.getEnabledCipherSuites().length == 0) {
+ // Handshake is never going to be successful.
+ // Assume this is because handshakes are disabled
+ log.warn("SSL server initiated renegotiation is disabled, closing
connection");
+ session.invalidate();
+ ssl.close();
+ return;
+ }
+
InputStream in = ssl.getInputStream();
int oldTimeout = ssl.getSoTimeout();
ssl.setSoTimeout(1000);
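Review bot: The new early-return path invalidates the session and closes the socket but returns normally, so a caller cannot distinguish a refused renegotiation from a completed handshake and will presumably go on to read peer certificates from the now-invalid session; the timeout path below fails with `SocketException("SSL Cert handshake timeout")`, and this path should fail the same way, e.g. replace `return;` with `throw new SocketException("SSL renegotiation is disabled, cannot request client certificate");` after the close. The decision is keyed solely on an empty enabled-cipher-suite list, which is the convention the socket factory's `handshake()` establishes; a comment naming that coupling would help, e.g. `// An empty suite list means JSSESocketFactory.handshake() forbade renegotiation`. The enclosing method begins before this hunk.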
@@ -170,10 +179,7 @@
break;
}
}
- // If legacy re-negotiation is disabled, socked could be closed here
- if (!ssl.isClosed()) {
- ssl.setSoTimeout(oldTimeout);
- }
+ ssl.setSoTimeout(oldTimeout);
if (listener.completed == false) {
throw new SocketException("SSL Cert handshake timeout");
}
Modified: branches/2.1.x/webapps/docs/changelog.xml
===================================================================
--- branches/2.1.x/webapps/docs/changelog.xml 2010-12-01 09:14:34 UTC (rev 1595)
+++ branches/2.1.x/webapps/docs/changelog.xml 2010-12-01 10:11:29 UTC (rev 1596)
@@ -15,6 +15,15 @@
</properties>
<body>
+<section name="JBoss Web 2.1.11.GA (remm)">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <jboss-jira>JBPAPP-5293</jboss-jira>: ConcurrentModificationException
in HandshakeCompletedNotify-Thread. (remm)
+ </fix>
+ </changelog>
+ </subsection>
+</section>
<section name="JBoss Web 2.1.10.GA (remm)">
<subsection name="Coyote">