Author: jfrederic.clere(a)jboss.com
Date: 2010-02-10 04:38:30 -0500 (Wed, 10 Feb 2010)
New Revision: 1382
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java
Log:
Port r1270.
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-02-08
14:10:38 UTC (rev 1381)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-02-10
09:38:30 UTC (rev 1382)
@@ -42,6 +42,8 @@
import java.util.Vector;
import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.ManagerFactoryParameters;
@@ -95,6 +97,7 @@
protected String clientAuth = "false";
protected SSLServerSocketFactory sslProxy = null;
protected String[] enabledCiphers;
+ protected boolean allowUnsafeLegacyRenegotiation = false;
/**
* Flag to state that we require client authentication.
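Review bot: The new `allowUnsafeLegacyRenegotiation` field on line 30 has no Javadoc, while the neighbouring `requireClientAuth` flag is documented, and nothing in this hunk shows where the field is set, so a reader cannot tell from here that the secure value is the default. Suggest placing above it `/** When false (the default), a second TLS handshake on an accepted socket is treated as unsafe legacy renegotiation and the connection is closed; set to true only to accept such renegotiations. */`. If the value is meant to come from a connector attribute, that wiring is outside this hunk and worth a pointer in the comment.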
@@ -145,13 +148,36 @@
SSLSocket asock = null;
try {
asock = (SSLSocket)socket.accept();
+ if (!allowUnsafeLegacyRenegotiation) {
+ asock.addHandshakeCompletedListener(
+ new DisableSslRenegotiation());
+ }
configureClientAuth(asock);
} catch (SSLException e){
throw new SocketException("SSL handshake error" + e.toString());
}
return asock;
}
+
+ private static class DisableSslRenegotiation
+ implements HandshakeCompletedListener {
+ private volatile boolean completed = false;
+ public void handshakeCompleted(HandshakeCompletedEvent event) {
+ if (completed) {
+ try {
+ log.warn("SSL renegotiation is disabled, closing
connection");
+ event.getSession().invalidate();
+ event.getSocket().close();
+ } catch (IOException e) {
+ // ignore
+ }
+ }
+ completed = true;
+ }
+ }
+
+
public void handshake(Socket sock) throws IOException {
((SSLSocket)sock).startHandshake();
}
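Review bot: The guard in `DisableSslRenegotiation.handshakeCompleted` (lines 52 and 62) is a check-then-set on a `volatile` flag, so two handshake-completed notifications arriving close together could both read `completed == false` and neither would close the socket; if the JSSE implementation delivers these callbacks on separate threads, which the `volatile` qualifier suggests the author expected, an `AtomicBoolean` with `getAndSet(true)` makes the test-and-set atomic (this needs an import of `java.util.concurrent.atomic.AtomicBoolean` in the import hunk above). The listener also fires only after the second handshake has already completed, so closing the socket here is a best-effort mitigation rather than a refusal to renegotiate; the class should carry a Javadoc saying so, e.g. a comment describing it as closing the socket on any handshake after the first because the listener cannot veto the handshake itself. The `catch (IOException e) { // ignore }` on lines 58-60 hides a failed close; logging it at debug level keeps the best-effort behaviour without losing the evidence. The rewritten listener follows.
```java
private static class DisableSslRenegotiation
        implements HandshakeCompletedListener {
    private final AtomicBoolean completed = new AtomicBoolean(false);
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        // getAndSet makes "first handshake seen?" atomic across callback threads
        if (completed.getAndSet(true)) {
            try {
                log.warn("SSL renegotiation is disabled, closing connection");
                event.getSession().invalidate();
                event.getSocket().close();
            } catch (IOException e) {
                log.debug("Error closing socket after rejected renegotiation", e);
            }
        }
    }
}
```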
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java 2010-02-08
14:10:38 UTC (rev 1381)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java 2010-02-10
09:38:30 UTC (rev 1382)
@@ -170,7 +170,10 @@
break;
}
}
- ssl.setSoTimeout(oldTimeout);
+ // If legacy re-negotiation is disabled, socked could be closed here
+ if (!ssl.isClosed()) {
+ ssl.setSoTimeout(oldTimeout);
+ }
if (listener.completed == false) {
throw new SocketException("SSL Cert handshake timeout");
}
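Review bot: The `ssl.isClosed()` test on line 85 and the `setSoTimeout` call on line 86 are not atomic: the comment on line 84 says the socket may be closed by the renegotiation guard, which runs on another thread, so the socket can still be closed between the check and the call and `setSoTimeout` will then throw `SocketException` from a path that was meant to be tolerant of that close. Wrapping the call instead, `try { ssl.setSoTimeout(oldTimeout); } catch (SocketException e) { /* closed by the renegotiation guard */ }`, removes the window without changing the normal path. The comment on line 84 also has a typo, `socked` for `socket`. The check on line 88 then reports `SSL Cert handshake timeout` for a socket closed because of a rejected renegotiation, which is presumably misleading for the operator; the enclosing method starts and ends outside the hunk, so where `listener.completed` is set could not be checked here.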