Author: remy.maucherat(a)jboss.com Date: 2009-10-31 19:31:38 -0400 (Sat, 31 Oct 2009) New Revision: 1234 Modified: trunk/java/org/apache/catalina/core/AprLifecycleListener.java trunk/java/org/apache/coyote/http11/Http11AprProcessor.java trunk/java/org/apache/tomcat/jni/SSLSocket.java trunk/webapps/docs/changelog.xml Log: - Port SSL patch that had been forgotten. Modified: trunk/java/org/apache/catalina/core/AprLifecycleListener.java =================================================================== --- trunk/java/org/apache/catalina/core/AprLifecycleListener.java 2009-10-31 18:31:47 UTC (rev 1233) +++ trunk/java/org/apache/catalina/core/AprLifecycleListener.java 2009-10-31 23:31:38 UTC (rev 1234) @@ -27,7 +27,6 @@ import org.apache.catalina.util.StringManager; import org.apache.tomcat.jni.Library; import org.jboss.logging.Logger; -import org.jboss.logging.Logger; @@ -59,7 +58,7 @@ protected static final int TCN_REQUIRED_MAJOR = 1; protected static final int TCN_REQUIRED_MINOR = 1; protected static final int TCN_REQUIRED_PATCH = 8; - protected static final int TCN_RECOMMENDED_PV = 12; + protected static final int TCN_RECOMMENDED_PV = 17; // ---------------------------------------------- Properties Modified: trunk/java/org/apache/coyote/http11/Http11AprProcessor.java =================================================================== --- trunk/java/org/apache/coyote/http11/Http11AprProcessor.java 2009-10-31 18:31:47 UTC (rev 1233) +++ trunk/java/org/apache/coyote/http11/Http11AprProcessor.java 2009-10-31 23:31:38 UTC (rev 1234) @@ -1162,10 +1162,11 @@ request.setAttribute(AprEndpoint.CIPHER_SUITE_KEY, sslO); } // Get client certificate and the certificate chain if present + // certLength == -1 indicates an error int certLength = SSLSocket.getInfoI(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN); byte[] clientCert = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT); X509Certificate[] certs = null; - if (clientCert != null) { + if (clientCert != null && certLength > -1) { certs = new X509Certificate[certLength + 1]; CertificateFactory cf = CertificateFactory.getInstance("X.509"); certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert)); @@ -1201,24 +1202,30 @@ inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]); } try { + // Configure connection to require a certificate + SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, + endpoint.getSSLVerifyDepth()); // Renegociate certificates - SSLSocket.renegotiate(socket); - // Get client certificate and the certificate chain if present - int certLength = SSLSocket.getInfoI(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN); - byte[] clientCert = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT); - X509Certificate[] certs = null; - if (clientCert != null) { - certs = new X509Certificate[certLength + 1]; - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert)); - for (int i = 0; i < certLength; i++) { - byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i); - certs[i+1] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data)); + if (SSLSocket.renegotiate(socket) == 0) { + // Don't look for certs unless we know renegotiation worked. + // Get client certificate and the certificate chain if present + // certLength == -1 indicates an error + int certLength = SSLSocket.getInfoI(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN); + byte[] clientCert = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT); + X509Certificate[] certs = null; + if (clientCert != null && certLength > -1) { + certs = new X509Certificate[certLength + 1]; + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert)); + for (int i = 0; i < certLength; i++) { + byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i); + certs[i+1] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data)); + } } - } - if (certs != null) { - request.setAttribute(AprEndpoint.CERTIFICATE_KEY, certs); - } + if (certs != null) { + request.setAttribute(AprEndpoint.CERTIFICATE_KEY, certs); + } + } } catch (Exception e) { log.warn(sm.getString("http11processor.socket.ssl"), e); } Modified: trunk/java/org/apache/tomcat/jni/SSLSocket.java =================================================================== --- trunk/java/org/apache/tomcat/jni/SSLSocket.java 2009-10-31 18:31:47 UTC (rev 1233) +++ trunk/java/org/apache/tomcat/jni/SSLSocket.java 2009-10-31 23:31:38 UTC (rev 1234) @@ -48,7 +48,7 @@ * response is sent. In more detail: the renegotiation happens after the * request line and MIME headers were read, but _before_ the attached * request body is read. The reason simply is that in the HTTP protocol - * usually there is no acknowledgment step between the headers and the + * usually there is no acknowledgement step between the headers and the * body (there is the 100-continue feature and the chunking facility * only), so Apache has no API hook for this step. * @@ -57,7 +57,30 @@ public static native int renegotiate(long thesocket); /** - * Retrun SSL Info parameter as byte array. + * Set Type of Client Certificate verification and Maximum depth of CA + * Certificates in Client Certificate verification. + * <br /> + * This is used to change the verification level for a connection prior to + * starting a re-negotiation. + * <br /> + * The following levels are available for level: + * <PRE> + * SSL_CVERIFY_NONE - No client Certificate is required at all + * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate + * SSL_CVERIFY_REQUIRE - The client has to present a valid + * Certificate + * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate + * but it need not to be (successfully) + * verifiable + * </PRE> + * <br /> + * @param sock The socket to change. + * @param level Type of Client Certificate verification. + */ + public static native void setVerify(long sock, int level, int depth); + + /** + * Return SSL Info parameter as byte array. * * @param sock The socket to read the data from. * @param id Parameter id. @@ -67,7 +90,7 @@ throws Exception; /** - * Retrun SSL Info parameter as String. + * Return SSL Info parameter as String. * * @param sock The socket to read the data from. * @param id Parameter id. @@ -77,7 +100,7 @@ throws Exception; /** - * Retrun SSL Info parameter as integer. + * Return SSL Info parameter as integer. * * @param sock The socket to read the data from. * @param id Parameter id. Modified: trunk/webapps/docs/changelog.xml =================================================================== --- trunk/webapps/docs/changelog.xml 2009-10-31 18:31:47 UTC (rev 1233) +++ trunk/webapps/docs/changelog.xml 2009-10-31 23:31:38 UTC (rev 1234) @@ -158,6 +158,9 @@ <fix> Cookie separators and quoting compliance fixes. (markt, kkolinko) </fix> + <fix> + <bug>46950</bug>: Fix SSL renegociation problems. (jfclere) + </fix> </changelog> </subsection> <subsection name="Jasper">