Author: dehort
Date: 2012-02-24 15:31:30 -0500 (Fri, 24 Feb 2012)
New Revision: 1985
Modified:
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java
Log:
Applying patch for ConcurrentModificationException in HandshakeCompletedNotify-Thead
issue
[JBPAPP-8232]
Modified:
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2012-02-24
20:19:02 UTC (rev 1984)
+++
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2012-02-24
20:31:30 UTC (rev 1985)
@@ -51,6 +51,7 @@
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -148,40 +149,24 @@
SSLSocket asock = null;
try {
asock = (SSLSocket)socket.accept();
- if (!allowUnsafeLegacyRenegotiation) {
- asock.addHandshakeCompletedListener(
- new DisableSslRenegotiation());
- }
- configureClientAuth(asock);
} catch (SSLException e){
throw new SocketException("SSL handshake error" + e.toString());
}
return asock;
}
- private static class DisableSslRenegotiation
- implements HandshakeCompletedListener {
- private volatile boolean completed = false;
+ public void handshake(Socket sock) throws IOException {
+ // We do getSession instead of startHandshake() so we can call this multiple
times
+ SSLSession session = ((SSLSocket)sock).getSession();
+ if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL"))
+ throw new IOException("SSL handshake failed. Ciper suite in SSL Session
is SSL_NULL_WITH_NULL_NULL");
- public void handshakeCompleted(HandshakeCompletedEvent event) {
- if (completed) {
- try {
- log.warn("SSL renegotiation is disabled, closing
connection");
- event.getSession().invalidate();
- event.getSocket().close();
- } catch (IOException e) {
- // ignore
- }
- }
- completed = true;
+ if (!allowUnsafeLegacyRenegotiation) {
+ // Prevent futher handshakes by removing all cipher suites
+ ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
}
}
-
- public void handshake(Socket sock) throws IOException {
- ((SSLSocket)sock).startHandshake();
- }
-
/*
* Determines the SSL cipher suites to be enabled.
*
Modified:
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java 2012-02-24
20:19:02 UTC (rev 1984)
+++
branches/JBOSSWEB_2_0_0_GA_CP13_JBPAPP-8232/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java 2012-02-24
20:31:30 UTC (rev 1985)
@@ -148,6 +148,15 @@
ssl.setNeedClientAuth(true);
}
+ if (ssl.getEnabledCipherSuites().length == 0) {
+ // Handshake is never going to be successful.
+ // Assume this is because handshakes are disabled
+ log.warn("SSL server initiated renegotiation is disabled, closing
connection");
+ session.invalidate();
+ ssl.close();
+ return;
+ }
+
InputStream in = ssl.getInputStream();
int oldTimeout = ssl.getSoTimeout();
ssl.setSoTimeout(1000);
@@ -170,10 +179,7 @@
break;
}
}
- // If legacy re-negotiation is disabled, socked could be closed here
- if (!ssl.isClosed()) {
- ssl.setSoTimeout(oldTimeout);
- }
+ ssl.setSoTimeout(oldTimeout);
if (listener.completed == false) {
throw new SocketException("SSL Cert handshake timeout");
}
Show replies by date