Author: mmillson Date: 2010-12-21 00:18:05 -0500 (Tue, 21 Dec 2010) New Revision: 1627 Modified: branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java Log: Fix ConcurrentModificationException in HandshakeCompletedNotify-Thread for [JBPAPP-5637]. Modified: branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-12-21 05:03:13 UTC (rev 1626) +++ branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-12-21 05:18:05 UTC (rev 1627) @@ -51,6 +51,7 @@ import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSessionContext; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; @@ -152,40 +153,24 @@ SSLSocket asock = null; try { asock = (SSLSocket)socket.accept(); - if (!allowUnsafeLegacyRenegotiation) { - asock.addHandshakeCompletedListener( - new DisableSslRenegotiation()); - } - configureClientAuth(asock); } catch (SSLException e){ throw new SocketException("SSL handshake error" + e.toString()); } return asock; } - private static class DisableSslRenegotiation - implements HandshakeCompletedListener { - private volatile boolean completed = false; + public void handshake(Socket sock) throws IOException { + // We do getSession instead of startHandshake() so we can call this multiple times + SSLSession session = ((SSLSocket)sock).getSession(); + if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL")) + throw new IOException("SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL"); - public void handshakeCompleted(HandshakeCompletedEvent event) { - if (completed) { - try { - log.warn("SSL renegotiation is disabled, closing connection"); - event.getSession().invalidate(); - event.getSocket().close(); - } catch (IOException e) { - // ignore - } - } - completed = true; + if (!allowUnsafeLegacyRenegotiation) { + // Prevent futher handshakes by removing all cipher suites + ((SSLSocket) sock).setEnabledCipherSuites(new String[0]); } } - - public void handshake(Socket sock) throws IOException { - ((SSLSocket)sock).startHandshake(); - } - /* * Determines the SSL cipher suites to be enabled. * Modified: branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java =================================================================== --- branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java 2010-12-21 05:03:13 UTC (rev 1626) +++ branches/JBOSSWEB_2_0_0_GA_CP14_JBPAPP-5637/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESupport.java 2010-12-21 05:18:05 UTC (rev 1627) @@ -148,6 +148,15 @@ ssl.setNeedClientAuth(true); } + if (ssl.getEnabledCipherSuites().length == 0) { + // Handshake is never going to be successful. + // Assume this is because handshakes are disabled + log.warn("SSL server initiated renegotiation is disabled, closing connection"); + session.invalidate(); + ssl.close(); + return; + } + InputStream in = ssl.getInputStream(); int oldTimeout = ssl.getSoTimeout(); ssl.setSoTimeout(1000); @@ -170,10 +179,7 @@ break; } } - // If legacy re-negotiation is disabled, socked could be closed here - if (!ssl.isClosed()) { - ssl.setSoTimeout(oldTimeout); - } + ssl.setSoTimeout(oldTimeout); if (listener.completed == false) { throw new SocketException("SSL Cert handshake timeout"); }