Author: remy.maucherat(a)jboss.com
Date: 2008-08-25 07:03:17 -0400 (Mon, 25 Aug 2008)
New Revision: 748
Modified:
trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
trunk/webapps/docs/changelog.xml
Log:
- Add config check for java.io SSL.
Modified: trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
--- trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2008-08-25 11:02:39
UTC (rev 747)
+++ trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2008-08-25 11:03:17
UTC (rev 748)
@@ -421,6 +421,9 @@
enabledCiphers = getEnabledCiphers(requestedCiphers,
sslProxy.getSupportedCipherSuites());
+ // Check the SSL config is OK
+ checkConfig();
+
} catch(Exception e) {
if( e instanceof IOException )
throw (IOException)e;
@@ -695,4 +698,47 @@
configureClientAuth(socket);
}
+ /**
+ * Checks that the certificate is compatible with the enabled cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+ * See bug 45528.
+ */
+ private void checkConfig() throws IOException {
+ // Create an unbound server socket
+ ServerSocket socket = sslProxy.createServerSocket();
+ initServerSocket(socket);
+
+ try {
+ // Set the timeout to 1ms as all we care about is if it throws an
+ // SSLException on accept.
+ socket.setSoTimeout(1);
+
+ socket.accept();
+ // Will never get here - no client can connect to an unbound port
+ } catch (SSLException ssle) {
+ // SSL configuration is invalid. Possibly cert doesn't match ciphers
+ IOException ioe = new IOException(sm.getString(
+ "jsse.invalid_ssl_conf", ssle.getMessage()));
+ ioe.initCause(ssle);
+ throw ioe;
+ } catch (Exception e) {
+ /*
+ * Possible ways of getting here
+ * socket.accept() throws a SecurityException
+ * socket.setSoTimeout() throws a SocketException
+ * socket.accept() throws some other exception (after a JDK change)
+ * In these cases the test won't work so carry on - essentially
+ * the behaviour before this patch
+ * socket.accept() throws a SocketTimeoutException
+ * In this case all is well so carry on
+ */
+ } finally {
+ // Should be open here but just in case
+ if (!socket.isClosed()) {
+ socket.close();
+ }
+ }
+
+ }
+
}
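Review bot: `initServerSocket(socket)` on the line after `createServerSocket()` runs outside the try/finally, so if it throws the probe socket is never closed; moving that call to the first statement inside the try (`try { initServerSocket(socket); socket.setSoTimeout(1); socket.accept(); ...`) keeps the close guarantee for every path. The `catch (Exception e)` branch then discards the exception with no record at all, which also hides the case where the check itself could not run (a SecurityException, a SocketException from setSoTimeout) and silently falls back to the pre-patch behaviour; recording `e` at debug level there, through whatever logging facility the class already has, would make a skipped check visible to the operator. The probe also appears to rely on the provider's `accept()` validating the enabled suites against the key material before it rejects the unbound socket, so the Javadoc should state that the check is only effective with providers that behave that way, and the inline comment naming SocketTimeoutException for the all-is-well case is presumably a SocketException for an unbound socket — worth confirming against the JDK in use.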
Modified: trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 2008-08-25
11:02:39 UTC (rev 747)
+++ trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 2008-08-25
11:03:17 UTC (rev 748)
@@ -1,2 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#
http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2008-08-25 11:02:39 UTC (rev 747)
+++ trunk/webapps/docs/changelog.xml 2008-08-25 11:03:17 UTC (rev 748)
@@ -53,6 +53,9 @@
Consider that a normal request is Comet (it is possible to get a resume before
officially going into Comet mode). (remm)
</fix>
+ <fix>
+ Add configuration checks for java.io SSL. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">