tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Sun, 10 Aug 2008 17:24:51 GMT
Author: markt
Date: Sun Aug 10 10:24:51 2008
New Revision: 684559

URL: http://svn.apache.org/viewvc?rev=684559&view=rev
Log:
Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528. Test the SSL socket before
returning it to make sure the specified certificate will work with the specified ciphers.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Sun Aug 10 10:24:51
2008
@@ -26,6 +26,7 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
@@ -692,7 +693,7 @@
      * Configures the given SSL server socket with the requested cipher suites,
      * protocol versions, and need for client authentication
      */
-    private void initServerSocket(ServerSocket ssocket) {
+    private void initServerSocket(ServerSocket ssocket) throws IOException {
 
         SSLServerSocket socket = (SSLServerSocket) ssocket;
 
@@ -704,9 +705,48 @@
         setEnabledProtocols(socket, getEnabledProtocols(socket, 
                                                          requestedProtocols));
 
+        // Check the SSL config is OK
+        checkSocket(ssocket);
+
         // we don't know if client auth is needed -
         // after parsing the request we may re-handshake
         configureClientAuth(socket);
     }
 
+    /**
+     * Checks that the cetificate is compatible with the enabled cipher suites.
+     * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+     * See bug 45528.
+     */
+    private void checkSocket(ServerSocket socket) throws IOException {
+        int timeout = socket.getSoTimeout();
+        
+        socket.setSoTimeout(1);
+        Socket s = null;
+        try {
+            s = socket.accept();
+            // No expecting to get here but if we do, at least we know things
+            // are working.
+        } catch (SSLException ssle) {
+            // Cert doesn't match ciphers
+            IOException ioe =
+                new IOException("Certificate / cipher mismatch");
+            ioe.initCause(ssle);
+            throw ioe;
+        } catch (SocketTimeoutException ste) {
+            // Expected - do nothing
+        } finally {
+            // In case we actually got a connection - close it.
+            if (s != null) {
+                try {
+                    s.close();
+                } catch (IOException ioe) {
+                    // Ignore
+                }
+            }
+            // Reset the timeout
+            socket.setSoTimeout(timeout);
+        }
+        
+    }
 }



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message