tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Thu, 14 Aug 2008 04:22:29 GMT
-1: this is a misconfigured keystore. Solution is to fix the keystore.
The SSL-HOW-TO in tomcat is talking about this.
There are a few cases; in this user's case, the 'tomcat' alias is not present.
The keystore in this case doesn't even contain a private key.

The bug report is invalid; the tomcat documentation talks about how to get around this:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Infinite loop is bad, but if we need to validate the keystore, let's validate the keystore; doing it in the accept() call is not the correct solution, not even if it is the main accept loop.

Filip


markt@apache.org wrote:
> Author: markt
> Date: Sun Aug 10 10:24:51 2008
> New Revision: 684559
>
> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
> Log:
> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528. Test the SSL socket before returning it to make sure the specified certificate will work with the specified ciphers.
>
> Modified:
>     tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Sun Aug 10 10:24:51 2008
> @@ -26,6 +26,7 @@
>  import java.net.ServerSocket;
>  import java.net.Socket;
>  import java.net.SocketException;
> +import java.net.SocketTimeoutException;
>  import java.security.KeyStore;
>  import java.security.SecureRandom;
>  import java.security.cert.CRL;
> @@ -692,7 +693,7 @@
>       * Configures the given SSL server socket with the requested cipher suites,
>       * protocol versions, and need for client authentication
>       */
> -    private void initServerSocket(ServerSocket ssocket) {
> +    private void initServerSocket(ServerSocket ssocket) throws IOException {
>  
>          SSLServerSocket socket = (SSLServerSocket) ssocket;
>  
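Review bot: initServerSocket now declares `throws IOException`, but none of its call sites appear in this diff; check that every caller either propagates the exception or logs it and aborts connector start-up, otherwise the new check can be swallowed and the server socket handed out anyway.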
> @@ -704,9 +705,48 @@
>          setEnabledProtocols(socket, getEnabledProtocols(socket, 
>                                                           requestedProtocols));
>  
> +        // Check the SSL config is OK
> +        checkSocket(ssocket);
> +
>          // we don't know if client auth is needed -
>          // after parsing the request we may re-handshake
>          configureClientAuth(socket);
>      }
>  
> +    /**
> +     * Checks that the cetificate is compatible with the enabled cipher suites.
> +     * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
> +     * See bug 45528.
> +     */
> +    private void checkSocket(ServerSocket socket) throws IOException {
> +        int timeout = socket.getSoTimeout();
> +        
> +        socket.setSoTimeout(1);
> +        Socket s = null;
> +        try {
> +            s = socket.accept();
> +            // No expecting to get here but if we do, at least we know things
> +            // are working.
> +        } catch (SSLException ssle) {
> +            // Cert doesn't match ciphers
> +            IOException ioe =
> +                new IOException("Certificate / cipher mismatch");
> +            ioe.initCause(ssle);
> +            throw ioe;
> +        } catch (SocketTimeoutException ste) {
> +            // Expected - do nothing
> +        } finally {
> +            // In case we actually got a connection - close it.
> +            if (s != null) {
> +                try {
> +                    s.close();
> +                } catch (IOException ioe) {
> +                    // Ignore
> +                }
> +            }
> +            // Reset the timeout
> +            socket.setSoTimeout(timeout);
> +        }
> +        
> +    }
>  }
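Review bot: checkSocket only detects the mismatch if accept() raises SSLException before it blocks; whenever it does block for the 1 ms window, any real client connecting in that window is accepted and then closed in the finally block, so that connection is dropped without a log line. Validating the configuration against the keystore directly when the factory is initialised (alias present, entry holds a private key, key type usable by the enabled suites) would give the same guarantee without a timed accept() on the listening socket. Also, the javadoc reads "cetificate" and the comment "No expecting to get here" should be "Not expecting to get here".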
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
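Filip's point is that the keystore itself should be validated rather than probing accept(). The following is an added example, not Tomcat's code and not part of the commit: a small Java class that loads a keystore and reports the conditions named in this thread (the configured alias is absent, or the entry holds no private key), plus whether the enabled cipher suites can authenticate with the key type it finds. The class name, the suite-name heuristic in suiteCanUseKey, the sample password and the command-line arguments are assumptions; the 'tomcat' alias default and the failure scenario come from the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Hypothetical start-up check for a JSSE keystore (example code, not Tomcat's).
 * It reports the misconfigurations the thread describes (missing alias, entry
 * without a private key) and a key-type / cipher-suite mismatch, without ever
 * touching the listening socket.
 */
public class KeyStoreCheck {

    /** Returns the problems found with the key entry `alias`; an empty list means usable. */
    public static List<String> validate(KeyStore ks, String alias, char[] keyPass,
                                        String[] enabledSuites) throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' is not present in the keystore");
            return problems;
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is a trusted-certificate entry; it holds no private key");
            return problems;
        }
        Key key;
        try {
            key = ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            problems.add("key password for alias '" + alias + "' is wrong");
            return problems;
        }
        if (!(key instanceof PrivateKey)) {
            problems.add("alias '" + alias + "' holds a secret key, not a private key");
            return problems;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("alias '" + alias + "' has no certificate chain");
            return problems;
        }
        if (chain[0] instanceof X509Certificate) {
            try {
                ((X509Certificate) chain[0]).checkValidity(new Date());
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                problems.add("server certificate is not currently valid: " + e.getMessage());
            }
        }
        String keyAlg = key.getAlgorithm();          // e.g. "RSA", "EC", "DSA"
        boolean usable = false;
        for (String suite : enabledSuites) {
            if (suiteCanUseKey(suite, keyAlg)) {
                usable = true;
                break;
            }
        }
        if (!usable) {
            problems.add("none of the enabled cipher suites can authenticate with a " + keyAlg + " key");
        }
        return problems;
    }

    /**
     * Heuristic (an assumption here, not JSSE's own rule): derive the server key type a
     * suite needs from its name. TLS 1.3 suites name no key exchange, so any key works.
     */
    static boolean suiteCanUseKey(String suite, String keyAlg) {
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return true;
        }
        switch (keyAlg) {
            case "RSA": return suite.contains("_RSA_");
            case "EC":  return suite.contains("_ECDSA_");
            case "DSA": return suite.contains("_DSS_");
            default:    return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String[] suites = { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                            "TLS_RSA_WITH_AES_128_CBC_SHA" };
        char[] pass = "changeit".toCharArray();     // constructed sample password

        // Constructed case: an empty in-memory keystore, i.e. the 'tomcat' alias is missing.
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        System.out.println("empty keystore: " + validate(empty, "tomcat", pass, suites));

        // Real keystore: java KeyStoreCheck <keystore-file> <password> [alias]
        if (args.length >= 2) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            String alias = args.length > 2 ? args[2] : "tomcat";
            List<String> problems = validate(ks, alias, args[1].toCharArray(), suites);
            System.out.println(args[0] + ": " + (problems.isEmpty() ? "OK" : problems));
        }
    }
}
```

Run with no arguments it exercises the constructed "alias missing" case; with a keystore path and password it reports on a real file. The check is done once, at configuration time, and returns a readable list of problems, which is the behaviour Filip asks for: fail start-up with a clear message instead of letting the accept loop discover the mismatch.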