tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Thu, 14 Aug 2008 04:25:03 GMT
the check would be as simple as


boolean b = keystore.isKeyEntry(alias);

Filip


Filip Hanik - Dev Lists wrote:
> -1: this is a misconfigured keystore. Solution is to fix the keystore.
>      The SSL-HOW-TO in tomcat is talking about this.
>      There are a few cases; in this user's case, the 'tomcat' alias is
> not present.
>      The keystore in this case doesn't even contain a private key.
>
> The bug report is invalid, the tomcat documentation talks about how to get
> around this
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>
> Infinite loop is bad, but if we need to validate the keystore, let's
> validate the keystore, doing it in the accept() call is not the
> correct solution.
> Not even if it is the main accept loop.
>
> Filip
>
>
> markt@apache.org wrote:
>> Author: markt
>> Date: Sun Aug 10 10:24:51 2008
>> New Revision: 684559
>>
>> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
>> Log:
>> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528. 
>> Test the SSL socket before returning it to make sure the specified 
>> certificate will work with the specified ciphers.
>>
>> Modified:
>>     
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>
>> Modified: 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> URL: 
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
>>
>> ============================================================================== 
>>
>> --- 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
>> (original)
>> +++ 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
>> Sun Aug 10 10:24:51 2008
>> @@ -26,6 +26,7 @@
>>  import java.net.ServerSocket;
>>  import java.net.Socket;
>>  import java.net.SocketException;
>> +import java.net.SocketTimeoutException;
>>  import java.security.KeyStore;
>>  import java.security.SecureRandom;
>>  import java.security.cert.CRL;
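Review bot: the new checkSocket body below catches SSLException, yet this import hunk adds only java.net.SocketTimeoutException; javax.net.ssl.SSLException is not visible in the context shown, so confirm the file already imports it before this change, otherwise the patch will not compile.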
>> @@ -692,7 +693,7 @@
>>       * Configures the given SSL server socket with the requested 
>> cipher suites,
>>       * protocol versions, and need for client authentication
>>       */
>> -    private void initServerSocket(ServerSocket ssocket) {
>> +    private void initServerSocket(ServerSocket ssocket) throws 
>> IOException {
>>  
>>          SSLServerSocket socket = (SSLServerSocket) ssocket;
>>  
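Review bot: initServerSocket now declares throws IOException, but the Javadoc directly above it is unchanged and does not document the new checked exception or what it means (a certificate / cipher mismatch detected by checkSocket); add an @throws IOException tag. The declaration also changes the method's contract, and no caller of initServerSocket appears in this diff, so verify that every caller either handles or propagates IOException.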
>> @@ -704,9 +705,48 @@
>>          setEnabledProtocols(socket, getEnabledProtocols(socket, 
>>                                                           
>> requestedProtocols));
>>  
>> +        // Check the SSL config is OK
>> +        checkSocket(ssocket);
>> +
>>          // we don't know if client auth is needed -
>>          // after parsing the request we may re-handshake
>>          configureClientAuth(socket);
>>      }
>>  
>> +    /**
>> +     * Checks that the cetificate is compatible with the enabled 
>> cipher suites.
>> +     * If we don't check now, the JIoEndpoint can enter a nasty 
>> logging loop.
>> +     * See bug 45528.
>> +     */
>> +    private void checkSocket(ServerSocket socket) throws IOException {
>> +        int timeout = socket.getSoTimeout();
>> +        +        socket.setSoTimeout(1);
>> +        Socket s = null;
>> +        try {
>> +            s = socket.accept();
>> +            // No expecting to get here but if we do, at least we 
>> know things
>> +            // are working.
>> +        } catch (SSLException ssle) {
>> +            // Cert doesn't match ciphers
>> +            IOException ioe =
>> +                new IOException("Certificate / cipher mismatch");
>> +            ioe.initCause(ssle);
>> +            throw ioe;
>> +        } catch (SocketTimeoutException ste) {
>> +            // Expected - do nothing
>> +        } finally {
>> +            // In case we actually got a connection - close it.
>> +            if (s != null) {
>> +                try {
>> +                    s.close();
>> +                } catch (IOException ioe) {
>> +                    // Ignore
>> +                }
>> +            }
>> +            // Reset the timeout
>> +            socket.setSoTimeout(timeout);
>> +        }
>> +        +    }
>>  }
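Review bot: checkSocket validates the SSL configuration by calling accept() on the live listening socket with a 1 ms timeout, which makes the check a race rather than a deterministic test: a client that happens to connect inside that window is accepted and then silently closed in the finally block, so that client sees a dropped connection with no log entry, and the SSLException branch only fires if the JSSE provider performs its certificate / cipher-suite compatibility check inside accept() itself rather than during the later handshake, an implementation detail the comment does not state. A direct inspection of the configured keystore (the reply above proposes keystore.isKeyEntry(alias)) would fail deterministically at init time without touching the socket at all. Restoring the original socket.getSoTimeout() in finally is correct. Minor: the Javadoc reads "cetificate" for "certificate".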
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>   
>
>
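The reply above argues for validating the keystore itself at init time instead of probing accept(). The following is an added example of such a check, written for this thread; it is not Tomcat's code and not the one-liner's author's code. The class name, its parameters, and the cipher-suite name heuristic in anySuiteUsable are assumptions; only the KeyStore, Key, and X509Certificate calls are real JDK APIs. It goes beyond the one-liner by also checking the entry holds a PrivateKey, that the certificate is currently valid, and that the key type matches at least one enabled cipher suite, which is the mismatch the commit's comment describes.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;

/**
 * Init-time keystore validation (added example; hypothetical class, not Tomcat code).
 * Each defect is reported once, naming the alias, instead of surfacing
 * repeatedly from the accept loop.
 */
public final class KeystoreCheck {

    private KeystoreCheck() {}

    /**
     * Loads the keystore and checks that {@code alias} holds a usable private key
     * and certificate for at least one of {@code enabledCiphers}.
     * Returns the certificate on success; throws on the first defect found.
     */
    public static X509Certificate validate(String path, char[] storePass, String type,
                                           String alias, char[] keyPass,
                                           String[] enabledCiphers)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);          // e.g. "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                        // wrong store password -> IOException
        }
        if (!ks.containsAlias(alias)) {
            throw new GeneralSecurityException("alias '" + alias + "' not found in " + path);
        }
        // The check proposed in the thread: a trusted-certificate entry has no private key.
        if (!ks.isKeyEntry(alias)) {
            throw new GeneralSecurityException("alias '" + alias + "' is not a key entry (no private key)");
        }
        Key key = ks.getKey(alias, keyPass);               // wrong key password -> UnrecoverableKeyException
        if (!(key instanceof PrivateKey)) {
            throw new GeneralSecurityException("alias '" + alias + "' holds a secret key, not a private key");
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new GeneralSecurityException("alias '" + alias + "' has no X.509 certificate");
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity();                               // expired / not yet valid -> CertificateException
        String keyAlg = x509.getPublicKey().getAlgorithm(); // "RSA", "EC" or "DSA"
        if (!anySuiteUsable(keyAlg, enabledCiphers)) {
            throw new GeneralSecurityException("none of the enabled cipher suites can authenticate with a "
                    + keyAlg + " key (alias '" + alias + "')");
        }
        return x509;
    }

    /**
     * Heuristic (an assumption of this example, not a JSSE API): classic suite names encode
     * the authentication algorithm, e.g. TLS_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_...
     * need an RSA key, TLS_ECDHE_ECDSA_... an EC key, TLS_DHE_DSS_... a DSA key.
     * TLS 1.3 suite names (TLS_AES_..., TLS_CHACHA20_...) carry no such marker and are
     * treated as usable with any key type.
     */
    static boolean anySuiteUsable(String keyAlg, String[] suites) {
        String alg = keyAlg.toUpperCase(Locale.ROOT);
        for (String suite : suites) {
            String s = suite.toUpperCase(Locale.ROOT);
            if (s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_")) {
                return true;
            }
            if (alg.equals("RSA") && s.contains("_RSA_")) return true;
            if (alg.equals("EC") && s.contains("_ECDSA_")) return true;
            if (alg.equals("DSA") && s.contains("_DSS_")) return true;
        }
        return false;
    }

    /** Usage: java KeystoreCheck <keystore> <storepass> <alias> [keypass] (arguments are placeholders). */
    public static void main(String[] args) throws Exception {
        // Constructed suite list for the demonstration; a server would pass the suites it actually enables.
        String[] rsaOnly = { "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" };
        System.out.println("EC key with RSA-only suites usable? " + anySuiteUsable("EC", rsaOnly));
        System.out.println("RSA key with RSA-only suites usable? " + anySuiteUsable("RSA", rsaOnly));

        if (args.length >= 3) {
            char[] storePass = args[1].toCharArray();
            char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;
            X509Certificate c = validate(args[0], storePass, KeyStore.getDefaultType(),
                                         args[2], keyPass, rsaOnly);
            System.out.println("OK: " + c.getSubjectX500Principal());
        }
    }
}
```

Because every check runs against the loaded KeyStore rather than a live socket, the result is the same on every start and no client connection is consumed; a misconfiguration such as the missing 'tomcat' alias discussed above fails the connector at init with a message that names the alias and the keystore path.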



