tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Thu, 14 Aug 2008 10:38:50 GMT
Filip Hanik - Dev Lists wrote:
> -1: this is a misconfigured keystore. Solution is to fix the keystore.
>      The SSL-HOW-TO in tomcat is talking about this.
>      There are a few cases, in this user's case, the 'tomcat' alias is
> not present
>      The keystore in this case doesn't even contain a private key
> 
> The bug report is invalid, the tomcat documentation talks about how to get
> around this
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
> 
> Infinite loop is bad, but if we need to validate the keystore, let's
> validate the keystore, doing it in the accept() call is not the correct
> solution.
> not even if it is the main accept loop

The alias isn't the problem. When I tested this with an invalid password,
as per the OP's report, I couldn't reproduce it. The only way I could
reproduce it was to take a valid, working SSL configuration and set a value
for the ciphers attribute that was not compatible with the certificate
Tomcat was using.

The test is done in the init() for the connector.

The reason I used an accept() was it was the only way I could find to
detect the problem. You could catch the exception in the main accept() loop
once the connector has started but you'll see the same exception if the
handshake fails between the client and the server. The only way of
differentiating would be by looking for keywords in the exception message
but that opens up all sorts of i18n issues.

There must be a way to test cert/cipher compatibility without opening a
socket but I couldn't find it when I looked. I'll take another look at the
javax.net.ssl API but if anyone has any bright ideas please, let me know.

Mark
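Mark asks above for a way to test certificate / cipher compatibility without opening a socket. The following is an added example, not code from this thread or from Tomcat: it approximates that test statically, by reading the private key algorithms out of the keystore and comparing them with the authentication part of each enabled cipher suite name, so no listening socket and no accept() are involved. The class name, the assumption that the key password equals the keystore password, and the name-based mapping (RSA, DSS, ECDSA, static ECDH, anon, KRB5 tokens) are mine, not anything the commit or the JSSE API defines.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example, not Tomcat code: a static check that the private keys in a
 * keystore can serve at least one of the enabled cipher suites, derived from
 * key algorithms and suite names only, so no listening socket is opened.
 */
public class CipherKeyCompatibilityCheck {

    /**
     * Private key algorithm ("RSA", "EC", "DSA") a suite needs for server
     * authentication, or null when no certificate key is needed or the name
     * carries no key-exchange part (TLS 1.3 names, signalling values).
     * The token mapping is an assumption based on JSSE suite naming.
     */
    static String requiredKeyAlgorithm(String suite) {
        int with = suite.indexOf("_WITH_");
        if (with < 0 || suite.endsWith("_SCSV")) {
            return null;
        }
        Set<String> kx = new HashSet<>(Arrays.asList(suite.substring(0, with).split("_")));
        if (kx.contains("anon") || kx.contains("KRB5")) {
            return null;            // no server certificate involved
        }
        if (kx.contains("ECDSA") || kx.contains("ECDH")) {
            return "EC";            // ECDSA signing, or a static EC key (ECDH_RSA too)
        }
        if (kx.contains("DSS")) {
            return "DSA";
        }
        if (kx.contains("RSA")) {
            return "RSA";           // RSA key exchange, or RSA-signed ECDHE/DHE
        }
        return null;                // unknown naming scheme: cannot decide from the name
    }

    /** Algorithms of every private key entry; empty when the keystore has none. */
    static Set<String> privateKeyAlgorithms(KeyStore ks, char[] keyPass)
            throws GeneralSecurityException {
        Set<String> algs = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Key k = ks.getKey(alias, keyPass);
                if (k instanceof PrivateKey) {
                    algs.add(k.getAlgorithm());
                }
            }
        }
        return algs;
    }

    /** Subset of enabledSuites that the available key algorithms can serve. */
    static List<String> usableSuites(Set<String> keyAlgorithms, String[] enabledSuites) {
        List<String> usable = new ArrayList<>();
        for (String suite : enabledSuites) {
            String need = requiredKeyAlgorithm(suite);
            if (need == null || keyAlgorithms.contains(need)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    /** Usage: java CipherKeyCompatibilityCheck <keystore> <password> [suite ...] */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        char[] pass = args[1].toCharArray();   // assumed: key password == store password
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        // With no explicit suites, check the JSSE defaults a server socket would enable
        String[] suites = args.length > 2
                ? Arrays.copyOfRange(args, 2, args.length)
                : ((SSLServerSocketFactory) SSLServerSocketFactory.getDefault())
                        .getDefaultCipherSuites();
        Set<String> keys = privateKeyAlgorithms(ks, pass);
        List<String> usable = usableSuites(keys, suites);
        System.out.println("private key algorithms: " + keys);
        System.out.println("usable suites: " + usable.size() + " of " + suites.length);
        if (usable.isEmpty()) {
            // Same condition the commit detects through accept(), reported before any socket exists
            throw new IllegalStateException("Certificate / cipher mismatch: no enabled suite"
                    + " can be served by the private keys in " + args[0]);
        }
    }
}
```

Run it against the connector's keystore and the value of the ciphers attribute; a keystore with no private key entry at all (the case Filip describes) yields an empty algorithm set and fails every certificate-based suite. The check is necessary, not sufficient: a suite can still be rejected at runtime for reasons the name does not show (key size, algorithms disabled by the JRE), so it complements rather than replaces a handshake test.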

> 
> Filip
> 
> 
> markt@apache.org wrote:
>> Author: markt
>> Date: Sun Aug 10 10:24:51 2008
>> New Revision: 684559
>>
>> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
>> Log:
>> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528. Test
>> the SSL socket before returning it to make sure the specified
>> certificate will work with the specified ciphers.
>>
>> Modified:
>>    
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>
>> Modified:
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
>>
>> ==============================================================================
>>
>> ---
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> (original)
>> +++
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> Sun Aug 10 10:24:51 2008
>> @@ -26,6 +26,7 @@
>>  import java.net.ServerSocket;
>>  import java.net.Socket;
>>  import java.net.SocketException;
>> +import java.net.SocketTimeoutException;
>>  import java.security.KeyStore;
>>  import java.security.SecureRandom;
>>  import java.security.cert.CRL;
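Review bot: the new checkSocket() body further down catches SSLException, but this import hunk only adds java.net.SocketTimeoutException; confirm that javax.net.ssl.SSLException is already imported in JSSESocketFactory, otherwise the file will not compile.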
>> @@ -692,7 +693,7 @@
>>       * Configures the given SSL server socket with the requested
>> cipher suites,
>>       * protocol versions, and need for client authentication
>>       */
>> -    private void initServerSocket(ServerSocket ssocket) {
>> +    private void initServerSocket(ServerSocket ssocket) throws
>> IOException {
>>  
>>          SSLServerSocket socket = (SSLServerSocket) ssocket;
>>  
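Review bot: initServerSocket() now declares `throws IOException`, but the Javadoc immediately above ("Configures the given SSL server socket with the requested cipher suites, ...") is not updated to say the method can now fail with a certificate / cipher mismatch; add an `@throws IOException` line, and check that every caller of initServerSocket() propagates the new checked exception so the connector fails to start rather than logging and continuing.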
>> @@ -704,9 +705,48 @@
>>          setEnabledProtocols(socket, getEnabledProtocols(socket,
>>                                                          
>> requestedProtocols));
>>  
>> +        // Check the SSL config is OK
>> +        checkSocket(ssocket);
>> +
>>          // we don't know if client auth is needed -
>>          // after parsing the request we may re-handshake
>>          configureClientAuth(socket);
>>      }
>>  
>> +    /**
>> +     * Checks that the cetificate is compatible with the enabled
>> cipher suites.
>> +     * If we don't check now, the JIoEndpoint can enter a nasty
>> logging loop.
>> +     * See bug 45528.
>> +     */
>> +    private void checkSocket(ServerSocket socket) throws IOException {
>> +        int timeout = socket.getSoTimeout();
>> +        +        socket.setSoTimeout(1);
>> +        Socket s = null;
>> +        try {
>> +            s = socket.accept();
>> +            // No expecting to get here but if we do, at least we
>> know things
>> +            // are working.
>> +        } catch (SSLException ssle) {
>> +            // Cert doesn't match ciphers
>> +            IOException ioe =
>> +                new IOException("Certificate / cipher mismatch");
>> +            ioe.initCause(ssle);
>> +            throw ioe;
>> +        } catch (SocketTimeoutException ste) {
>> +            // Expected - do nothing
>> +        } finally {
>> +            // In case we actually got a connection - close it.
>> +            if (s != null) {
>> +                try {
>> +                    s.close();
>> +                } catch (IOException ioe) {
>> +                    // Ignore
>> +                }
>> +            }
>> +            // Reset the timeout
>> +            socket.setSoTimeout(timeout);
>> +        }
>> +        +    }
>>  }
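Review bot: checkSocket() relies on accept() timing out after 1 ms on a socket that is already listening; any client that happens to connect in that window is accepted and silently closed in the finally block, and if that stray connection raises an SSLException for a reason unrelated to the keystore it is reported as "Certificate / cipher mismatch" and aborts connector start. At minimum the Javadoc should state that the check must run before the connector is expected to serve traffic, and the IOException message should carry the enabled cipher suites so the operator can fix the keystore or the ciphers attribute without reading the wrapped cause. Comment typos while here: "cetificate" -> "certificate", "No expecting" -> "Not expecting".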
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org