tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: svn commit: r684559 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Thu, 14 Aug 2008 10:39:48 GMT
Filip Hanik - Dev Lists wrote:
> the check would be as simple as
> 
> 
> boolean b = keystore.isKeyEntry(alias);

It would be if the alias was the problem. Unfortunately it isn't. See my
longer mail on the subject.

Mark

> 
> Filip
> 
> 
> Filip Hanik - Dev Lists wrote:
>> -1: this is a misconfigured keystore. Solution is to fix the keystore.
>>      The SSL-HOW-TO in tomcat is talking about this.
>>      There are a few cases, in this user's case, the 'tomcat' alias is
>> not present
>>      The keystore in this case doesn't even contain a private key
>>
>> The bug report is invalid, the tomcat documentation talks about how to get
>> around this
>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>>
>> Infinite loop is bad, but if we need to validate the keystore, let's
>> validate the keystore, doing it in the accept() call is not the
>> correct solution.
>> not even if it is the main accept loop
>>
>> Filip
>>
>>
>> markt@apache.org wrote:
>>> Author: markt
>>> Date: Sun Aug 10 10:24:51 2008
>>> New Revision: 684559
>>>
>>> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
>>> Log:
>>> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528.
>>> Test the SSL socket before returning it to make sure the specified
>>> certificate will work with the specified ciphers.
>>>
>>> Modified:
>>>    
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>
>>> Modified:
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> (original)
>>> +++
>>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> Sun Aug 10 10:24:51 2008
>>> @@ -26,6 +26,7 @@
>>>  import java.net.ServerSocket;
>>>  import java.net.Socket;
>>>  import java.net.SocketException;
>>> +import java.net.SocketTimeoutException;
>>>  import java.security.KeyStore;
>>>  import java.security.SecureRandom;
>>>  import java.security.cert.CRL;
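Review bot: the new checkSocket body catches SSLException, but this hunk only adds java.net.SocketTimeoutException; confirm javax.net.ssl.SSLException is already imported further down the import block (the diff does not show it), otherwise the class will not compile.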
>>> @@ -692,7 +693,7 @@
>>>       * Configures the given SSL server socket with the requested
>>> cipher suites,
>>>       * protocol versions, and need for client authentication
>>>       */
>>> -    private void initServerSocket(ServerSocket ssocket) {
>>> +    private void initServerSocket(ServerSocket ssocket) throws
>>> IOException {
>>>  
>>>          SSLServerSocket socket = (SSLServerSocket) ssocket;
>>>  
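Review bot: the javadoc directly above initServerSocket is not updated for the new `throws IOException`; add an `@throws IOException` line stating that the enabled cipher suites are incompatible with the configured certificate. Every caller of initServerSocket now has to handle or propagate IOException as well, and none of them appears in this diff, so check that the connector startup path turns this into a clear startup failure rather than a swallowed exception.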
>>> @@ -704,9 +705,48 @@
>>>          setEnabledProtocols(socket, getEnabledProtocols(socket,
>>>                                                          
>>> requestedProtocols));
>>>  
>>> +        // Check the SSL config is OK
>>> +        checkSocket(ssocket);
>>> +
>>>          // we don't know if client auth is needed -
>>>          // after parsing the request we may re-handshake
>>>          configureClientAuth(socket);
>>>      }
>>>  
>>> +    /**
>>> +     * Checks that the cetificate is compatible with the enabled
>>> cipher suites.
>>> +     * If we don't check now, the JIoEndpoint can enter a nasty
>>> logging loop.
>>> +     * See bug 45528.
>>> +     */
>>> +    private void checkSocket(ServerSocket socket) throws IOException {
>>> +        int timeout = socket.getSoTimeout();
>>> +        +        socket.setSoTimeout(1);
>>> +        Socket s = null;
>>> +        try {
>>> +            s = socket.accept();
>>> +            // No expecting to get here but if we do, at least we
>>> know things
>>> +            // are working.
>>> +        } catch (SSLException ssle) {
>>> +            // Cert doesn't match ciphers
>>> +            IOException ioe =
>>> +                new IOException("Certificate / cipher mismatch");
>>> +            ioe.initCause(ssle);
>>> +            throw ioe;
>>> +        } catch (SocketTimeoutException ste) {
>>> +            // Expected - do nothing
>>> +        } finally {
>>> +            // In case we actually got a connection - close it.
>>> +            if (s != null) {
>>> +                try {
>>> +                    s.close();
>>> +                } catch (IOException ioe) {
>>> +                    // Ignore
>>> +                }
>>> +            }
>>> +            // Reset the timeout
>>> +            socket.setSoTimeout(timeout);
>>> +        }
>>> +        +    }
>>>  }
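Review bot: checkSocket only works if ServerSocket.accept() raises SSLException for a certificate/cipher mismatch before any client connects; with `socket.setSoTimeout(1)` an implementation that performs that check during the handshake instead would surface SocketTimeoutException, the "Expected - do nothing" branch would run, and the mismatch would go undetected until the accept loop. State that reliance in the javadoc, and consider a check that does not depend on accept() at all (inspect the key entry and its key algorithm against the enabled suites in initServerSocket). Smaller points: a real client that connects inside the 1 ms window is accepted and closed without a handshake, which the finally block handles but deserves a comment; `setSoTimeout(1)` is a magic number; the javadoc has "cetificate" for "certificate" and the comment "No expecting to get here" should read "Not expecting to get here".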
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>>
>>>   
>>
>>
> 
> 



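A configuration-time keystore check of the kind Filip argues for, as an added example that is not Tomcat's code and not part of the commit above. It goes beyond the `isKeyEntry` one-liner in the thread: it also verifies the alias exists, that the private key is recoverable with the key password, and that the certificate's key type (RSA, EC, DSA) suits at least one enabled cipher suite, which is the condition Mark's patch probes through accept(). The `requiredKeyAlgorithm` heuristic, which infers the needed key type from standard JSSE suite names, is this example's own assumption, not a JSSE API, and the example uses the JVM's default enabled suites where Tomcat would use its configured `ciphers` attribute.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Added example (not Tomcat code): validate a keystore against the enabled
 * cipher suites at configuration time, so a mismatch is reported once with a
 * clear message instead of being discovered in the accept() loop.
 */
public final class KeystoreCheck {

    /** Returns the problems found; empty means the alias is usable with at least one suite. */
    public static List<String> validate(KeyStore ks, String alias, char[] keyPass,
                                        String[] enabledSuites) throws GeneralSecurityException {
        List<String> problems = new ArrayList<String>();

        // 1. The alias must exist at all (the default 'tomcat' alias is easy to miss).
        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' not present in keystore");
            return problems;
        }
        // 2. It must be a key entry; a trusted-certificate entry carries no private key.
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is not a key entry (no private key)");
            return problems;
        }
        // 3. The private key must be recoverable with the configured key password.
        try {
            Key key = ks.getKey(alias, keyPass);
            if (key == null) {
                problems.add("no private key recoverable for alias '" + alias + "'");
                return problems;
            }
        } catch (UnrecoverableKeyException e) {
            problems.add("wrong key password for alias '" + alias + "': " + e.getMessage());
            return problems;
        }
        // 4. The certificate's key type must suit at least one enabled suite, e.g. an EC
        //    certificate cannot serve TLS_RSA_* or TLS_ECDHE_RSA_* suites.
        Certificate cert = ks.getCertificate(alias);
        String keyAlg = cert.getPublicKey().getAlgorithm();   // "RSA", "EC", "DSA", ...
        List<String> usable = new ArrayList<String>();
        for (String suite : enabledSuites) {
            String needed = requiredKeyAlgorithm(suite);
            if (needed == null || needed.equals(keyAlg)) {
                usable.add(suite);
            }
        }
        if (usable.isEmpty()) {
            problems.add("certificate key type " + keyAlg + " matches none of the "
                    + enabledSuites.length + " enabled cipher suites");
        }
        return problems;
    }

    /**
     * Heuristic (this example's assumption, not a JSSE API): derive the server key type a
     * suite needs from its standard name. Returns null where no certificate is needed
     * (anonymous, PSK) or the name does not fix the key type (TLS 1.3 TLS_AES_* names).
     */
    static String requiredKeyAlgorithm(String suite) {
        if (suite.contains("_anon_") || suite.contains("_PSK_")) return null;
        if (suite.contains("_ECDH_"))  return "EC";    // static ECDH: server key is EC
        if (suite.contains("_ECDSA_")) return "EC";    // TLS_ECDHE_ECDSA_*
        if (suite.contains("_DSS_"))   return "DSA";   // TLS_DHE_DSS_*
        if (suite.contains("_RSA_"))   return "RSA";   // TLS_RSA_, TLS_DHE_RSA_, TLS_ECDHE_RSA_
        return null;
    }

    /** Usage: java KeystoreCheck <keystore> <storepass> <alias> [keypass] */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        // JVM default enabled suites stand in for Tomcat's configured 'ciphers' attribute.
        String[] suites = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> problems = validate(ks, args[2], keyPass, suites);
        if (problems.isEmpty()) {
            System.out.println("keystore OK for alias " + args[2]);
        } else {
            for (String p : problems) System.err.println("keystore problem: " + p);
            System.exit(1);
        }
    }
}
```

Run it against the keystore a connector is about to use and fail startup on a non-empty result; the check needs no listening socket, no timeout and no accept() call, so it cannot race with a real client.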

