Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Received-SPF: pass (athena.apache.org: local policy)
Message-ID: <48B2D184.6020602@hanik.com>
Date: Mon, 25 Aug 2008 10:36:36 -0500
From: Filip Hanik - Dev Lists <devlists@hanik.com>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Re: svn commit: r687503 - in
 /tomcat/trunk/java/org/apache/tomcat/util/net/jsse:
 JSSESocketFactory.java res/LocalStrings.properties
References: <20080820232042.AB85223889BA@eris.apache.org>
In-Reply-To: <20080820232042.AB85223889BA@eris.apache.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

+        socket.setSoTimeout(1);

does this ever get reset?

In JioEndpoint.java I see
        //if( serverTimeout >= 0 )
        //    serverSocket.setSoTimeout( serverTimeout );
It's commented out

and I have a hard time finding where it would be set to a more normal value, instead of 1 millisecond for the server socket

Filip


markt@apache.org wrote:
> Author: markt
> Date: Wed Aug 20 16:20:42 2008
> New Revision: 687503
>
> URL: http://svn.apache.org/viewvc?rev=687503&view=rev
> Log:
> Improved fix for 45528 (invalid SSL config).
> It is a variation on the previous patch that:
> - does the check earlier
> - uses an unbound socket so there is no possibility of a client connection
> - uses the String manager for the error message
> Note: I gave up on the alterntaive javax.crypto.Cipher suggestion as the cipher names are different and there is no easy conversion.
>
> Modified:
>     tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>     tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=687503&r1=687502&r2=687503&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed Aug 20 16:20:42 2008
> @@ -26,6 +26,7 @@
>  import java.net.ServerSocket;
>  import java.net.Socket;
>  import java.net.SocketException;
> +import java.net.SocketTimeoutException;
>  import java.security.KeyStore;
>  import java.security.SecureRandom;
>  import java.security.cert.CRL;
> @@ -428,6 +429,9 @@
>                  getEnabledCiphers(requestedCiphers,
>                          sslProxy.getSupportedCipherSuites());
>  
> +            // Check the SSL config is OK
> +            checkConfig();
> +
>          } catch(Exception e) {
>              if( e instanceof IOException )
>                  throw (IOException)e;
> @@ -692,7 +696,7 @@
>       * Configures the given SSL server socket with the requested cipher suites,
>       * protocol versions, and need for client authentication
>       */
> -    private void initServerSocket(ServerSocket ssocket) {
> +    private void initServerSocket(ServerSocket ssocket) throws IOException {
>  
>          SSLServerSocket socket = (SSLServerSocket) ssocket;
>  
> @@ -709,4 +713,33 @@
>          configureClientAuth(socket);
>      }
>  
> +    /**
> +     * Checks that the cetificate is compatible with the enabled cipher suites.
> +     * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
> +     * See bug 45528.
> +     */
> +    private void checkConfig() throws IOException {
> +        // Create an unbound server socket
> +        ServerSocket socket = sslProxy.createServerSocket();
> +        initServerSocket(socket);
> +
> +        // Set the timeout to 1ms as all we care about is if it throws an
> +        // exception on accept. 
> +        socket.setSoTimeout(1);
> +        try {
> +            socket.accept();
> +            // Will never get here - no client can connect to an unbound port
> +        } catch (SSLException ssle) {
> +            // SSL configuration is invalid. Possibly cert doesn't match ciphers
> +            IOException ioe = new IOException(sm.getString(
> +                    "jsse.invalid_ssl_conf", ssle.getMessage()));
> +            ioe.initCause(ssle);
> +            throw ioe;
> +        } catch (SocketTimeoutException ste) {
> +            // Expected if all is well - do nothing
> +        } finally {
> +            socket.close();
> +        }
> +        
> +    }
>  }
>
> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=687503&r1=687502&r2=687503&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Wed Aug 20 16:20:42 2008
> @@ -15,3 +15,4 @@
>  
>  jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
>  jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2}
> +jsse.invalid_ssl_conf=SSL configuration is invalid due to {0} 
> \ No newline at end of file
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org