tomcat-dev mailing list archives

From "Bill Barker" <billwbar...@verizon.net>
Subject Re: svn commit: r834289 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Date Tue, 10 Nov 2009 03:49:34 GMT

<costin@apache.org> wrote in message 
news:20091110010244.4F838238888F@eris.apache.org...
> Author: costin
> Date: Tue Nov 10 01:02:43 2009
> New Revision: 834289
>
> URL: http://svn.apache.org/viewvc?rev=834289&view=rev
> Log:
> Fix for the SSL midm - disable client re-negotiation, connection will be 
> closed.
>
>
> Modified:
> 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> Modified: 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff
> ==============================================================================
> ---  
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
> (original)
> +++ 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
> Tue Nov 10 01:02:43 2009
> @@ -42,6 +42,8 @@
> import java.util.Vector;
>
> import javax.net.ssl.CertPathTrustManagerParameters;
> +import javax.net.ssl.HandshakeCompletedEvent;
> +import javax.net.ssl.HandshakeCompletedListener;
> import javax.net.ssl.KeyManager;
> import javax.net.ssl.KeyManagerFactory;
> import javax.net.ssl.ManagerFactoryParameters;
> @@ -93,6 +95,9 @@
>     private static final int defaultSessionCacheSize = 0;
>     private static final int defaultSessionTimeout = 86400;
>
> +    private static final boolean midmMode =
> + 
> "true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
> +
>     static org.apache.juli.logging.Log log =
> 
> org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
>
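Review bot: the field `midmMode` and the property `enable_ssl_mitm_vulnerability` spell the acronym differently (midm vs mitm), which makes the flag hard to search for; rename the field to match the property name. Since the value is read once into a `static final` at class load, it cannot be changed per connector or at runtime, and that should be documented together with the property. A deployment that sets this property is deliberately re-enabling the behaviour the commit is meant to block, so it is worth logging a warning at startup when `midmMode` is true rather than silently skipping the listener.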
> @@ -154,12 +159,34 @@
>         SSLSocket asock = null;
>         try {
>              asock = (SSLSocket)socket.accept();
> +             if (!midmMode) {
> +                 asock.addHandshakeCompletedListener(
> +                         new DisableSslRenegotiation());
> +             }
>              configureClientAuth(asock);
>         } catch (SSLException e){
>           throw new SocketException("SSL handshake error" + e.toString());
>         }
>         return asock;
>     }
> +
> +    private static class DisableSslRenegotiation
> +            implements HandshakeCompletedListener {
> +        private volatile boolean completed = false;
> +
> +        public void handshakeCompleted(HandshakeCompletedEvent event) {
> +            if (completed) {
> +                try {
> +                    log.warn("SSL renegotiation is disabled, closing 
> connection");
> +                    event.getSocket().close();

This is just a nuisance.  The black-hat can simply reconnect and request to 
resume the session.  At the very least, the session would need to be 
invalidated as well.  But from what I've read, even this isn't a very 
effective mitigation tactic.  Since we are notified after the handshake is 
done, the black-hat already has all the information she needs to continue 
the attack.

> +                } catch (IOException e) {
> +                    // ignore
> +                }
> +            }
> +            completed = true;
> +        }
> +    }
> +
>
>     @Override
>     public void handshake(Socket sock) throws IOException { 
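Review bot: `DisableSslRenegotiation.handshakeCompleted` only fires after the second handshake has already completed, so by the time `event.getSocket().close()` runs the renegotiated session exists and can be resumed on a fresh connection; at a minimum call `event.getSession().invalidate()` before closing so that session cannot be reused. The `catch (IOException e)` with `// ignore` should at least log at debug level, because a failed close here leaves the connection open after the warning claimed it would be closed. The listener is registered only in the `asock.addHandshakeCompletedListener(...)` block of `acceptSocket`; the `handshake(Socket sock)` method that ends the hunk is not shown being changed, so it is worth confirming that sockets passing through it receive the same protection.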



