tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kkoli...@apache.org
Subject svn commit: r1066497 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml webapps/docs/config/http.xml
Date Wed, 02 Feb 2011 15:16:28 GMT
Author: kkolinko
Date: Wed Feb  2 15:16:28 2011
New Revision: 1066497

URL: http://svn.apache.org/viewvc?rev=1066497&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support)

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Feb  2 15:16:28 2011
@@ -88,15 +88,3 @@ PATCHES PROPOSED TO BACKPORT:
               The updated patch fixes a race condition.
               We can stall this item until we get some feedback about 7.0.5.
   -1:
-
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
-  Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746
-  support)
-  http://svn.apache.org/viewvc?rev=1065859&view=rev
-  +1: markt, kkolinko, funkman
-  -1:
-   kkolinko:
-     I think it would be better to do not change visibility of
-     defaultProtocol, defaultKeystoreType, though I do not see much
-     concerns against it.
-   markt: Happy to exclude those changes

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed Feb
 2 15:16:28 2011
@@ -26,7 +26,9 @@ import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
 import java.security.cert.CRLException;
@@ -82,6 +84,8 @@ public class JSSESocketFactory
     private static StringManager sm =
         StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
 
+    private static final boolean RFC_5746_SUPPORTED;
+
     // defaults
     static String defaultProtocol = "TLS";
     static boolean defaultClientAuth = false;
@@ -95,6 +99,28 @@ public class JSSESocketFactory
     static org.apache.juli.logging.Log log =
         org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
 
+    static {
+        boolean result = false;
+        SSLContext context;
+        try {
+            context = SSLContext.getInstance("TLS");
+            context.init(null, null, new SecureRandom());
+            SSLServerSocketFactory ssf = context.getServerSocketFactory();
+            String ciphers[] = ssf.getSupportedCipherSuites();
+            for (String cipher : ciphers) {
+                if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+                    result = true;
+                    break;
+                }
+            }
+        } catch (NoSuchAlgorithmException e) {
+            // Assume no RFC 5746 support
+        } catch (KeyManagementException e) {
+            // Assume no RFC 5746 support
+        }
+        RFC_5746_SUPPORTED = result;
+    }
+
     protected boolean initialized;
     protected String clientAuth = "false";
     protected SSLServerSocketFactory sslProxy = null;
@@ -159,9 +185,9 @@ public class JSSESocketFactory
     
     public void handshake(Socket sock) throws IOException {
         ((SSLSocket)sock).startHandshake();
-        
-        if (!allowUnsafeLegacyRenegotiation) {
-            // Prevent futher handshakes by removing all cipher suites
+
+        if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
+            // Prevent further handshakes by removing all cipher suites
             ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
         }
     }

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Feb  2 15:16:28 2011
@@ -72,6 +72,12 @@
         it more robust. (mturk/kkolinko)
       </fix>
       <fix>
+        <bug>50325</bug>: When the JVM indicates support for RFC 5746, disable
+        Tomcat&apos;s <code>allowUnsafeLegacyRenegotiation</code> configuration
+        attribute and use the JVM configuration to control renegotiation.
+        (markt)
+      </fix>
+      <fix>
         <bug>50631</bug>: InternalNioInputBuffer should honor
         <code>maxHttpHeadSize</code>. (kkolinko)
       </fix>

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Feb  2 15:16:28 2011
@@ -799,7 +799,13 @@
       <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
       users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
       protocol that allows an attacker to inject arbitrary data into the user's
-      request. If not specified, a default of <code>false</code> is used.</p>
+      request. If not specified, a default of <code>false</code> is used. This
+      attribute only has an effect if the JVM does not support RFC 5746 as
+      indicated by the presence of the pseudo-ciphersuite
+      TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
+      onwards. Where RFC 5746 is supported the renegotiation - including support
+      for unsafe legacy renegotiation - is controlled by the JVM configuration.
+      </p>
     </attribute>
 
   </attributes>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message