Return-Path: 
 <dev-return-90850-apmail-tomcat-dev-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-dev-archive@www.apache.org
Received: (qmail 65446 invoked from network); 25 Aug 2008 15:42:33 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 25 Aug 2008 15:42:33 -0000
Received: (qmail 38886 invoked by uid 500); 25 Aug 2008 15:42:29 -0000
Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org
Received: (qmail 38810 invoked by uid 500); 25 Aug 2008 15:42:29 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@tomcat.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@tomcat.apache.org>
List-Post: <mailto:dev@tomcat.apache.org>
List-Id: <dev.tomcat.apache.org>
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 38799 invoked by uid 99); 25 Aug 2008 15:42:29 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Aug 2008 08:42:29 -0700
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: local policy)
Received: from [72.22.94.67] (HELO virtual.halosg.com) (72.22.94.67)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Aug 2008 15:41:31 +0000
Received: (qmail 17982 invoked from network); 25 Aug 2008 10:41:00 -0500
Received: from sfwv.statefarm.com (HELO ?10.35.237.70?) (205.242.229.80)
  by halosg.com with SMTP; 25 Aug 2008 10:41:00 -0500
Message-ID: <48B2D277.6070800@hanik.com>
Date: Mon, 25 Aug 2008 10:40:39 -0500
From: Filip Hanik - Dev Lists <devlists@hanik.com>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Tomcat Developers List <dev@tomcat.apache.org>
Subject: Re: svn commit: r687503 - in
 /tomcat/trunk/java/org/apache/tomcat/util/net/jsse:
 JSSESocketFactory.java res/LocalStrings.properties
References: <20080820232042.AB85223889BA@eris.apache.org>
 <48B2D184.6020602@hanik.com>
In-Reply-To: <48B2D184.6020602@hanik.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

figured it out, you close the socket again

Filip

Filip Hanik - Dev Lists wrote:
> +        socket.setSoTimeout(1);
>
> does this ever get reset?
>
> In JioEndpoint.java I see
>        //if( serverTimeout >= 0 )
>        //    serverSocket.setSoTimeout( serverTimeout );
> It's commented out
>
> and I have a hard time finding where it would be set to a more normal 
> value, instead of 1 millisecond for the server socket
>
> Filip
>
>
>
> markt@apache.org wrote:
>> Author: markt
>> Date: Wed Aug 20 16:20:42 2008
>> New Revision: 687503
>>
>> URL: http://svn.apache.org/viewvc?rev=687503&view=rev
>> Log:
>> Improved fix for 45528 (invalid SSL config).
>> It is a variation on the previous patch that:
>> - does the check earlier
>> - uses an unbound socket so there is no possibility of a client 
>> connection
>> - uses the String manager for the error message
>> Note: I gave up on the alterntaive javax.crypto.Cipher suggestion as 
>> the cipher names are different and there is no easy conversion.
>>
>> Modified:
>>     
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>     
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
>>
>>
>> Modified: 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> URL: 
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=687503&r1=687502&r2=687503&view=diff 
>>
>> ============================================================================== 
>>
>> --- 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
>> (original)
>> +++ 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
>> Wed Aug 20 16:20:42 2008
>> @@ -26,6 +26,7 @@
>>  import java.net.ServerSocket;
>>  import java.net.Socket;
>>  import java.net.SocketException;
>> +import java.net.SocketTimeoutException;
>>  import java.security.KeyStore;
>>  import java.security.SecureRandom;
>>  import java.security.cert.CRL;
>> @@ -428,6 +429,9 @@
>>                  getEnabledCiphers(requestedCiphers,
>>                          sslProxy.getSupportedCipherSuites());
>>  
>> +            // Check the SSL config is OK
>> +            checkConfig();
>> +
>>          } catch(Exception e) {
>>              if( e instanceof IOException )
>>                  throw (IOException)e;
>> @@ -692,7 +696,7 @@
>>       * Configures the given SSL server socket with the requested 
>> cipher suites,
>>       * protocol versions, and need for client authentication
>>       */
>> -    private void initServerSocket(ServerSocket ssocket) {
>> +    private void initServerSocket(ServerSocket ssocket) throws 
>> IOException {
>>  
>>          SSLServerSocket socket = (SSLServerSocket) ssocket;
>>  
>> @@ -709,4 +713,33 @@
>>          configureClientAuth(socket);
>>      }
>>  
>> +    /**
>> +     * Checks that the cetificate is compatible with the enabled 
>> cipher suites.
>> +     * If we don't check now, the JIoEndpoint can enter a nasty 
>> logging loop.
>> +     * See bug 45528.
>> +     */
>> +    private void checkConfig() throws IOException {
>> +        // Create an unbound server socket
>> +        ServerSocket socket = sslProxy.createServerSocket();
>> +        initServerSocket(socket);
>> +
>> +        // Set the timeout to 1ms as all we care about is if it 
>> throws an
>> +        // exception on accept. +        socket.setSoTimeout(1);
>> +        try {
>> +            socket.accept();
>> +            // Will never get here - no client can connect to an 
>> unbound port
>> +        } catch (SSLException ssle) {
>> +            // SSL configuration is invalid. Possibly cert doesn't 
>> match ciphers
>> +            IOException ioe = new IOException(sm.getString(
>> +                    "jsse.invalid_ssl_conf", ssle.getMessage()));
>> +            ioe.initCause(ssle);
>> +            throw ioe;
>> +        } catch (SocketTimeoutException ste) {
>> +            // Expected if all is well - do nothing
>> +        } finally {
>> +            socket.close();
>> +        }
>> +        +    }
>>  }
>>
>> Modified: 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
>>
>> URL: 
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=687503&r1=687502&r2=687503&view=diff 
>>
>> ============================================================================== 
>>
>> --- 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
>> (original)
>> +++ 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
>> Wed Aug 20 16:20:42 2008
>> @@ -15,3 +15,4 @@
>>  
>>  jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
>>  jsse.keystore_load_failed=Failed to load keystore type {0} with path 
>> {1} due to {2}
>> +jsse.invalid_ssl_conf=SSL configuration is invalid due to {0} \ No 
>> newline at end of file
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>   
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org