Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 23495 invoked from network); 2 Feb 2011 15:16:59 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 2 Feb 2011 15:16:59 -0000 Received: (qmail 61550 invoked by uid 500); 2 Feb 2011 15:16:57 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 60893 invoked by uid 500); 2 Feb 2011 15:16:53 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 60864 invoked by uid 99); 2 Feb 2011 15:16:52 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Feb 2011 15:16:52 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Feb 2011 15:16:49 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id C48E6238896F; Wed, 2 Feb 2011 15:16:28 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1066497 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml webapps/docs/config/http.xml Date: Wed, 02 Feb 2011 15:16:28 -0000 To: dev@tomcat.apache.org From: kkolinko@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110202151628.C48E6238896F@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: kkolinko Date: Wed Feb 2 15:16:28 2011 New Revision: 1066497 URL: http://svn.apache.org/viewvc?rev=1066497&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325 Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support) Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1066497&r1=1066496&r2=1066497&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Feb 2 15:16:28 2011 @@ -88,15 +88,3 @@ PATCHES PROPOSED TO BACKPORT: The updated patch fixes a race condition. We can stall this item until we get some feedback about 7.0.5. -1: - -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325 - Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 - support) - http://svn.apache.org/viewvc?rev=1065859&view=rev - +1: markt, kkolinko, funkman - -1: - kkolinko: - I think it would be better to do not change visibility of - defaultProtocol, defaultKeystoreType, though I do not see much - concerns against it. - markt: Happy to exclude those changes Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1066497&r1=1066496&r2=1066497&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed Feb 2 15:16:28 2011 @@ -26,7 +26,9 @@ import java.net.InetAddress; import java.net.ServerSocket; import java.net.Socket; import java.net.SocketException; +import java.security.KeyManagementException; import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.security.cert.CRL; import java.security.cert.CRLException; @@ -82,6 +84,8 @@ public class JSSESocketFactory private static StringManager sm = StringManager.getManager("org.apache.tomcat.util.net.jsse.res"); + private static final boolean RFC_5746_SUPPORTED; + // defaults static String defaultProtocol = "TLS"; static boolean defaultClientAuth = false; @@ -95,6 +99,28 @@ public class JSSESocketFactory static org.apache.juli.logging.Log log = org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class); + static { + boolean result = false; + SSLContext context; + try { + context = SSLContext.getInstance("TLS"); + context.init(null, null, new SecureRandom()); + SSLServerSocketFactory ssf = context.getServerSocketFactory(); + String ciphers[] = ssf.getSupportedCipherSuites(); + for (String cipher : ciphers) { + if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) { + result = true; + break; + } + } + } catch (NoSuchAlgorithmException e) { + // Assume no RFC 5746 support + } catch (KeyManagementException e) { + // Assume no RFC 5746 support + } + RFC_5746_SUPPORTED = result; + } + protected boolean initialized; protected String clientAuth = "false"; protected SSLServerSocketFactory sslProxy = null; @@ -159,9 +185,9 @@ public class JSSESocketFactory public void handshake(Socket sock) throws IOException { ((SSLSocket)sock).startHandshake(); - - if (!allowUnsafeLegacyRenegotiation) { - // Prevent futher handshakes by removing all cipher suites + + if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) { + // Prevent further handshakes by removing all cipher suites ((SSLSocket) sock).setEnabledCipherSuites(new String[0]); } } Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1066497&r1=1066496&r2=1066497&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Feb 2 15:16:28 2011 @@ -72,6 +72,12 @@ it more robust. (mturk/kkolinko) + 50325: When the JVM indicates support for RFC 5746, disable + Tomcat's allowUnsafeLegacyRenegotiation configuration + attribute and use the JVM configuration to control renegotiation. + (markt) + + 50631: InternalNioInputBuffer should honor maxHttpHeadSize. (kkolinko) Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1066497&r1=1066496&r2=1066497&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Feb 2 15:16:28 2011 @@ -799,7 +799,13 @@

Is unsafe legacy TLS renegotiation allowed which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's - request. If not specified, a default of false is used.

+ request. If not specified, a default of false is used. This + attribute only has an effect if the JVM does not support RFC 5746 as + indicated by the presence of the pseudo-ciphersuite + TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22 + onwards. Where RFC 5746 is supported the renegotiation - including support + for unsafe legacy renegotiation - is controlled by the JVM configuration. +

--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org