tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r1843542 - in /tomcat/trunk: java/org/apache/tomcat/jni/SSL.java java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java webapps/docs/changelog.xml
Date Thu, 11 Oct 2018 10:18:39 GMT
Author: markt
Date: Thu Oct 11 10:18:39 2018
New Revision: 1843542

URL: http://svn.apache.org/viewvc?rev=1843542&view=rev
Log:
Fix server-initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2
and the OpenSSL backed JSSE TLS implementation.
Prior to this fix, the client would send the certs but the server would not read them and
would time out the request.

Modified:
    tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
    tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Thu Oct 11 10:18:39 2018
@@ -557,6 +557,13 @@ public final class SSL {
     public static native int renegotiate(long ssl);
 
     /**
+     * SSL_renegotiate_pending
+     * @param ssl the SSL instance (SSL *)
+     * @return the operation status
+     */
+    public static native int renegotiatePending(long ssl);
+
+    /**
      * SSL_in_init.
      * @param ssl the SSL instance (SSL *)
      * @return the status
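Review bot: the Javadoc for the new renegotiatePending method does not say what its return value means; "the operation status" gives callers no indication of which value signals a pending renegotiation, yet OpenSSLEngine compares the result with 0. Document it as returning 1 while a renegotiation is pending and 0 otherwise (the semantics of SSL_renegotiate_pending), and add the trailing period the neighbouring entries use (`SSL_in_init.`). Since the native side of this entry point is not part of this changeset, the minimum tomcat-native version that provides it should be recorded alongside the other native method requirements.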

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu Oct 11 10:18:39
2018
@@ -982,7 +982,7 @@ public final class OpenSSLEngine extends
             // No pending data to be sent to the peer
             // Check to see if we have finished handshaking
             int handshakeCount = SSL.getHandshakeCount(ssl);
-            if (handshakeCount != currentHandshake) {
+            if (handshakeCount != currentHandshake && SSL.renegotiatePending(ssl)
== 0) {
                 if (alpn) {
                     selectedProtocol = SSL.getAlpnSelected(ssl);
                     if (selectedProtocol == null) {
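Review bot: the comment directly above the changed condition (`// Check to see if we have finished handshaking`) no longer describes it, since the handshake is now only treated as finished when the handshake counter has advanced and OpenSSL reports no pending renegotiation. Update it to something like `// Check to see if we have finished handshaking and no renegotiation is pending` so the reason for the extra check is preserved. Because `SSL.renegotiatePending` is a newly declared native method called unconditionally on this path, a tomcat-native library that does not provide it will fail here at the first handshake-status check rather than at startup; if older native libraries remain supported, guard the call or state the version requirement.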
@@ -994,7 +994,7 @@ public final class OpenSSLEngine extends
                 return SSLEngineResult.HandshakeStatus.FINISHED;
             }
 
-            // No pending data and still handshaking
+            // No pending data and still handshaking / renegotiation pending
             // Must be waiting on the peer to send more data
             return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
         }

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 11 10:18:39 2018
@@ -127,6 +127,11 @@
         implementation that prevented from secure WebSocket connections from
         being established. (markt)
       </fix>
+      <fix>
+        Fix server initiated TLS renegotiation to obtain a client certificate
+        when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
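Review bot: the new changelog entry does not mention that the fix depends on a new native entry point (`SSL_renegotiate_pending`), so users updating only the Java side will not know a matching tomcat-native build is required; add that requirement to the entry. Minor: hyphenate `server-initiated`.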
