Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/11 10:18:39 UTC
svn commit: r1843542 - in /tomcat/trunk: java/org/apache/tomcat/jni/SSL.java
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
webapps/docs/changelog.xml
Author: markt
Date: Thu Oct 11 10:18:39 2018
New Revision: 1843542
URL: http://svn.apache.org/viewvc?rev=1843542&view=rev
Log:
Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation.
Prior to this fix, the client would send the certs but the server would not read them and would time out the request.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Thu Oct 11 10:18:39 2018
@@ -557,6 +557,13 @@ public final class SSL {
public static native int renegotiate(long ssl);
/**
+ * SSL_renegotiate_pending
+ * @param ssl the SSL instance (SSL *)
+ * @return the operation status
+ */
+ public static native int renegotiatePending(long ssl);
+
+ /**
* SSL_in_init.
* @param ssl the SSL instance (SSL *)
* @return the status
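Review bot: The Javadoc on the added `renegotiatePending` declaration says only `@return the operation status`, which does not tell the new caller in OpenSSLEngine what comparing the result with 0 means; the underlying `SSL_renegotiate_pending` reports whether a renegotiation is in progress, so `@return 1 if a renegotiation is pending, 0 otherwise` would document the contract that caller relies on. The summary line `SSL_renegotiate_pending` also lacks the trailing period used by the neighbouring `SSL_in_init.` entry. Since this is a `native` declaration, the matching JNI entry point must exist in the native library; if the Java side runs against a native build that lacks it, the first call fails with `UnsatisfiedLinkError` at runtime rather than at startup, so the minimum native version this change requires should presumably be documented alongside it (inferred — the native side is not part of this commit). The enclosing `SSL` class continues outside the hunk.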
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu Oct 11 10:18:39 2018
@@ -982,7 +982,7 @@ public final class OpenSSLEngine extends
// No pending data to be sent to the peer
// Check to see if we have finished handshaking
int handshakeCount = SSL.getHandshakeCount(ssl);
- if (handshakeCount != currentHandshake) {
+ if (handshakeCount != currentHandshake && SSL.renegotiatePending(ssl) == 0) {
if (alpn) {
selectedProtocol = SSL.getAlpnSelected(ssl);
if (selectedProtocol == null) {
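Review bot: The widened condition on the changed `if` line adds a native call whose meaning is not obvious from the `== 0` comparison, and the surrounding comments still only say "Check to see if we have finished handshaking"; a comment above it such as `// A changed handshake count with a renegotiation still pending means the peer's renegotiation messages have not been fully read yet, so keep unwrapping` would record why a new handshake count alone is no longer reported as FINISHED. Note that when the renegotiation is pending the method falls through to NEED_UNWRAP without updating the handshake bookkeeping, so this branch is re-evaluated, and `SSL.renegotiatePending` re-invoked, on every subsequent status check until the renegotiation completes; that is presumably intended, but worth stating in the comment. The enclosing method starts and ends outside the hunk.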
@@ -994,7 +994,7 @@ public final class OpenSSLEngine extends
return SSLEngineResult.HandshakeStatus.FINISHED;
}
- // No pending data and still handshaking
+ // No pending data and still handshaking / renegotiation pending
// Must be waiting on the peer to send more data
return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
}
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 11 10:18:39 2018
@@ -127,6 +127,11 @@
implementation that prevented from secure WebSocket connections from
being established. (markt)
</fix>
+ <fix>
+ Fix server initiated TLS renegotiation to obtain a client certificate
+ when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">