Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/06/26 20:38:37 UTC
[tomcat] 08/10: Avoid possible hang with TLS 1.0 + NIO/NIO2 +
OpenSSL 1.1.1 or later
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit bfc8b58645de2fa69819e90dd096f854e6a6929b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 21:27:31 2019 +0100
Avoid possible hang with TLS 1.0 + NIO/NIO2 + OpenSSL 1.1.1 or later
---
.../apache/tomcat/util/net/openssl/OpenSSLEngine.java | 19 ++++++++++++++++++-
webapps/docs/changelog.xml | 9 +++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 82d5862..e775168 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -145,6 +145,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
// Use an invalid cipherSuite until the handshake is completed
// See http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#getSession()
+ private volatile String version;
private volatile String cipher;
private volatile String applicationProtocol;
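Review bot: The new `version` field is inserted between the existing two-line comment and the `cipher` field that comment describes, so the comment now reads as if it applied to `version`, and `version` itself has no documentation. Either place the field after `applicationProtocol` or give it its own comment, e.g. `// Negotiated protocol version as reported by SSL.getVersion(); null until the handshake completes`. The field appears to be read only by the priming-read workaround and is compared with `Constants.SSL_PROTO_TLSv1` constant-first, so the null-before-handshake state is safe, which is worth stating at the declaration.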
@@ -640,7 +641,22 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
if (lastPrimingReadResult <= 0) {
checkLastError();
}
- return SSL.pendingReadableBytesInSSL(ssl);
+ int pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+
+ // TLS 1.0 needs additional handling
+ // TODO Figure out why this is necessary and if a simpler / better
+ // solution is available
+ if (Constants.SSL_PROTO_TLSv1.equals(version) && lastPrimingReadResult == 0 &&
+ pendingReadableBytesInSSL == 0) {
+ // Perform another priming read
+ lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0);
+ if (lastPrimingReadResult <= 0) {
+ checkLastError();
+ }
+ pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+ }
+
+ return pendingReadableBytesInSSL;
}
@Override
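Review bot: The workaround retries the priming read exactly once, and when the second `SSL.readFromSSL` also returns 0 with nothing pending the method returns that 0 to the caller unchanged, so the condition the hang was observed under can presumably still occur if more than one retry is needed; the TODO comment should say that the retry is deliberately bounded and what the caller sees in that case. Suggested wording in place of the bare "Perform another priming read": `// Retry the priming read once; if it still yields nothing, 0 is returned as-is` and, beside the TODO, a pointer to the OpenSSL 1.1.1 / TLS 1.0 combination from the commit title so the next maintainer can reproduce it. `checkLastError()` is called for a non-positive result on both reads, but a result of 0 that passes that check falls through silently, so the second branch is not an error path and should not be read as one. The enclosing method starts outside this hunk.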
@@ -1027,6 +1043,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
}
}
session.lastAccessedTime = System.currentTimeMillis();
+ version = SSL.getVersion(ssl);
handshakeFinished = true;
return SSLEngineResult.HandshakeStatus.FINISHED;
}
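Review bot: The correctness of the TLS 1.0 check in the priming-read hunk depends on `SSL.getVersion(ssl)` returning a string that is byte-equal to `Constants.SSL_PROTO_TLSv1`; nothing in the commit documents that the native binding uses the same spelling, and a mismatch would silently disable the workaround rather than fail. A one-line comment at this assignment recording the expected format would make the coupling visible, e.g. `// Protocol name as used by the Constants.SSL_PROTO_* values; read by the priming-read path`. The assignment is placed before `handshakeFinished = true`, which is the right order since the read path is gated on the handshake having finished, but that ordering is only implicit and could be noted in the same comment. The enclosing method starts outside this hunk.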
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6266e79..fedb79c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -82,6 +82,15 @@
</add>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat
+ HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or
+ later. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Jasper">
<changelog>
<add>