Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/11/29 21:27:44 UTC
svn commit: r1847765 - in /tomcat/trunk:
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
webapps/docs/changelog.xml
Author: markt
Date: Thu Nov 29 21:27:43 2018
New Revision: 1847765
URL: http://svn.apache.org/viewvc?rev=1847765&view=rev
Log:
Avoid hang with TLS 1.0 and NIO/NIO2+OpenSSL 1.1.1
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1847765&r1=1847764&r2=1847765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu Nov 29 21:27:43 2018
@@ -145,6 +145,7 @@ public final class OpenSSLEngine extends
// Use an invalid cipherSuite until the handshake is completed
// See http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#getSession()
+ private volatile String version;
private volatile String cipher;
private volatile String applicationProtocol;
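Review bot: The new `version` field is declared between the comment `// Use an invalid cipherSuite until the handshake is completed` and the `cipher` field that comment describes, so the comment now reads as if it documented `version`. Either move the declaration below `applicationProtocol` or give it its own comment, e.g. `// Negotiated protocol version as reported by SSL.getVersion(); null until the handshake has finished`. Its lifecycle is worth stating because it gates the TLS 1.0 workaround in pendingReadableBytesInSSL. The enclosing class declaration begins before this hunk.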
@@ -632,7 +633,7 @@ public final class OpenSSLEngine extends
throws SSLException {
// NOTE: Calling a fake read is necessary before calling pendingReadableBytesInSSL because
// SSL_pending will return 0 if OpenSSL has not started the current TLS record
- // See https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
+ // See https://www.openssl.org/docs/manmaster/man3/SSL_pending.html
clearLastError();
int lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0); // priming read
// check if SSL_read returned <= 0. In this case we need to check the error and see if it was something
@@ -640,7 +641,22 @@ public final class OpenSSLEngine extends
if (lastPrimingReadResult <= 0) {
checkLastError();
}
- return SSL.pendingReadableBytesInSSL(ssl);
+ int pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+
+ // TLS 1.0 needs additional handling
+ // TODO Figure out why this is necessary and if a simpler / better
+ // solution is available
+ if (Constants.SSL_PROTO_TLSv1.equals(version) && lastPrimingReadResult == 0 &&
+ pendingReadableBytesInSSL == 0) {
+ // Perform another priming read
+ lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0);
+ if (lastPrimingReadResult <= 0) {
+ checkLastError();
+ }
+ pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+ }
+
+ return pendingReadableBytesInSSL;
}
@Override
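Review bot: The TODO at the top of the added block leaves the reason for the second priming read undocumented, and the most plausible cause should be confirmed and recorded: for TLS 1.0 CBC cipher suites OpenSSL's BEAST countermeasure sends a zero-length application-data record ahead of each real record, so the first `SSL_read` consumes that empty record and `SSL_pending` then reports 0 even though data follows. If that is confirmed, the TODO could become `// TLS 1.0 peers may precede each record with an empty fragment (CBC/BEAST countermeasure); consume it so SSL_pending reflects the real record`. Note that the retry happens exactly once and only when `version` has already been set at handshake completion, so a connection whose `version` is still null, or a peer that emits more than one empty record, could still return 0 here; if the record count cannot be guaranteed, a small bounded loop (at most two or three re-reads) would be more robust than the single re-read. The method's signature is above this hunk.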
@@ -1027,6 +1043,7 @@ public final class OpenSSLEngine extends
}
}
session.lastAccessedTime = System.currentTimeMillis();
+ version = SSL.getVersion(ssl);
handshakeFinished = true;
return SSLEngineResult.HandshakeStatus.FINISHED;
}
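Review bot: `version` is assigned only on this FINISHED path, immediately before `handshakeFinished = true`; if the engine can mark the handshake finished anywhere else (for instance on renegotiation, or when the native side reports the handshake already complete), `version` remains null and the TLS 1.0 branch in pendingReadableBytesInSSL silently never runs. Consider assigning it at every site that sets `handshakeFinished`, or reading it lazily where it is consumed, e.g. `if (version == null) { version = SSL.getVersion(ssl); }`, provided SSL.getVersion returns a stable value once the handshake is complete. The enclosing method starts before this hunk.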
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1847765&r1=1847764&r2=1847765&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Nov 29 21:27:43 2018
@@ -128,6 +128,11 @@
<fix>
Avoid bad SSLHostConfig JMX registrations before init. (remm)
</fix>
+ <fix>
+ Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat
+ HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or
+ later. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">