Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/08/26 12:55:26 UTC
svn commit: r1620560 -
/tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
Author: markt
Date: Tue Aug 26 10:55:26 2014
New Revision: 1620560
URL: http://svn.apache.org/r1620560
Log:
Fix threading issue. Multiple threads could, sequentially, create a new
sslContext when there should only be one. Identified by Coverity scan.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
Modified: tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java?rev=1620560&r1=1620559&r2=1620560&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/socket/AprSocketContext.java Tue Aug 26 10:55:26 2014
@@ -133,7 +133,7 @@ public class AprSocketContext {
/**
* SSL context.
*/
- private long sslCtx = 0;
+ private volatile long sslCtx = 0;
TlsCertVerifier tlsCertVerifier;
@@ -608,68 +608,69 @@ public class AprSocketContext {
long getSslCtx() throws Exception {
if (sslCtx == 0) {
synchronized (AprSocketContext.class) {
+ if (sslCtx == 0) {
+ boolean serverMode = acceptor != null;
+ sslCtx = SSLContext.make(getRootPool(),
+ sslProtocol,
+ serverMode ? SSL.SSL_MODE_SERVER : SSL.SSL_MODE_CLIENT);
- boolean serverMode = acceptor != null;
- sslCtx = SSLContext.make(getRootPool(),
- sslProtocol,
- serverMode ? SSL.SSL_MODE_SERVER : SSL.SSL_MODE_CLIENT);
+ // SSL.SSL_OP_NO_SSLv3
+ int opts = SSL.SSL_OP_NO_SSLv2 |
+ SSL.SSL_OP_SINGLE_DH_USE;
- // SSL.SSL_OP_NO_SSLv3
- int opts = SSL.SSL_OP_NO_SSLv2 |
- SSL.SSL_OP_SINGLE_DH_USE;
-
- if (!USE_TICKETS || serverMode && ticketKey == null) {
- opts |= SSL.SSL_OP_NO_TICKET;
- }
-
- SSLContext.setOptions(sslCtx, opts);
- // Set revocation
- // SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath);
+ if (!USE_TICKETS || serverMode && ticketKey == null) {
+ opts |= SSL.SSL_OP_NO_TICKET;
+ }
- // Client certificate verification - maybe make it option
- try {
- SSLContext.setCipherSuite(sslCtx, SSLCipherSuite);
+ SSLContext.setOptions(sslCtx, opts);
+ // Set revocation
+ // SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath);
+
+ // Client certificate verification - maybe make it option
+ try {
+ SSLContext.setCipherSuite(sslCtx, SSLCipherSuite);
- if (serverMode) {
- if (ticketKey != null) {
- //SSLExt.setTicketKeys(sslCtx, ticketKey, ticketKey.length);
- }
- if (certFile != null) {
- boolean rc = SSLContext.setCertificate(sslCtx,
- certFile,
- keyFile, null, SSL.SSL_AIDX_DSA);
- if (!rc) {
- throw new IOException("Can't set keys");
+ if (serverMode) {
+ if (ticketKey != null) {
+ //SSLExt.setTicketKeys(sslCtx, ticketKey, ticketKey.length);
}
- }
- SSLContext.setVerify(sslCtx, SSL.SSL_CVERIFY_NONE, 10);
+ if (certFile != null) {
+ boolean rc = SSLContext.setCertificate(sslCtx,
+ certFile,
+ keyFile, null, SSL.SSL_AIDX_DSA);
+ if (!rc) {
+ throw new IOException("Can't set keys");
+ }
+ }
+ SSLContext.setVerify(sslCtx, SSL.SSL_CVERIFY_NONE, 10);
- if (spdyNPN != null) {
- SSLExt.setNPN(sslCtx, spdyNPN, spdyNPN.length);
- }
- } else {
- if (tlsCertVerifier != null) {
- // NONE ?
- SSLContext.setVerify(sslCtx,
- SSL.SSL_CVERIFY_NONE, 10);
+ if (spdyNPN != null) {
+ SSLExt.setNPN(sslCtx, spdyNPN, spdyNPN.length);
+ }
} else {
- SSLContext.setCACertificate(sslCtx,
- "/etc/ssl/certs/ca-certificates.crt",
- "/etc/ssl/certs");
- SSLContext.setVerify(sslCtx,
- SSL.SSL_CVERIFY_REQUIRE, 10);
- }
+ if (tlsCertVerifier != null) {
+ // NONE ?
+ SSLContext.setVerify(sslCtx,
+ SSL.SSL_CVERIFY_NONE, 10);
+ } else {
+ SSLContext.setCACertificate(sslCtx,
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/etc/ssl/certs");
+ SSLContext.setVerify(sslCtx,
+ SSL.SSL_CVERIFY_REQUIRE, 10);
+ }
- if (spdyNPN != null) {
- SSLExt.setNPN(sslCtx, spdyNPN, spdyNPN.length);
+ if (spdyNPN != null) {
+ SSLExt.setNPN(sslCtx, spdyNPN, spdyNPN.length);
+ }
}
+ } catch (IOException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new IOException(e);
}
- } catch (IOException e) {
- throw e;
- } catch (Exception e) {
- throw new IOException(e);
}
// TODO: try release buffers
}
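Review bot: With `sslCtx` now `volatile` (first hunk), the assignment from `SSLContext.make(...)` at the top of the inner `if (sslCtx == 0)` block publishes the native handle before `setOptions`, `setCipherSuite`, `setCertificate` and `setVerify` have run, so a concurrent caller that passes the unsynchronized outer check returns a context that is not yet configured (no option flags, no cipher-suite restriction, library-default verify mode). The same publish-before-configure order means that if any setup call throws, the field keeps pointing at the half-configured context and no later call will retry. Configure a local `long ctx` and make `sslCtx = ctx;` the last statement inside the `try`, as sketched below, so only a fully set-up context is ever visible outside the lock. On the failure path the handle returned by `make` is still not released in either version; if tomcat-native exposes a release call for contexts it belongs in the `catch` arms. `getSslCtx` continues past this hunk, so the `return sslCtx;` that readers hit after the outer check is not visible here.
```java
if (sslCtx == 0) {
    boolean serverMode = acceptor != null;
    // Build and configure a local handle; publish it to the volatile field
    // only once setup has completed, so the unsynchronized outer check can
    // never hand out a context without options/ciphers/verify mode applied.
    long ctx = SSLContext.make(getRootPool(),
            sslProtocol,
            serverMode ? SSL.SSL_MODE_SERVER : SSL.SSL_MODE_CLIENT);
    // … unchanged: opts computation …
    SSLContext.setOptions(ctx, opts);
    try {
        SSLContext.setCipherSuite(ctx, SSLCipherSuite);
        // … unchanged: server/client branches, with every sslCtx argument replaced by ctx …
        sslCtx = ctx;
    } catch (IOException e) {
        throw e;
    } catch (Exception e) {
        throw new IOException(e);
    }
}
```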