Posted to dev@tomcat.apache.org by rj...@apache.org on 2016/03/04 21:25:46 UTC
svn commit: r1733649 - in /tomcat/native/trunk: native/src/sslnetwork.c
native/src/sslutils.c xdocs/miscellaneous/changelog.xml
Author: rjung
Date: Fri Mar 4 20:25:45 2016
New Revision: 1733649
URL: http://svn.apache.org/viewvc?rev=1733649&view=rev
Log:
Improve renegotiation code and make it compatible
with OpenSSL 1.1.0.
Modified:
tomcat/native/trunk/native/src/sslnetwork.c
tomcat/native/trunk/native/src/sslutils.c
tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1733649&r1=1733648&r2=1733649&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Fri Mar 4 20:25:45 2016
@@ -617,6 +617,7 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
tcn_socket_t *s = J2P(sock, tcn_socket_t *);
tcn_ssl_conn_t *con;
int retVal;
+ char peekbuf[1];
UNREFERENCED_STDARGS;
TCN_ASSERT(sock != 0);
@@ -643,6 +644,19 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
if (!SSL_is_init_finished(con->ssl)) {
return APR_EGENERAL;
}
+
+ /* Need to trigger renegotiation handshake by reading.
+ * Peeking 0 bytes actually works.
+ * See: http://marc.info/?t=145493359200002&r=1&w=2
+ */
+ SSL_peek(con->ssl, peekbuf, 0);
+
+ con->reneg_state = RENEG_REJECT;
+
+ if (!SSL_is_init_finished(con->ssl)) {
+ return APR_EGENERAL;
+ }
+
return APR_SUCCESS;
}
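Review bot: The result of the new `SSL_peek(con->ssl, peekbuf, 0);` call is discarded, so a renegotiation that fails outright, or on a non-blocking socket simply cannot complete yet (SSL_ERROR_WANT_READ/WANT_WRITE), is only noticed indirectly by the second `SSL_is_init_finished` check, which cannot tell a fatal handshake error from a handshake that is still in progress. Since a successful zero-length peek presumably returns 0, at least the negative return should be examined, e.g. `int rv = SSL_peek(con->ssl, peekbuf, 0);` followed by `if (rv < 0 && SSL_get_error(con->ssl, rv) != SSL_ERROR_WANT_READ) return APR_EGENERAL;`, so that callers see a definite failure rather than a generic one. The new comment should also record that driving the handshake through a zero-byte read relies on OpenSSL processing pending handshake records inside SSL_peek, which is an implementation detail of the library rather than a documented contract and should be re-verified when the supported OpenSSL range changes. The enclosing renegotiate function starts before this hunk (the `peekbuf` declaration is in the previous hunk of the same function), so whether reneg_state is set to an allowing value before SSL_renegotiate is called cannot be confirmed from here.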
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1733649&r1=1733648&r2=1733649&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Fri Mar 4 20:25:45 2016
@@ -541,20 +541,9 @@ void SSL_callback_handshake(const SSL *s
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
- if ((where & SSL_CB_ACCEPT_LOOP) && con->reneg_state == RENEG_REJECT) {
- int state = SSL_get_state(ssl);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (state == SSL3_ST_SR_CLNT_HELLO_A
- || state == SSL23_ST_SR_CLNT_HELLO_A
-#else
- if (state == TLS_ST_SR_CLNT_HELLO
-#endif
- ) {
- con->reneg_state = RENEG_ABORT;
- /* XXX: rejecting client initiated renegotiation
- */
- }
+ if ((where & SSL_CB_HANDSHAKE_START) &&
+ con->reneg_state == RENEG_REJECT) {
+ con->reneg_state = RENEG_ABORT;
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initated renegotiation. */
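Review bot: The comment kept directly above the new condition still says "check the SSL state machine and move to ABORT if a Client Hello is being read", but the code no longer inspects the state machine at all; it now reacts to `SSL_CB_HANDSHAKE_START`, so the comment is stale. I would rewrite it as `/* If the reneg state is to reject renegotiations, move to ABORT as soon as OpenSSL reports a new handshake starting (SSL_CB_HANDSHAKE_START); this replaces the former check for a Client Hello being read. */`. It is also worth stating in that comment that SSL_CB_HANDSHAKE_START is broader than the old Client Hello check and is raised for any handshake start, so the guard only does what is intended because reneg_state is presumably set to RENEG_REJECT only after the initial handshake has completed (the transition the next comment, just below the hunk, refers to); if a later OpenSSL version signals this callback for events other than a renegotiation, those would be aborted as well. SSL_callback_handshake begins before this hunk, so the `where` mask handling that precedes it is not visible here.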
Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1733649&r1=1733648&r2=1733649&view=diff
==============================================================================
--- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Fri Mar 4 20:25:45 2016
@@ -36,6 +36,10 @@
</section>
<section name="Changes in 1.2.6">
<changelog>
+ <update>
+ Improve renegotiation code and make it compatible with
+ OpenSSL 1.1.0. (rjung)
+ </update>
<scode>
OpenSSL 1.1.0 compatibility updates. (rjung)
</scode>