You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/09/06 22:06:22 UTC
svn commit: r692721 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt
java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
webapps/docs/changelog.xml
Author: markt
Date: Sat Sep 6 13:06:21 2008
New Revision: 692721
URL: http://svn.apache.org/viewvc?rev=692721&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
Prevent infinite logging loop with invalid SSL config
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Sep 6 13:06:21 2008
@@ -1 +1 @@
-/tomcat/trunk:673796,673820,683982,684001,684081,684234,684269-684270
+/tomcat/trunk:673796,673820,683982,684001,684081,684234,684269-684270,687503,687645
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=692721&r1=692720&r2=692721&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Sep 6 13:06:21 2008
@@ -84,14 +84,6 @@
+1: funkman, remm, fhanik
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
- Improved fix that hopefully addresses previous concerns
- http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?r1=685981&r2=687645&diff_format=h
- http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?r1=656035&r2=687503
- +1: markt, remm, fhanik
- -1:
-
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43327
http://svn.apache.org/viewvc?rev=687755&view=rev
Note use trunk >=r690600 of TC-native to test it as it also needs patches
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=692721&r1=692720&r2=692721&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Sat Sep 6 13:06:21 2008
@@ -421,6 +421,9 @@
enabledCiphers = getEnabledCiphers(requestedCiphers,
sslProxy.getSupportedCipherSuites());
+ // Check the SSL config is OK
+ checkConfig();
+
} catch(Exception e) {
if( e instanceof IOException )
throw (IOException)e;
@@ -695,4 +698,46 @@
configureClientAuth(socket);
}
+ /**
+ * Checks that the certificate is compatible with the enabled cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+ * See bug 45528.
+ */
+ private void checkConfig() throws IOException {
+ // Create an unbound server socket
+ ServerSocket socket = sslProxy.createServerSocket();
+ initServerSocket(socket);
+
+ try {
+ // Set the timeout to 1ms as all we care about is if it throws an
+ // SSLException on accept.
+ socket.setSoTimeout(1);
+
+ socket.accept();
+ // Will never get here - no client can connect to an unbound port
+ } catch (SSLException ssle) {
+ // SSL configuration is invalid. Possibly cert doesn't match ciphers
+ IOException ioe = new IOException(sm.getString(
+ "jsse.invalid_ssl_conf", ssle.getMessage()));
+ ioe.initCause(ssle);
+ throw ioe;
+ } catch (Exception e) {
+ /*
+ * Possible ways of getting here
+ * socket.accept() throws a SecurityException
+ * socket.setSoTimeout() throws a SocketException
+ * socket.accept() throws some other exception (after a JDK change)
+ * In these cases the test won't work so carry on - essentially
+ * the behaviour before this patch
+ * socket.accept() throws a SocketTimeoutException
+ * In this case all is well so carry on
+ */
+ } finally {
+ // Should be open here but just in case
+ if (!socket.isClosed()) {
+ socket.close();
+ }
+ }
+
+ }
}
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=692721&r1=692720&r2=692721&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Sep 6 13:06:21 2008
@@ -42,6 +42,10 @@
<bug>45453</bug>: Remove potential race condition in JDBC Realm.
Based on a patch by Santtu Hyrkk. (markt)
</fix>
+ <fix>
+ <bug>45528</bug>: Add detection for invalid SSL configuration to prevent
+ infinite logging loop on start-up. (markt)
+ </fix>
<add>
<bug>45576</bug>: Add DIGEST support to the JAAS Realm. (markt)
</add>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org