You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/09/06 22:06:22 UTC

svn commit: r692721 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml

Author: markt
Date: Sat Sep  6 13:06:21 2008
New Revision: 692721

URL: http://svn.apache.org/viewvc?rev=692721&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
Prevent infinite logging loop with invalid SSL config

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Sep  6 13:06:21 2008
@@ -1 +1 @@
-/tomcat/trunk:673796,673820,683982,684001,684081,684234,684269-684270
+/tomcat/trunk:673796,673820,683982,684001,684081,684234,684269-684270,687503,687645

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=692721&r1=692720&r2=692721&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Sep  6 13:06:21 2008
@@ -84,14 +84,6 @@
   +1: funkman, remm, fhanik
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
-  Improved fix that hopefully addresses previous concerns
-  http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?r1=685981&r2=687645&diff_format=h
-  http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?r1=656035&r2=687503
-  +1: markt, remm, fhanik
-  -1: 
-
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43327
   http://svn.apache.org/viewvc?rev=687755&view=rev
   Note use trunk >=r690600 of TC-native to test it as it also needs patches

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=692721&r1=692720&r2=692721&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Sat Sep  6 13:06:21 2008
@@ -421,6 +421,9 @@
             enabledCiphers = getEnabledCiphers(requestedCiphers,
                                                sslProxy.getSupportedCipherSuites());
 
+            // Check the SSL config is OK
+            checkConfig();
+
         } catch(Exception e) {
             if( e instanceof IOException )
                 throw (IOException)e;
@@ -695,4 +698,46 @@
         configureClientAuth(socket);
     }
 
+    /**
+     * Checks that the certificate is compatible with the enabled cipher suites.
+     * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+     * See bug 45528.
+     */
+    private void checkConfig() throws IOException {
+        // Create an unbound server socket
+        ServerSocket socket = sslProxy.createServerSocket();
+        initServerSocket(socket);
+
+        try {
+            // Set the timeout to 1ms as all we care about is if it throws an
+            // SSLException on accept. 
+            socket.setSoTimeout(1);
+
+            socket.accept();
+            // Will never get here - no client can connect to an unbound port
+        } catch (SSLException ssle) {
+            // SSL configuration is invalid. Possibly cert doesn't match ciphers
+            IOException ioe = new IOException(sm.getString(
+                    "jsse.invalid_ssl_conf", ssle.getMessage()));
+            ioe.initCause(ssle);
+            throw ioe;
+        } catch (Exception e) {
+            /*
+             * Possible ways of getting here
+             * socket.accept() throws a SecurityException
+             * socket.setSoTimeout() throws a SocketException
+             * socket.accept() throws some other exception (after a JDK change)
+             *      In these cases the test won't work so carry on - essentially
+             *      the behaviour before this patch
+             * socket.accept() throws a SocketTimeoutException
+             *      In this case all is well so carry on
+             */
+        } finally {
+            // Should be open here but just in case
+            if (!socket.isClosed()) {
+                socket.close();
+            }
+        }
+        
+    }
 }

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=692721&r1=692720&r2=692721&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Sep  6 13:06:21 2008
@@ -42,6 +42,10 @@
         <bug>45453</bug>: Remove potential race condition in JDBC Realm.
         Based on a patch by Santtu Hyrkk. (markt)
       </fix>
+      <fix>
+        <bug>45528</bug>: Add detection for invalid SSL configuration to prevent
+        infinite logging loop on start-up. (markt)
+      </fix>
       <add>
         <bug>45576</bug>: Add DIGEST support to the JAAS Realm. (markt)
       </add>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org