It is likely that the entire second handshake can be removed. But I would
have to clone the 1.0.2 branch and look to be sure. The
accept-after-handshake in the code is a work-around for a very old bug
(which used to be in JSSE as well in Java 1.4).
There has been a lot of refactoring on the master branch of OpenSSL recently
regarding the state machine for the SSL object. It is simply not possible
in the public API to do the second handshake in 1.1.0+ anymore.
I knew we had a test case for renegotiate, but didn't realize that it was
disabled for APR. I'll look into enabling it on a local test environment to
see what happens.
"Konstantin Kolinko" wrote in message
news:CABzHfVkC-5yZLADQE=O4ds7=0dontmu2golai_llg8rg2o7...@mail.gmail.com...
2015-11-04 5:25 GMT+03:00 <billbar...@apache.org>:
Author: billbarker
Date: Wed Nov 4 02:25:05 2015
New Revision: 1712457
URL: http://svn.apache.org/viewvc?rev=1712457&view=rev
Log:
Forward port r1712199 align with OpenSSL master. Just deleted the SSLeay
check since any OS I know will raise an UnsatisfiedLinkError if you try to
load this with such an old version when 1.0.2x is required. Otherwise no
change if compiling against 1.0.2x
Modified:
tomcat/native/trunk/native/src/ssl.c
tomcat/native/trunk/native/src/sslnetwork.c
tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/src/sslnetwork.c
URL:
http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1712457&r1=1712456&r2=1712457&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslnetwork.c (original)
+++ tomcat/native/trunk/native/src/sslnetwork.c Wed Nov 4 02:25:05 2015
@@ -650,6 +650,7 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
#endif
return APR_EGENERAL;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_set_state(con->ssl, SSL_ST_ACCEPT);
apr_socket_timeout_get(con->sock, &timeout);
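Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` added before `SSL_set_state(con->ssl, SSL_ST_ACCEPT);` has no matching `#endif` in this hunk, so everything from the state reset through `apr_socket_timeout_get(con->sock, &timeout);` and the loop that follows is now compiled out on 1.1.0+; please check that `timeout` and any other local used only inside that span does not become an unused-variable warning in the 1.1.0+ build, and update the renegotiation sequence comment in this function so it says the `ssl->state = SSL_ST_ACCEPT` / second `SSL_do_handshake()` steps apply only to OpenSSL before 1.1.0.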
@@ -669,14 +670,11 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene
break;
}
con->reneg_state = RENEG_REJECT;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
if (SSL_get_state(con->ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(con->ssl) != TLS_ST_OK) {
-#endif
return APR_EGENERAL;
}
-
+#endif
return APR_SUCCESS;
}
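Review bot: moving the `#endif` below the `SSL_ST_OK` check drops more than the second handshake on 1.1.0+: since the `#if` now opens before `SSL_set_state()`, the `con->reneg_state = RENEG_REJECT;` reset and the post-handshake verification (the deleted `TLS_ST_OK` comparison) are both skipped on 1.1.0+, so the function falls straight through to `return APR_SUCCESS;` with `reneg_state` left at its previous value and without confirming the renegotiation completed. If only the second handshake is meant to go, consider keeping `con->reneg_state = RENEG_REJECT;` outside the `#if` and retaining a completion check for 1.1.0+ (for example via `SSL_is_init_finished(con->ssl)`), or state in the log message that the result is intentionally unchecked there.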
Regarding the above change in SSLSocket.renegotiate()
TCN_IMPLEMENT_CALL(jint, SSLSocket, renegotiate)(TCN_STDARGS,
jlong sock)
As a comment there says,
/* Sequence to renegotiate is
* SSL_renegotiate()
* SSL_do_handshake()
* ssl->state = SSL_ST_ACCEPT
* SSL_do_handshake()
*/
The change is that the second handshake attempt (starting with
ssl->state) is removed on OpenSSL 1.1+.
Can it be removed completely -- on the old library as well? I think
that the first SSL_do_handshake() shall be enough.
Actually we do not have tests for renegotiation, as
org.apache.tomcat.util.net.TesterSupport does
    protected static boolean isRenegotiationSupported(Tomcat tomcat) {
        String protocol =
                tomcat.getConnector().getProtocolHandlerClassName();
        if (protocol.contains("Apr")) {
            // Disabled by default in 1.1.20 windows binary (2010-07-27)
            return false;
        }
        if (protocol.contains("NioProtocol") ||
                (protocol.contains("Nio2Protocol") && isMacOs())) {
            // Doesn't work on all platforms - see BZ 56448.
            return false;
        }
        return true;
    }
Best regards,
Konstantin Kolinko