Author: markt
Date: Thu Apr 28 19:55:02 2016
New Revision: 1741501
URL: http://svn.apache.org/viewvc?rev=1741501&view=rev
Log:
Work around a known issue in OpenSSL
(https://github.com/openssl/openssl/issues/188) that does not permit the TLS
handshake to be failed if the ALPN negotiation fails.
Modified:
tomcat/trunk/java/org/apache/coyote/AbstractProtocol.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/coyote/AbstractProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/AbstractProtocol.java?rev=1741501&r1=1741500&r2=1741501&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/AbstractProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/AbstractProtocol.java Thu Apr 28
19:55:02 2016
@@ -733,10 +733,27 @@ public abstract class AbstractProtocol<S
// Explicitly negotiated the default protocol.
// Obtain a processor below.
} else {
+ // TODO:
+ // OpenSSL 1.0.2's ALPN callback doesn't support
+ // failing the handshake with an error if no
+ // protocol can be negotiated. Therefore, we need
to
+ // fail the connection here. Once this is fixed,
+ // replace the code below with the commented out
+ // block.
+ if (getLog().isDebugEnabled()) {
+ getLog().debug(sm.getString(
+
"abstractConnectionHandler.negotiatedProcessor.fail",
+ negotiatedProtocol));
+ }
+ return SocketState.CLOSED;
+ /*
+ * To replace the code above once OpenSSL 1.1.0 is
+ * used.
// Failed to create processor. This is a bug.
throw new IllegalStateException(sm.getString(
"abstractConnectionHandler.negotiatedProcessor.fail",
negotiatedProtocol));
+ */
}
}
}
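Review bot: the new else branch reports the failure only inside `if (getLog().isDebugEnabled())` before `return SocketState.CLOSED;`, so at any higher log level the connection is closed with no trace. The code being commented out treated this branch as a bug ("Failed to create processor. This is a bug.") and threw; with this change a genuine processor-creation failure and a client ALPN mismatch both take the same silent path. Consider logging at a level that is normally enabled, or separating the two cases so the bug case stays visible. The TODO would also be easier to follow up if it cited the OpenSSL issue named in the log message (https://github.com/openssl/openssl/issues/188) rather than only the version numbers.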
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1741501&r1=1741500&r2=1741501&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Apr 28 19:55:02 2016
@@ -214,6 +214,11 @@
JSSE+OpenSSL with the certificate chain stored in a Java KeyStore.
(markt)
</fix>
+ <fix>
+ Work around <a herf="https://github.com/openssl/openssl/issues/188">a
+ known issue in OpenSSL</a> that does not permit the TLS handshake to be
+ failed if the ALPN negotiation fails. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="WebSocket">
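Review bot: the added `<a>` element in the new `<fix>` entry spells its attribute `herf`; it should be `href`, otherwise the reference to the OpenSSL issue will not become a link when the changelog is rendered.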