Author: markt Date: Tue Aug 22 11:03:28 2017 New Revision: 1805752 URL: http://svn.apache.org/viewvc?rev=1805752&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61415 Fix TLS renegotiation with OpenSSL based connections and session caching.
Modified:
tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1805752&r1=1805751&r2=1805752&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Tue Aug 22 11:03:28 2017
@@ -26,6 +26,9 @@ import java.util.concurrent.ConcurrentHa
 */
 public final class SSLContext {
 
+ public static final byte[] DEFAULT_SESSION_ID_CONTEXT =
+ new byte[] { 'd', 'e', 'f', 'a', 'u', 'l', 't' };
+
 /**
 * Create a new SSL context.
 *

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805752&r1=1805751&r2=1805752&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Aug 22 11:03:28 2017
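Review bot: `DEFAULT_SESSION_ID_CONTEXT` is declared `public static final byte[]`, but `final` only freezes the reference, so any code that can see the constant can overwrite the bytes that every OpenSSL context in the process will later receive as its session id context. Because the companion hunks read it from other packages, the realistic options are to keep the array private and expose a method returning `DEFAULT_SESSION_ID_CONTEXT.clone()`, or to accept the exposure and at least document the contract, which the new field currently lacks entirely: `/** Session id context installed on every OpenSSL SSL_CTX; per the callers, OpenSSL requires one to be set when client authentication is used. Treat as read-only. */`. The `char`-literal initializer is correct but hides that the value is the ASCII string "default"; a one-line comment saying so would spare the next reader a decode.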
@@ -543,6 +543,11 @@ public class AprEndpoint extends Abstrac
 SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
 }
 
+ // If client authentication is being used, OpenSSL requires that
+ // this is set so always set it in case an app is configured to require
+ // it
+ SSLContext.setSessionIdContext(ctx, SSLContext.DEFAULT_SESSION_ID_CONTEXT);
+
 long cctx;
 OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
 if (openSslConf != null) {

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?rev=1805752&r1=1805751&r2=1805752&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java Tue Aug 22 11:03:28 2017
@@ -432,7 +432,7 @@ public class SecureNioChannel extends Ni
 //so we can clear it here.
 netOutBuffer.clear();
 //perform the wrap
- getBufHandler().configureWriteBufferForWrite();
+ getBufHandler().configureWriteBufferForRead();
 SSLEngineResult result = sslEngine.wrap(getBufHandler().getWriteBuffer(), netOutBuffer);
 //prepare the results to be written
 netOutBuffer.flip();

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805752&r1=1805751&r2=1805752&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Tue Aug 22 11:03:28 2017
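Review bot: The result of `SSLContext.setSessionIdContext(ctx, SSLContext.DEFAULT_SESSION_ID_CONTEXT)` is discarded, so if the native binding reports failure through a boolean return (OpenSSL's `SSL_CTX_set_session_id_context` does fail for a context longer than its fixed maximum) the endpoint would start with the renegotiation problem this commit fixes still present and nothing in the log to say why. If the method returns a status, check it — `if (!SSLContext.setSessionIdContext(ctx, SSLContext.DEFAULT_SESSION_ID_CONTEXT)) { log.warn(...); }` — and if it is `void` and throws instead, a comment saying so would stop the next reader asking the same question. The new three-line comment would also be more useful if it named the OpenSSL behaviour being worked around, to my reading something like `// OpenSSL refuses to resume a cached session when peer verification is on and no session id context has been set, so set one unconditionally`. The enclosing method begins and ends outside this hunk.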
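Review bot: Switching the write buffer to read mode immediately before `sslEngine.wrap(getBufHandler().getWriteBuffer(), netOutBuffer)` is the right direction for `wrap`, which consumes from its source buffer, but nothing in the hunk puts the buffer back into write mode afterwards, and the changelog entry only mentions OpenSSL connections, so a reader cannot tell whether this path is now expected to leave the write buffer flipped. If the remainder of the enclosing method (which continues beyond the hunk) does not restore it, a later write that assumes write mode would clobber or truncate whatever application data is pending in that buffer; please confirm and add a comment at the changed line such as `// wrap() consumes from the write buffer, so it must be in read mode here`. If this change is needed for JSSE as well as the OpenSSL engine, the changelog entry should say so.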
@@ -428,6 +428,10 @@ public class OpenSSLContext implements o
 }
 
 sessionContext = new OpenSSLSessionContext(ctx);
+ // If client authentication is being used, OpenSSL requires that
+ // this is set so always set it in case an app is configured to
+ // require it
+ sessionContext.setSessionIdContext(SSLContext.DEFAULT_SESSION_ID_CONTEXT);
 sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
 initialized = true;
 } catch (Exception e) {

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805752&r1=1805751&r2=1805752&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Aug 22 11:03:28 2017
@@ -126,6 +126,10 @@
 Improve the warning message when JSSE and OpenSSL configuration styles are mixed on the same <code>SSLHostConfig</code>. (markt)
 </fix>
+ <fix>
+ <bug>61415</bug>: Fix TLS renegotiation with OpenSSL based connections
+ and session caching. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Tribes">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
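Review bot: The new comment above `sessionContext.setSessionIdContext(SSLContext.DEFAULT_SESSION_ID_CONTEXT)` repeats the `AprEndpoint` one word for word without saying what a session id context does or why a fixed value is acceptable for every host configuration; consider `// OpenSSL rejects session resumption when peer verification is enabled and no session id context is set, so install a fixed one regardless of whether client authentication is configured`. The call sits inside the `try` whose `catch (Exception e)` closes the hunk, so a failure here is handled by that catch (outside the hunk) and leaves `initialized` unset, which is the safe outcome but differs from the unchecked call in `AprEndpoint`; that asymmetry deserves a sentence in one of the two comments. The enclosing method starts and ends outside the hunk.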