Author: markt Date: Tue Apr 17 13:52:22 2018 New Revision: 1829366 URL: http://svn.apache.org/viewvc?rev=1829366&view=rev Log: Prevent unexpected TLS handshake failures caused by errors during a previous handshake that were not correctly cleaned-up when using the NIO or NIO2 connector with the OpenSSLImplementation.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1829366&r1=1829365&r2=1829366&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Tue Apr 17 13:52:22 2018
@@ -630,6 +630,7 @@ public final class OpenSSLEngine extends
 // NOTE: Calling a fake read is necessary before calling pendingReadableBytesInSSL because
 // SSL_pending will return 0 if OpenSSL has not started the current TLS record
 // See https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
+ clearLastError();
 int lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0); // priming read
 // check if SSL_read returned <= 0. In this case we need to check the error and see if it was something
 // fatal.
@@ -884,6 +885,7 @@ public final class OpenSSLEngine extends
 
 private void handshake() throws SSLException {
 currentHandshake = SSL.getHandshakeCount(ssl);
+ clearLastError();
 int code = SSL.doHandshake(ssl);
 if (code <= 0) {
 checkLastError();
@@ -902,6 +904,7 @@ public final class OpenSSLEngine extends
 }
 
 private synchronized void renegotiate() throws SSLException {
+ clearLastError();
 int code = SSL.renegotiate(ssl);
 if (code <= 0) {
 checkLastError();
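Review bot: In the handshake() hunk the new `clearLastError();` is inserted between `SSL.getHandshakeCount(ssl)` and `SSL.doHandshake(ssl)` with no comment, so a later edit could move it or drop it without seeing why it must immediately precede the SSL call whose result is checked. The same applies to the identical insertions in the priming-read hunk (before `SSL.readFromSSL`) and in renegotiate() (before `SSL.renegotiate`). I would add at each site `// Discard any error left by an earlier unchecked SSL call so checkLastError() below reports only this call's failure.` The priming-read hunk sits inside a method whose start and end are outside the hunk, and handshake()/renegotiate() both continue past their hunks.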
@@ -932,6 +935,20 @@ public final class OpenSSLEngine extends
 }
 }
 
+
+ /*
+ * Many calls to SSL methods do not check the last error. Those that do
+ * check the last error need to ensure that any previously ignored error is
+ * cleared prior to the method call else errors may be falsely reported.
+ *
+ * TODO: Check last error after every call to an SSL method and respond
+ * appropriately.
+ */
+ private void clearLastError() {
+ SSL.getLastErrorNumber();
+ }
+
+
 private static long memoryAddress(ByteBuffer buf) {
 return Buffer.address(buf);
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1829366&r1=1829365&r2=1829366&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Apr 17 13:52:22 2018
@@ -77,6 +77,11 @@
 increase in size to one more than the configured limit. Patch provided by usc. (markt)
 </fix>
+ <fix>
+ Prevent unexpected TLS handshake failures caused by errors during a
+ previous handshake that were not correctly cleaned-up when using the NIO
+ or NIO2 connector with the <code>OpenSSLImplementation</code>. (markt)
+ </fix>
 </changelog>
 </subsection>
 </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
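Review bot: clearLastError() discards exactly one error by calling `SSL.getLastErrorNumber()` once, but the OpenSSL error queue is a queue, not a single slot: if the native wrapper maps to ERR_get_error() it pops only the oldest entry, so several stale entries left by the unchecked calls the comment describes would survive and the next checkLastError() could still report a stale error as a handshake failure. Assuming the wrapper returns 0 once the queue is empty, the method should drain it, e.g. `while (SSL.getLastErrorNumber() != 0) { /* discard stale entries */ }`, or use a native ERR_clear_error binding if tomcat-native exposes one. The Javadoc-style comment should also state that the call is per-thread (the OpenSSL error queue is thread-local) so callers know it must run on the thread that performs the subsequent SSL call.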