This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new f97e3a24ec Fix Tomcat not sending close_notify with OpenSSLImplementation
f97e3a24ec is described below
commit f97e3a24ecccddcb2b3018fb6626854ac13e70f5
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Aug 30 15:21:08 2024 +0100
Fix Tomcat not sending close_notify with OpenSSLImplementation
---
 .../apache/tomcat/util/net/openssl/OpenSSLEngine.java | 18 +++++++++++-------
 webapps/docs/changelog.xml | 5 +++++
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 0eb7beb55d..914eafb901 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -465,8 +465,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 // If isOutboundDone is set, then the data from the network BIO
 // was the close_notify message -- we are not required to wait
- // for the receipt the peer's close_notify message -- shutdown.
- if (isOutboundDone) {
+ // for the receipt of the peer's close_notify message -- shutdown.
+ if (isOutboundDone()) {
 shutdown();
 }
@@ -637,7 +637,6 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 // Check to see if we received a close_notify message from the peer
 if (!receivedShutdown && (SSL.getShutdown(state.ssl) & SSL.SSL_RECEIVED_SHUTDOWN) == SSL.SSL_RECEIVED_SHUTDOWN) {
 receivedShutdown = true;
- closeOutbound();
 closeInbound();
 }
 if (bytesProduced == 0 && (written == 0 || (written > 0 && !src.hasRemaining() && handshakeFinished))) {
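Review bot: The comment kept above the changed condition in the first hunk (line 465) still reads "If isOutboundDone is set", which describes the field, while the guard now calls the accessor `isOutboundDone()`; if that accessor checks more than the flag (the comment added in the hunk at line 691 suggests it also covers pending outbound data, but its body is not in this diff) the comment under-describes what the guard requires. Suggest rewording it to `// If isOutboundDone() reports the outbound side closed, the data just drained from the network BIO was our close_notify -- we need not wait for the peer's close_notify, so call shutdown().` The enclosing method starts and ends outside this hunk.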
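Review bot: With `closeOutbound()` removed from the received-close_notify branch (hunk at line 637), the engine no longer queues its own close_notify when the peer's arrives; the remaining `closeInbound();` closes only the inbound side (see the hunk at line 691), so sending the reply close_notify now presumably depends on the caller invoking `closeOutbound()` and then `wrap()` once this unwrap reports the close. That contract is recorded nowhere in the hunk, and a future reader is likely to reinsert the removed call. Suggest a comment above `closeInbound();` such as `// Do not call closeOutbound() here: the caller closes the outbound side and wraps the resulting close_notify. Queuing it here let closeInbound()'s shutdown() discard it before it was written.` The enclosing method starts and ends outside this hunk.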
@@ -692,7 +691,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 isInboundDone = true;
 engineClosed = true;
- shutdown();
+ if (isOutboundDone()) {
+ // Only call shutdown if there is no outbound data pending.
+ shutdown();
+ }
 if (accepted != Accepted.NOT && !receivedShutdown) {
 throw new SSLException(sm.getString("engine.inboundClose"));
@@ -1073,13 +1075,15 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 // Check if we are in the shutdown phase
 if (engineClosed) {
- // Waiting to send the close_notify message
 if (SSL.pendingWrittenBytesInBIO(state.networkBIO) != 0) {
+ // Waiting to send the close_notify message
 return SSLEngineResult.HandshakeStatus.NEED_WRAP;
 }
- // Must be waiting to receive the close_notify message
- return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
+ if (!isInboundDone()) {
+ // Must be waiting to receive the close_notify message
+ return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
+ }
 }
 return SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d2366f1bed..798065a138 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -134,6 +134,11 @@
 <code>Rfc6265CookieProcessor</code>. The default behaviour is unchanged.
 (markt)
 </add>
+ <fix>
+ Ensure that Tomcat sends a TLS close_notify message after receiving one
+ from the client when using the <code>OpenSSLImplementation</code>.
+ (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
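Review bot: In the hunk at line 691 the new comment says shutdown() is only called when no outbound data is pending, but the guard tests `isOutboundDone()`, and whether that accessor also inspects the network BIO is not visible in this diff. If it returns only a flag, a close_notify already queued by closeOutbound() but not yet drained by wrap() would still be discarded here, which appears to be the very case this commit fixes. Either make the condition say what the comment says, `if (isOutboundDone() && SSL.pendingWrittenBytesInBIO(state.networkBIO) == 0) {` (ensuring it cannot run after the SSL state has already been freed), or reword the comment to name the guarantee isOutboundDone() actually provides. The method in this hunk (it sets isInboundDone, so presumably closeInbound()) starts and ends outside the hunk.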