the check would be as simple as
boolean b = keystore.isKeyEntry(alias);
Filip
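A direct keystore check along the lines Filip suggests, as an added example that is not code from this thread or from Tomcat: it loads the keystore, verifies the alias is a key entry with a valid certificate chain, and compares the private key's algorithm with the enabled cipher suite names. The suite-to-key-type mapping, the class name and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Pre-flight check of a JSSE keystore, run before any server socket is opened. */
public class KeystoreCheck {

    /** Returns null when alias can serve TLS with the given suites, else the reason it cannot. */
    static String check(KeyStore ks, String alias, char[] keyPass, String[] enabledSuites)
            throws Exception {
        if (!ks.containsAlias(alias)) return "alias '" + alias + "' not present in keystore";
        // a trusted-certificate entry has no private key, so it can never serve TLS
        if (!ks.isKeyEntry(alias)) return "alias '" + alias + "' is not a key entry (no private key)";
        // throws UnrecoverableKeyException when keyPass is wrong (a SecretKeyEntry fails the cast)
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) return "no certificate chain for alias '" + alias + "'";
        ((X509Certificate) chain[0]).checkValidity(); // expired or not-yet-valid -> exception
        String keyAlg = key.getAlgorithm();            // "RSA", "EC" or "DSA"
        for (String suite : enabledSuites) {
            // one compatible enabled suite is enough for a handshake to be possible
            if (keyAlg.equals(requiredKeyAlgorithm(suite))) return null;
        }
        return "none of the enabled cipher suites can use a " + keyAlg + " key";
    }

    /** Server key type a TLS 1.0-1.2 suite name authenticates with (simplified mapping, assumed). */
    static String requiredKeyAlgorithm(String suite) {
        String kx = suite.replaceFirst("^(TLS|SSL)_", "").replaceFirst("_WITH_.*$", "");
        if (kx.equals("ECDH_RSA") || kx.endsWith("ECDSA")) return "EC";
        if (kx.endsWith("DSS")) return "DSA";
        if (kx.endsWith("RSA")) return "RSA";
        return "NONE"; // anonymous, PSK and TLS 1.3 names are not tied to a key type here
    }

    // Usage: java KeystoreCheck keystore.jks storepass tomcat keypass TLS_RSA_WITH_AES_128_CBC_SHA ...
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String problem = check(ks, args[2], args[3].toCharArray(),
                java.util.Arrays.copyOfRange(args, 4, args.length));
        System.out.println(problem == null ? "keystore OK" : "keystore problem: " + problem);
    }
}
```

Running it against the keystore from the bug report would report the missing 'tomcat' alias (or the absent private key) at startup, before any accept loop runs.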
Filip Hanik - Dev Lists wrote:
-1: this is a misconfigured keystore. Solution is to fix the keystore.
The SSL-HOW-TO in tomcat is talking about this.
There are a few cases; in this user's case, the 'tomcat' alias is not present.
The keystore in this case doesn't even contain a private key.
The bug report is invalid; the tomcat documentation talks about how to get around this:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Infinite loop is bad, but if we need to validate the keystore, let's validate the keystore. Doing it in the accept() call is not the correct solution,
not even if it is the main accept loop.
Filip
[EMAIL PROTECTED] wrote:
Author: markt
Date: Sun Aug 10 10:24:51 2008
New Revision: 684559
URL: http://svn.apache.org/viewvc?rev=684559&view=rev
Log:
Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528.
Test the SSL socket before returning it to make sure the specified
certificate will work with the specified ciphers.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Sun Aug 10 10:24:51 2008
@@ -26,6 +26,7 @@
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
+import java.net.SocketTimeoutException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CRL;
@@ -692,7 +693,7 @@
* Configures the given SSL server socket with the requested
cipher suites,
* protocol versions, and need for client authentication
*/
- private void initServerSocket(ServerSocket ssocket) {
+ private void initServerSocket(ServerSocket ssocket) throws
IOException {
SSLServerSocket socket = (SSLServerSocket) ssocket;
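Review bot: the new `throws IOException` on initServerSocket turns a configuration problem into an exception every caller must now handle, but the Javadoc directly above it ("Configures the given SSL server socket with the requested cipher suites, protocol versions, and need for client authentication") was not updated; add a @throws line stating that an IOException here means the configured certificate and the enabled cipher suites are incompatible, so callers can log a clear startup error instead of a generic socket failure.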
@@ -704,9 +705,48 @@
setEnabledProtocols(socket, getEnabledProtocols(socket,
requestedProtocols));
+ // Check the SSL config is OK
+ checkSocket(ssocket);
+
// we don't know if client auth is needed -
// after parsing the request we may re-handshake
configureClientAuth(socket);
}
+ /**
+ * Checks that the cetificate is compatible with the enabled
cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty
logging loop.
+ * See bug 45528.
+ */
+ private void checkSocket(ServerSocket socket) throws IOException {
+ int timeout = socket.getSoTimeout();
+ + socket.setSoTimeout(1);
+ Socket s = null;
+ try {
+ s = socket.accept();
+ // No expecting to get here but if we do, at least we
know things
+ // are working.
+ } catch (SSLException ssle) {
+ // Cert doesn't match ciphers
+ IOException ioe =
+ new IOException("Certificate / cipher mismatch");
+ ioe.initCause(ssle);
+ throw ioe;
+ } catch (SocketTimeoutException ste) {
+ // Expected - do nothing
+ } finally {
+ // In case we actually got a connection - close it.
+ if (s != null) {
+ try {
+ s.close();
+ } catch (IOException ioe) {
+ // Ignore
+ }
+ }
+ // Reset the timeout
+ socket.setSoTimeout(timeout);
+ }
+ + }
}
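Review bot: checkSocket() detects the mismatch by calling socket.accept() under a 1 ms SO_TIMEOUT and treating an SSLException as "Certificate / cipher mismatch", which relies on the JSSE implementation raising that error inside accept() rather than on inspecting the configured keystore; a real client that connects inside that window is accepted and then silently closed in the finally block, and any IOException from accept() other than SSLException or SocketTimeoutException escapes unwrapped. Consider validating the keystore itself (the alias exists, is a key entry with a private key, and its key type matches at least one enabled suite) before the server socket is bound; that is deterministic and never touches a client connection. Minor: "cetificate" in the Javadoc should read "certificate".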
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]