Re: svn commit: r687503 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java res/LocalStrings.properties

[Filip Hanik - Dev Lists]

the checkConfig catches a SocketTimeoutException, but the javadoc says
public synchronized void setSoTimeout(int timeout) throws SocketException 
<http://addison-wesley.de/Service/Krueger/javadocs/java.net.SocketException.html#_top_>

Enable/disable SO_TIMEOUT with the specified timeout, in milliseconds. 
With this option set to a non-zero timeout, a call to accept() for this 
ServerSocket will block for only this amount of time. If the timeout 
expires, a *java.io.InterruptedIOExceptio**n* is raised, though the 
ServerSocket is still valid.

this still seems like a hack :)
Filip




[EMAIL PROTECTED] wrote:
Author: markt
Date: Wed Aug 20 16:20:42 2008
New Revision: 687503

URL: http://svn.apache.org/viewvc?rev=687503&view=rev
Log:
Improved fix for 45528 (invalid SSL config).
It is a variation on the previous patch that:
- does the check earlier
- uses an unbound socket so there is no possibility of a client connection
- uses the String manager for the error message
Note: I gave up on the alterntaive javax.crypto.Cipher suggestion as the cipher 
names are different and there is no easy conversion.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=687503&r1=687502&r2=687503&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Wed Aug 20 16:20:42 2008
@@ -26,6 +26,7 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
@@ -428,6 +429,9 @@
                 getEnabledCiphers(requestedCiphers,
                         sslProxy.getSupportedCipherSuites());
 
+            // Check the SSL config is OK
+            checkConfig();
+
         } catch(Exception e) {
             if( e instanceof IOException )
                 throw (IOException)e;
@@ -692,7 +696,7 @@
      * Configures the given SSL server socket with the requested cipher suites,
      * protocol versions, and need for client authentication
      */
-    private void initServerSocket(ServerSocket ssocket) {
+    private void initServerSocket(ServerSocket ssocket) throws IOException {
 
         SSLServerSocket socket = (SSLServerSocket) ssocket;
 
@@ -709,4 +713,33 @@
         configureClientAuth(socket);
     }
 
+    /**
+     * Checks that the cetificate is compatible with the enabled cipher suites.
+     * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+     * See bug 45528.
+     */
+    private void checkConfig() throws IOException {
+        // Create an unbound server socket
+        ServerSocket socket = sslProxy.createServerSocket();
+        initServerSocket(socket);
+
+        // Set the timeout to 1ms as all we care about is if it throws an
+        // exception on accept. 
+        socket.setSoTimeout(1);
+        try {
+            socket.accept();
+            // Will never get here - no client can connect to an unbound port
+        } catch (SSLException ssle) {
+            // SSL configuration is invalid. Possibly cert doesn't match 
ciphers
+            IOException ioe = new IOException(sm.getString(
+                    "jsse.invalid_ssl_conf", ssle.getMessage()));
+            ioe.initCause(ssle);
+            throw ioe;
+        } catch (SocketTimeoutException ste) {
+            // Expected if all is well - do nothing
+        } finally {
+            socket.close();
+        }
+        
+    }
 }

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=687503&r1=687502&r2=687503&view=diff
==============================================================================
--- 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
(original)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
Wed Aug 20 16:20:42 2008
@@ -15,3 +15,4 @@
 
 jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
 jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due 
to {2}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0} 
\ No newline at end of file



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


  


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]