Author: costin
Date: Tue Nov 10 01:02:43 2009
New Revision: 834289

URL: http://svn.apache.org/viewvc?rev=834289&view=rev
Log:
Fix for the SSL MITM issue: disable client renegotiation; on a renegotiation
the connection will be closed.


Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Tue Nov 10 01:02:43 2009
@@ -42,6 +42,8 @@
 import java.util.Vector;
 
 import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.ManagerFactoryParameters;
@@ -93,6 +95,9 @@
     private static final int defaultSessionCacheSize = 0;
     private static final int defaultSessionTimeout = 86400;
     
+    private static final boolean midmMode = 
+        "true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
+    
     static org.apache.juli.logging.Log log =
         org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
 
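Review bot: The new `midmMode` field misspells the acronym that the property it reads already uses (`enable_ssl_mitm_vulnerability`), and the switch carries no explanation of what setting it does; I would rename it to `mitmMode` and document it, e.g. `// Opt-in escape hatch: -Denable_ssl_mitm_vulnerability=true keeps SSL renegotiation allowed (re-opening the MITM hole); by default a renegotiating connection is closed.` Because the value is captured in a `static final` at class initialisation, it cannot be changed without a restart, which the comment should also say so operators do not try to toggle it at runtime.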
@@ -154,12 +159,34 @@
         SSLSocket asock = null;
         try {
              asock = (SSLSocket)socket.accept();
+             if (!midmMode) {
+                 asock.addHandshakeCompletedListener(
+                         new DisableSslRenegotiation());
+             }
              configureClientAuth(asock);
         } catch (SSLException e){
           throw new SocketException("SSL handshake error" + e.toString());
         }
         return asock;
     }
+    
+    private static class DisableSslRenegotiation 
+            implements HandshakeCompletedListener {
+        private volatile boolean completed = false;
+
+        public void handshakeCompleted(HandshakeCompletedEvent event) {
+            if (completed) {
+                try {
+                    log.warn("SSL renegotiation is disabled, closing 
connection");
+                    event.getSocket().close();
+                } catch (IOException e) {
+                    // ignore
+                }
+            }
+            completed = true;
+        }
+    }
+
 
     @Override
     public void handshake(Socket sock) throws IOException {
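Review bot: `DisableSslRenegotiation` only reacts once the second handshake has already completed, so it does not prevent the renegotiation itself, and since JSSE appears to dispatch `HandshakeCompletedEvent` on a separate notifier thread, a request thread may already be consuming post-renegotiation data before `event.getSocket().close()` runs; this makes the listener a best-effort mitigation rather than a hard block, which deserves a class comment stating that limitation. The same listener will also cut any renegotiation Tomcat initiates itself, for example if `handshake(Socket)` below re-handshakes to request a client certificate for CLIENT-CERT authentication (its body lies outside this hunk, so this is inferred), and that path should be verified before the change ships. The empty `// ignore` on the close failure should at least be recorded, `log.debug("Failed to close socket after rejected SSL renegotiation", e);`. `acceptSocket` begins before this hunk.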


