Author: markt Date: Fri Nov 27 20:43:58 2009 New Revision: 884998 URL: http://svn.apache.org/viewvc?rev=884998&view=rev Log: CVE-2009-3555. Provide option to disable legacy SSL renegotiation. Based on Costin's patch for trunk with some modifications. Note an alternative patch is proposed but it requires some of the changes in this patch anyway.
Modified: tomcat/tc5.5.x/trunk/STATUS.txt tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Nov 27 20:43:58 2009 @@ -153,12 +153,6 @@ +1: kkolinko -1: -* Disable TLS renegotiation be default with an option to re-enable it - Based on Costin's patch for trunk with Mark's modifications - http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc5.patch - +1: markt, mturk, kkolinko - -1: - * Align server.xml installed by .exe installer with the one bundled in zip/tgz archives http://people.apache.org/~kkolinko/patches/2009-11-15_Installer_serverxml_tc55.patch Modified: tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java (original) +++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java Fri Nov 27 20:43:58 2009 
@@ -129,6 +129,9 @@ enabledCiphers = getEnabledCiphers(requestedCiphers, sslProxy.getSupportedCipherSuites()); + allowUnsafeLegacyRenegotiation = + "true".equals(attributes.get("allowUnsafeLegacyRenegotiation")); + // Check the SSL config is OK checkConfig(); Modified: tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java (original) +++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java Fri Nov 27 20:43:58 2009 @@ -120,6 +120,9 @@ enabledCiphers = getEnabledCiphers(requestedCiphers, sslProxy.getSupportedCipherSuites()); + allowUnsafeLegacyRenegotiation = + "true".equals(attributes.get("allowUnsafeLegacyRenegotiation")); + // Check the SSL config is OK checkConfig(); Modified: tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java (original) +++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java Fri Nov 27 20:43:58 2009 
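Review bot: The new option is parsed silently in both JSSE13SocketFactory and JSSE14SocketFactory, so an operator who sets `allowUnsafeLegacyRenegotiation="true"` re-opens CVE-2009-3555 without a trace in the logs. Since the two added statements are identical and the field lives in JSSESocketFactory, the parse could be done once there and emit a warning when the unsafe mode is enabled, e.g. `if (allowUnsafeLegacyRenegotiation) log.warn("allowUnsafeLegacyRenegotiation is enabled; clients are exposed to CVE-2009-3555");`. The strict `"true".equals(...)` comparison is the right fail-safe choice, since any other value (including `TRUE`) keeps renegotiation disabled, and that intent is worth a one-line comment so nobody later "fixes" it to a case-insensitive parse. The enclosing method starts and ends outside the hunk.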
@@ -96,7 +96,9 @@ break; } } - socket.setSoTimeout(oldTimeout); + if (!socket.isClosed()) { + socket.setSoTimeout(oldTimeout); + } if (listener.completed == false) { throw new SocketException("SSL Cert handshake timeout"); } Modified: tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Fri Nov 27 20:43:58 2009 @@ -29,6 +29,8 @@ import java.security.KeyStore; import java.util.Vector; +import javax.net.ssl.HandshakeCompletedEvent; +import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; @@ -75,7 +77,8 @@ protected String clientAuth = "false"; protected SSLServerSocketFactory sslProxy = null; protected String[] enabledCiphers; - + protected boolean allowUnsafeLegacyRenegotiation = false; + public JSSESocketFactory () { } @@ -115,6 +118,11 @@ SSLSocket asock = null; try { asock = (SSLSocket)socket.accept(); + if (!allowUnsafeLegacyRenegotiation) { + asock.addHandshakeCompletedListener( + new DisableSslRenegotiation()); + } + configureClientAuth(asock); } catch (SSLException e){ throw new SocketException("SSL handshake error" + e.toString()); 
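Review bot: The `isClosed()` guard before `setSoTimeout` is a check-then-act: the close it anticipates is issued by the new handshake listener in JSSESocketFactory, presumably from whichever thread delivers the HandshakeCompletedEvent, so the socket can still be closed between the test and the call and `setSoTimeout` would throw a bare `SocketException`. Catching the exception is the robust form: `try { socket.setSoTimeout(oldTimeout); } catch (SocketException e) { /* socket closed while we waited; fall through to the completed check */ }`. The surrounding loop reads `listener.completed` after a re-handshake, which looks like the client-certificate path; a comment saying why the socket may now be closed here (`// a renegotiation listener may have closed the socket after the re-handshake`) would make the guard's purpose clear. The enclosing method starts outside the hunk.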
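Review bot: The listener in `acceptSocket` only works if it is registered before the initial handshake completes; with the JSSE implementation `SSLServerSocket.accept()` appears to return before any handshake runs, so this ordering holds, but it is an assumption the code does not state and if it ever fails the first completion event would be the renegotiation itself and would be allowed through. A comment at the `addHandshakeCompletedListener` call would pin the assumption: `// must be attached before the first handshake: the listener treats the first completion as the initial handshake and closes the socket on any later one`. It would also be worth an explicit check that `asock` is not null before attaching, or a note that `accept()` cannot return null, since the listener is attached before `configureClientAuth`. The enclosing method starts and ends outside the hunk.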
@@ -122,6 +130,26 @@ return asock; } + + private static class DisableSslRenegotiation + implements HandshakeCompletedListener { + private volatile boolean completed = false; + + public void handshakeCompleted(HandshakeCompletedEvent event) { + if (completed) { + try { + log.warn("SSL renegotiation is disabled, closing connection"); + event.getSession().invalidate(); + event.getSocket().close(); + } catch (IOException e) { + // ignore + } + } + completed = true; + } + } + + public void handshake(Socket sock) throws IOException { ((SSLSocket)sock).startHandshake(); } @@ -371,7 +399,6 @@ String requestedProtocols = (String) attributes.get("protocols"); setEnabledProtocols(socket, getEnabledProtocols(socket, requestedProtocols)); - // we don't know if client auth is needed - // after parsing the request we may re-handshake configureClientAuth(socket); Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Nov 27 20:43:58 2009 
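Review bot: `DisableSslRenegotiation` closes the connection only after the second handshake has already completed, and HandshakeCompletedListener notifications are, as far as I know, delivered asynchronously by the JSSE implementation, so there is a window in which the request-processing thread may already have read bytes sent after the renegotiation and spliced them onto the pre-renegotiation request that CVE-2009-3555 relies on. That makes this a mitigation rather than a complete fix, and the class should say so in a Javadoc: describe that the first completion is taken as the initial handshake, every later one invalidates the session and closes the socket, and that the close races the worker thread. The `catch (IOException e) { // ignore }` around `close()` should at least record the failure, e.g. `log.debug("Failed to close socket after rejected renegotiation", e);`, since a socket that fails to close is exactly the case where the warning above is misleading. The volatile `completed` flag is read then written without atomicity; that is fine only if events for one socket are delivered one at a time, which is worth stating as an assumption.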
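Review bot: Removing the comment `we don't know if client auth is needed / after parsing the request we may re-handshake` hides the most important operational consequence of this patch: a server-initiated re-handshake to request a client certificate (CLIENT-CERT via a security constraint with `clientAuth="false"` or `"want"`) is a second handshake, and with the default `allowUnsafeLegacyRenegotiation=false` the new listener will close that connection. The comment should be replaced rather than dropped, e.g. `// client auth may still be requested later via a re-handshake; note that re-handshake is rejected unless allowUnsafeLegacyRenegotiation is true`. The `http.xml` description of the attribute should carry the same caveat so operators learn why CLIENT-CERT authentication stopped working after upgrading. The enclosing method starts outside the hunk.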
@@ -101,6 +101,10 @@ <bug>47225</bug>: Fix error in calculation of a buffer length in the mapper. (markt) </fix> + <fix> + CVE-2009-3555. Provide option to disable legacy SSL renegotiation. + (markt/costin) + </fix> </changelog> </subsection> <subsection name="Jasper"> Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml?rev=884998&r1=884997&r2=884998&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml Fri Nov 27 20:43:58 2009 @@ -493,6 +493,13 @@ TrustStore then you are using for the KeyStore.</p> </attribute> + <attribute name="allowUnsafeLegacyRenegotiation" required="false"> + <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose + users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS + protocol that allows an attacker to inject arbitrary data into the user's + request. If not specified, a default of <code>false</code> is used.</p> + </attribute> + </attributes> <p>For more information, see the --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org