Author: markt
Date: Fri Nov 27 20:43:58 2009
New Revision: 884998
URL: http://svn.apache.org/viewvc?rev=884998&view=rev
Log:
CVE-2009-3555. Provide option to disable legacy SSL renegotiation.
Based on Costin's patch for trunk with some modifications.
Note an alternative patch is proposed but it requires some of the changes in
this patch anyway.
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Nov 27 20:43:58 2009
@@ -153,12 +153,6 @@
+1: kkolinko
-1:
-* Disable TLS renegotiation be default with an option to re-enable it
- Based on Costin's patch for trunk with Mark's modifications
- http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc5.patch
- +1: markt, mturk, kkolinko
- -1:
-
* Align server.xml installed by .exe installer with the one bundled in
zip/tgz archives
http://people.apache.org/~kkolinko/patches/2009-11-15_Installer_serverxml_tc55.patch
Modified:
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
Fri Nov 27 20:43:58 2009
@@ -129,6 +129,9 @@
enabledCiphers = getEnabledCiphers(requestedCiphers,
sslProxy.getSupportedCipherSuites());
+ allowUnsafeLegacyRenegotiation =
+
"true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
+
// Check the SSL config is OK
checkConfig();
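Review bot: The assignment `allowUnsafeLegacyRenegotiation = "true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));` is repeated verbatim in JSSE14SocketFactory (the hunk at `@@ -120,6 +120,9 @@`) although the field it sets is declared once in the JSSESocketFactory base class; a protected helper in the base class that reads the attribute would keep the two copies from drifting. The comparison is case-sensitive, so any value other than the exact string "true" leaves the renegotiation listener installed — fail-closed, which is the safe direction, but it deserves a line in the attribute documentation. The enclosing method begins before this hunk.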
Modified:
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
Fri Nov 27 20:43:58 2009
@@ -120,6 +120,9 @@
enabledCiphers = getEnabledCiphers(requestedCiphers,
sslProxy.getSupportedCipherSuites());
+ allowUnsafeLegacyRenegotiation =
+
"true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
+
// Check the SSL config is OK
checkConfig();
Modified:
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java
Fri Nov 27 20:43:58 2009
@@ -96,7 +96,9 @@
break;
}
}
- socket.setSoTimeout(oldTimeout);
+ if (!socket.isClosed()) {
+ socket.setSoTimeout(oldTimeout);
+ }
if (listener.completed == false) {
throw new SocketException("SSL Cert handshake timeout");
}
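Review bot: After the new `if (!socket.isClosed())` guard, `listener.completed == false` is the only failure signal left, so a socket that was closed during the handshake (for instance by the renegotiation listener installed in JSSESocketFactory) is handed back to the caller as if the handshake succeeded whenever `completed` has already been set by then — that part is inferred, since the listener is not in this hunk. Surfacing the closed state explicitly, `if (socket.isClosed()) { throw new SocketException("SSL handshake aborted: socket closed"); }`, would make the caller's failure happen here rather than on the next read. The check and the `setSoTimeout` call are not atomic, so a SocketException from `setSoTimeout` can still escape in a narrow window; that is consistent with the existing exception type, but a comment saying so would help. The enclosing method begins before this hunk.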
Modified:
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Fri Nov 27 20:43:58 2009
@@ -29,6 +29,8 @@
import java.security.KeyStore;
import java.util.Vector;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
@@ -75,7 +77,8 @@
protected String clientAuth = "false";
protected SSLServerSocketFactory sslProxy = null;
protected String[] enabledCiphers;
-
+ protected boolean allowUnsafeLegacyRenegotiation = false;
+
public JSSESocketFactory () {
}
@@ -115,6 +118,11 @@
SSLSocket asock = null;
try {
asock = (SSLSocket)socket.accept();
+ if (!allowUnsafeLegacyRenegotiation) {
+ asock.addHandshakeCompletedListener(
+ new DisableSslRenegotiation());
+ }
+
configureClientAuth(asock);
} catch (SSLException e){
throw new SocketException("SSL handshake error" + e.toString());
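Review bot: Installing `DisableSslRenegotiation` on every accepted socket also terminates server-initiated re-handshakes, such as the one described by the `// after parsing the request we may re-handshake` comment next to `configureClientAuth(socket)` in the last hunk of this file; with the default of `false` that path will now close the connection. That consequence is not visible from this call site and should be stated here, e.g. `// Also aborts server-initiated re-handshakes (see the re-handshake note above configureClientAuth).`, and in the allowUnsafeLegacyRenegotiation attribute documentation. The enclosing method begins before this hunk.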
@@ -122,6 +130,26 @@
return asock;
}
+
+ private static class DisableSslRenegotiation
+ implements HandshakeCompletedListener {
+ private volatile boolean completed = false;
+
+ public void handshakeCompleted(HandshakeCompletedEvent event) {
+ if (completed) {
+ try {
+ log.warn("SSL renegotiation is disabled, closing
connection");
+ event.getSession().invalidate();
+ event.getSocket().close();
+ } catch (IOException e) {
+ // ignore
+ }
+ }
+ completed = true;
+ }
+ }
+
+
public void handshake(Socket sock) throws IOException {
((SSLSocket)sock).startHandshake();
}
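Review bot: The `catch (IOException e) { // ignore }` around `event.getSocket().close()` discards the only evidence that a rejected renegotiation failed to close the connection; at minimum log it, `log.debug("Failed to close socket after rejected renegotiation", e);`. The `log.warn` on the line before is emitted once per connection on which the peer starts a second handshake, so it is a client-controllable log line; debug level or a periodic summary keeps the log usable under load. Because `event.getSession().invalidate()` runs before the close attempt, the session cannot be resumed even if `close()` fails; a one-line comment stating that the ordering is deliberate would stop a later reader from swapping the two calls.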
@@ -371,7 +399,6 @@
String requestedProtocols = (String) attributes.get("protocols");
setEnabledProtocols(socket, getEnabledProtocols(socket,
requestedProtocols));
-
// we don't know if client auth is needed -
// after parsing the request we may re-handshake
configureClientAuth(socket);
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Nov 27
20:43:58 2009
@@ -101,6 +101,10 @@
<bug>47225</bug>: Fix error in calculation of a buffer length in the
mapper. (markt)
</fix>
+ <fix>
+ CVE-2009-3555. Provide option to disable legacy SSL renegotiation.
+ (markt/costin)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml?rev=884998&r1=884997&r2=884998&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml Fri Nov 27
20:43:58 2009
@@ -493,6 +493,13 @@
TrustStore then you are using for the KeyStore.</p>
</attribute>
+ <attribute name="allowUnsafeLegacyRenegotiation" required="false">
+ <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
+ users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
+ protocol that allows an attacker to inject arbitrary data into the user's
+ request. If not specified, a default of <code>false</code> is used.</p>
+ </attribute>
+
</attributes>
<p>For more information, see the