Author: markt
Date: Sat Jan 30 19:14:15 2010
New Revision: 904851

URL: http://svn.apache.org/viewvc?rev=904851&view=rev
Log:
Apply the alternative fix for CVE-2009-3555: SSL MITM

Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=904851&r1=904850&r2=904851&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Sat Jan 30 19:14:15 2010
@@ -86,14 +86,6 @@
   +1: markt, kkolinko
   -1: 
 
-* Alternative fix for CVE-2009-3555 SSL MITN
-  The current patch uses an async callback to close the socket. It is
-  technically possible an attack may succeed before the socket is closed
-  The new patch only logs failed server initiated negotiations.
-  http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch
-  +1: markt, rjung, kkolinko
-  -1: 
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47609
   Implement fail-safe EOL conversion for source distributions
   Based on a patch provided by sebb

Modified: 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=904851&r1=904850&r2=904851&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
 Sat Jan 30 19:14:15 2010
@@ -29,8 +29,6 @@
 import java.security.KeyStore;
 import java.util.Vector;
 
-import javax.net.ssl.HandshakeCompletedEvent;
-import javax.net.ssl.HandshakeCompletedListener;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
@@ -118,11 +116,6 @@
         SSLSocket asock = null;
         try {
              asock = (SSLSocket)socket.accept();
-             if (!allowUnsafeLegacyRenegotiation) {
-                 asock.addHandshakeCompletedListener(
-                         new DisableSslRenegotiation());
-             }
-
              configureClientAuth(asock);
         } catch (SSLException e){
           throw new SocketException("SSL handshake error" + e.toString());
@@ -131,27 +124,13 @@
     }
 
     
-    private static class DisableSslRenegotiation 
-            implements HandshakeCompletedListener {
-        private volatile boolean completed = false;
-     
-        public void handshakeCompleted(HandshakeCompletedEvent event) {
-            if (completed) {
-                try {
-                    log.warn("SSL renegotiation is disabled, closing 
connection");
-                    event.getSession().invalidate();
-                    event.getSocket().close();
-                } catch (IOException e) {
-                    // ignore
-                }
-            }
-            completed = true;
-        }
-    }
-
-
     public void handshake(Socket sock) throws IOException {
         ((SSLSocket)sock).startHandshake();
+        
+        if (!allowUnsafeLegacyRenegotiation) {
+            // Prevent futher handshakes by removing all cipher suites
+            ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
+        }
     }
 
     /*
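Review bot: The new comment in `handshake()` has a typo (`futher`) and, more importantly, does not say why emptying the cipher-suite list is the CVE-2009-3555 mitigation or what the other side of the contract is; suggest `// CVE-2009-3555 mitigation: with no enabled cipher suites no later renegotiation on this socket can complete, so the session negotiated by startHandshake() above is the only one this connection will use. JSSESupport.handShake() detects this zero-suite state and closes the socket instead of attempting a server-initiated renegotiation.` The double cast `((SSLSocket) sock)` on the two new lines and the line before could be one local, `SSLSocket ssl = (SSLSocket) sock;`, which also makes the intent easier to read. The `allowUnsafeLegacyRenegotiation` field this guard reads is declared outside the hunk; presumably it is the connector attribute of the same name, but that is not visible here.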

Modified: 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=904851&r1=904850&r2=904851&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
 Sat Jan 30 19:14:15 2010
@@ -132,6 +132,16 @@
 
     protected void handShake() throws IOException {
         ssl.setNeedClientAuth(true);
+        
+        if (ssl.getEnabledCipherSuites().length == 0) {
+            // Handshake is never going to be successful.
+            // Assume this is because handshakes are disabled
+            log.warn("SSL server initiated renegotiation is disabled, closing 
connection");
+            ssl.getSession().invalidate();
+            ssl.close();
+            return;
+        }
+
         ssl.startHandshake();
     }
     /**
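Review bot: The new early return in `handShake()` closes and invalidates the socket, but the caller is outside the hunk; if it goes on to use `ssl.getSession()` after this method returns it will be looking at a session this code just invalidated, so confirm the caller tolerates that rather than throwing its own exception on top of the logged warning. The comment `// Assume this is because handshakes are disabled` should name the coupling so the next maintainer does not "fix" one side alone: suggest `// Zero enabled cipher suites means JSSESocketFactory.handshake() disabled renegotiation (allowUnsafeLegacyRenegotiation=false, CVE-2009-3555). A server-initiated renegotiation for client auth can therefore never succeed; close now rather than let startHandshake() fail later.` Minor style point: `ssl.setNeedClientAuth(true)` is applied before the check and is wasted on the closed-socket path; moving it after the early return keeps the guard self-contained.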


