Author: kkolinko
Date: Wed Feb 2 15:16:28 2011
New Revision: 1066497
URL: http://svn.apache.org/viewvc?rev=1066497&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support)
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Feb 2 15:16:28 2011
@@ -88,15 +88,3 @@ PATCHES PROPOSED TO BACKPORT:
The updated patch fixes a race condition.
We can stall this item until we get some feedback about 7.0.5.
-1:
-
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
- Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746
- support)
- http://svn.apache.org/viewvc?rev=1065859&view=rev
- +1: markt, kkolinko, funkman
- -1:
- kkolinko:
- I think it would be better to do not change visibility of
- defaultProtocol, defaultKeystoreType, though I do not see much
- concerns against it.
- markt: Happy to exclude those changes
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Wed Feb 2 15:16:28 2011
@@ -26,7 +26,9 @@ import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
+import java.security.KeyManagementException;
import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CRL;
import java.security.cert.CRLException;
@@ -82,6 +84,8 @@ public class JSSESocketFactory
private static StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
+ private static final boolean RFC_5746_SUPPORTED;
+
// defaults
static String defaultProtocol = "TLS";
static boolean defaultClientAuth = false;
@@ -95,6 +99,28 @@ public class JSSESocketFactory
static org.apache.juli.logging.Log log =
org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
+ static {
+ boolean result = false;
+ SSLContext context;
+ try {
+ context = SSLContext.getInstance("TLS");
+ context.init(null, null, new SecureRandom());
+ SSLServerSocketFactory ssf = context.getServerSocketFactory();
+ String ciphers[] = ssf.getSupportedCipherSuites();
+ for (String cipher : ciphers) {
+ if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+ result = true;
+ break;
+ }
+ }
+ } catch (NoSuchAlgorithmException e) {
+ // Assume no RFC 5746 support
+ } catch (KeyManagementException e) {
+ // Assume no RFC 5746 support
+ }
+ RFC_5746_SUPPORTED = result;
+ }
+
protected boolean initialized;
protected String clientAuth = "false";
protected SSLServerSocketFactory sslProxy = null;
@@ -159,9 +185,9 @@ public class JSSESocketFactory
public void handshake(Socket sock) throws IOException {
((SSLSocket)sock).startHandshake();
-
- if (!allowUnsafeLegacyRenegotiation) {
- // Prevent futher handshakes by removing all cipher suites
+
+ if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
+ // Prevent further handshakes by removing all cipher suites
((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
}
}
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Feb 2 15:16:28 2011
@@ -72,6 +72,12 @@
it more robust. (mturk/kkolinko)
</fix>
<fix>
+ <bug>50325</bug>: When the JVM indicates support for RFC 5746, disable
+ Tomcat's <code>allowUnsafeLegacyRenegotiation</code> configuration
+ attribute and use the JVM configuration to control renegotiation.
+ (markt)
+ </fix>
+ <fix>
<bug>50631</bug>: InternalNioInputBuffer should honor
<code>maxHttpHeadSize</code>. (kkolinko)
</fix>
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1066497&r1=1066496&r2=1066497&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Feb 2 15:16:28 2011
@@ -799,7 +799,13 @@
<p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
protocol that allows an attacker to inject arbitrary data into the user's
- request. If not specified, a default of <code>false</code> is used.</p>
+ request. If not specified, a default of <code>false</code> is used. This
+ attribute only has an effect if the JVM does not support RFC 5746 as
+ indicated by the presence of the pseudo-ciphersuite
+ TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
+ onwards. Where RFC 5746 is supported the renegotiation - including
support
+ for unsafe legacy renegotiation - is controlled by the JVM configuration.
+ </p>
</attribute>
</attributes>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
