http.xml

kkolinko Mon, 07 Feb 2011 06:17:16 -0800

Author: kkolinko
Date: Mon Feb  7 14:16:42 2011
New Revision: 1067949

URL: http://svn.apache.org/viewvc?rev=1067949&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support)


Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
    tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=1067949&r1=1067948&r2=1067949&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Mon Feb  7 14:16:42 2011
@@ -25,18 +25,6 @@ $Id$
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
-  Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746
-  support)
-  http://svn.apache.org/viewvc?rev=1065859&view=rev
-  +1: markt, kkolinko, pero
-  -1:
-   kkolinko:
-     1) s/for (String cipher : ciphers){/for (int i=0; 
i<ciphers.length;i++){String cipher=ciphers[i];/
-     2) do not change visibility of defaultProtocol, defaultKeystoreType 
-   markt:
-     Happy to include those changes
-
 * Add additional roles to the Admin, Manager and Host-Manager applications
   (admin-gui, admin-script; manager-gui, manager-script, manager-jmx, 
manager-status)
   to allow more fine-grained control over which functionality is accessible,

Modified: 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1067949&r1=1067948&r2=1067949&view=diff
==============================================================================
--- 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
 (original)
+++ 
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
 Mon Feb  7 14:16:42 2011
@@ -26,9 +26,13 @@ import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Vector;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
@@ -77,6 +81,29 @@ public abstract class JSSESocketFactory
     protected String[] enabledCiphers;
     protected boolean allowUnsafeLegacyRenegotiation = false;
 
+    protected static final boolean RFC_5746_SUPPORTED;
+
+    static {
+        boolean result = false;
+        SSLContext context;
+        try {
+            context = SSLContext.getInstance("TLS");
+            context.init(null, null, new SecureRandom());
+            SSLServerSocketFactory ssf = context.getServerSocketFactory();
+            String ciphers[] = ssf.getSupportedCipherSuites();
+            for (String cipher : ciphers) {
+                if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+                    result = true;
+                    break;
+                }
+            }
+        } catch (NoSuchAlgorithmException e) {
+            // Assume no RFC 5746 support
+        } catch (KeyManagementException e) {
+            // Assume no RFC 5746 support
+        }
+        RFC_5746_SUPPORTED = result;
+    }
 
     public JSSESocketFactory () {
     }
@@ -127,7 +154,7 @@ public abstract class JSSESocketFactory
     public void handshake(Socket sock) throws IOException {
         ((SSLSocket)sock).startHandshake();
         
-        if (!allowUnsafeLegacyRenegotiation) {
+        if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
             // Prevent futher handshakes by removing all cipher suites
             ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
         }

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=1067949&r1=1067948&r2=1067949&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Mon Feb  7 
14:16:42 2011
@@ -84,6 +84,12 @@
         Remove <code>JSSE13Factory</code>, <code>JSSE13SocketFactory</code>
         classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko)
       </update>
+      <fix>
+        <bug>50325</bug>: When the JVM indicates support for RFC 5746, disable
+        Tomcat&apos;s <code>allowUnsafeLegacyRenegotiation</code> configuration
+        attribute and use the JVM configuration to control renegotiation.
+        (markt/kkolinko)
+      </fix>
     </changelog>
   </subsection>
 </section>

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml?rev=1067949&r1=1067948&r2=1067949&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/config/http.xml Mon Feb  7 
14:16:42 2011
@@ -512,7 +512,13 @@
       <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
       users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
       protocol that allows an attacker to inject arbitrary data into the user's
-      request. If not specified, a default of <code>false</code> is used.</p>
+      request. If not specified, a default of <code>false</code> is used. This
+      attribute only has an effect if the JVM does not support RFC 5746 as
+      indicated by the presence of the pseudo-ciphersuite
+      TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
+      onwards. Where RFC 5746 is supported the renegotiation - including 
support
+      for unsafe legacy renegotiation - is controlled by the JVM configuration.
+      </p>
     </attribute>
 
   </attributes>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1067949 - in /tomcat/tc5.5.x/trunk: STATUS.txt connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java container/webapps/docs/changelog.xml container/webapps/docs/config/http.xml

Reply via email to