Author: markt Date: Tue May 19 11:02:24 2015 New Revision: 1680246 URL: http://svn.apache.org/r1680246 Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57931 Ensure that the TLS connection is closed cleanly so that the client receives the appropriate error code when the connection is terminated due to invalid / missing client cert (or any other reason during the handshake)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java
tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1680246&r1=1680245&r2=1680246&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Tue May 19 11:02:24 2015
@@ -93,6 +93,7 @@ channel.nio.ssl.remainingDataDuringClose
 channel.nio.ssl.pendingWriteDuringClose=Pending write, so remaining data in the network buffer, can't send SSL close message, force a close with close(true) instead
 channel.nio.ssl.invalidCloseState=Invalid close state, will not send network data.
 channel.nio.ssl.unwrapFail=Unable to unwrap data, invalid status [{0}]
+channel.nio.ssl.wrapException=Handshake failed during wrap
 channel.nio.ssl.wrapFail=Unable to wrap data, invalid status [{0}]
 channel.nio.ssl.incompleteHandshake=Handshake incomplete, you must complete handshake before reading data.
 channel.nio.ssl.closing=Channel is in closing state.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java?rev=1680246&r1=1680245&r2=1680246&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java Tue May 19 11:02:24 2015
@@ -223,10 +223,19 @@ public class SecureNio2Channel extends N
 }
 case NEED_WRAP: {
 //perform the wrap function
- handshake = handshakeWrap();
- if (handshake.getStatus() == Status.OK){
+ try {
+ handshake = handshakeWrap();
+ } catch (SSLException e) {
+ if (log.isDebugEnabled()) {
+ log.debug("channel.nio.ssl.wrapException", e);
+ }
+ handshake = handshakeWrap();
+ }
+ if (handshake.getStatus() == Status.OK) {
 if (handshakeStatus == HandshakeStatus.NEED_TASK)
 handshakeStatus = tasks();
+ } else if (handshake.getStatus() == Status.CLOSED) {
+ return -1;
 } else {
 //wrap should always work with our buffers
 throw new IOException(sm.getString("channel.nio.ssl.unexpectedStatusDuringWrap", handshake.getStatus()));
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?rev=1680246&r1=1680245&r2=1680246&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java Tue May 19 11:02:24 2015
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
 import javax.net.ssl.SSLEngineResult.Status;
+import javax.net.ssl.SSLException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -76,7 +77,6 @@ public class SecureNioChannel extends Ni
 netOutBuffer = ByteBuffer.allocateDirect(DEFAULT_NET_BUFFER_SIZE);
 }
- // selector pool for blocking operations
 this.pool = pool;
 this.endpoint = endpoint;
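Review bot: The new catch block passes the raw message key to the logger, `log.debug("channel.nio.ssl.wrapException", e);`, so the text added to LocalStrings.properties in this same commit is never used, while the throw a few lines below resolves its key through `sm.getString(...)`; the call should be `log.debug(sm.getString("channel.nio.ssl.wrapException"), e);`. The same line appears in the SecureNioChannel hunk at `@@ -181,10 +181,20 @@`. The second `handshake = handshakeWrap();` inside the catch also deserves a comment, because re-wrapping after an SSLException is not obviously intentional — something like `// the failed wrap leaves the engine holding the alert for the peer; wrap again so it is produced and the client gets the real error rather than a dropped connection`. Unlike the NIO hunk, the `return -1;` on Status.CLOSED here does not flush netOutBuffer first, so if nothing outside this hunk writes the buffered alert the client still sees only a reset, which is what the commit sets out to fix. The enclosing handshake method starts and ends outside the hunk.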
@@ -181,10 +181,20 @@ public class SecureNioChannel extends Ni
 }
 case NEED_WRAP: {
 //perform the wrap function
- handshake = handshakeWrap(write);
- if ( handshake.getStatus() == Status.OK ){
+ try {
+ handshake = handshakeWrap(write);
+ } catch (SSLException e) {
+ if (log.isDebugEnabled()) {
+ log.debug("channel.nio.ssl.wrapException", e);
+ }
+ handshake = handshakeWrap(write);
+ }
+ if (handshake.getStatus() == Status.OK) {
 if (handshakeStatus == HandshakeStatus.NEED_TASK)
 handshakeStatus = tasks();
+ } else if (handshake.getStatus() == Status.CLOSED) {
+ flush(netOutBuffer);
+ return -1;
 } else {
 //wrap should always work with our buffers
 throw new IOException(sm.getString("channel.nio.ssl.unexpectedStatusDuringWrap", handshake.getStatus()));
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
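Review bot: The result of `flush(netOutBuffer);` on the new Status.CLOSED branch is discarded before `return -1;`, and on a non-blocking channel a partial write would leave the tail of the close alert in netOutBuffer, so the client could still see a truncated handshake instead of the error code this commit is meant to deliver. If `flush` reports whether the buffer was fully written (its definition is outside the hunk), the branch should check that result, or retry the write the way the blocking path is handled elsewhere in this class, before returning. Note also that the reason for the failed wrap — for example a rejected client certificate — is recorded only when debug logging is enabled; if the cause is not reported elsewhere, operators who rely on logs to spot such failures will not see it at the default level. The enclosing handshake method starts and ends outside the hunk.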