DO NOT REPLY [Bug 45648] Function 'f:length' not found

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45648





--- Comment #2 from Carlos Costa e Silva <[EMAIL PROTECTED]>  2008-08-20 09:04:29 PST ---
Another note: this problem doesn't happen with tomcat 6.0.16.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DO NOT REPLY [Bug 45653] Tomcat leaks classloader reference, causing java.lang.OutOfMemoryError: PermGen space

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45653





--- Comment #1 from Philip Zuev <[EMAIL PROTECTED]>  2008-08-20 10:52:33 PST ---
Created an attachment (id=22462)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22462)
Jhat memory report

Jhat memory report





DO NOT REPLY [Bug 45648] Function 'f:length' not found

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45648





--- Comment #3 from Carlos Costa e Silva <[EMAIL PROTECTED]>  2008-08-20 11:39:05 PST ---
Deployed a CAS server v3.3 and found this in the logs:

javax.el.ELException: Function 'f:escapeXml' not found
at
org.apache.el.lang.ExpressionBuilder.visit(ExpressionBuilder.java:171)
at org.apache.el.parser.SimpleNode.accept(SimpleNode.java:145)
...





DO NOT REPLY [Bug 45661] New: NioBlockingSelector uses all CPU after a socket connection is killed

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45661

   Summary: NioBlockingSelector uses all CPU after a socket
connection is killed
   Product: Tomcat 6
   Version: 6.0.18
  Platform: PC
OS/Version: Windows XP
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


I have an app which runs an embedded Tomcat with nio connector.
Using Sysinternals TcpView to close a socket connection to a localhost port,
the process spikes to high CPU usage.

After I pause the threads, I find out the NioBlockingSelector.BlockPoller is
causing the high CPU. In this code fragment, the selector.select(1000) returns
without waiting for 1000ms, but the keyCount is zero.

I don't know why selector.select(1000) returns immediately in this case. Maybe
it is a bug in Java, but could this function be changed to prevent the looping in
this case?

public void run() {
    while (run) {
        try {
            events();
            int keyCount = 0;
            try {
                int i = wakeupCounter.get();
                if (i > 0)
                    // a wakeup was requested: poll without blocking
                    keyCount = selector.selectNow();
                else {
                    wakeupCounter.set(-1);
                    // expected to block for up to 1000 ms; in the reported case it
                    // returns at once with keyCount == 0, so the loop spins
                    keyCount = selector.select(1000);
                }
                // ... remainder of the loop body not included in the report


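The report above describes a select(timeout) call that returns at once with zero ready keys, over and over, after a connection is killed. The following is an added example written for this thread, not code from Tomcat or from the reporter: it wraps a Selector, counts consecutive returns that came back empty well before the timeout, and after a threshold rebuilds the selector by re-registering every still-valid key on a fresh one, which is the usual mitigation for a poller that has started spinning. The class name, the SPIN_THRESHOLD value and the "returned in less than half the timeout" heuristic are assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.CancelledKeyException;
import java.nio.channels.SelectableChannel;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.channels.ServerSocketChannel;
import java.util.concurrent.TimeUnit;

/**
 * Wraps a Selector and watches for the pattern in the report: select(timeout)
 * returning 0 keys long before the timeout expires, repeatedly. After
 * SPIN_THRESHOLD consecutive early, empty returns the selector is rebuilt.
 * Hypothetical helper written for this example; not part of Tomcat.
 */
public class SpinGuardedSelector {

    // Consecutive suspicious returns tolerated before a rebuild (assumed value).
    static final int SPIN_THRESHOLD = 512;

    private Selector selector;
    private int spinCount;
    private int rebuilds;

    public SpinGuardedSelector(Selector selector) {
        this.selector = selector;
    }

    /** Like Selector.select(timeoutMs), but counts early, empty returns. */
    public int select(long timeoutMs) throws IOException {
        long start = System.nanoTime();
        int keyCount = selector.select(timeoutMs);
        long elapsedMs = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);

        // A legitimate wakeup() also returns early with 0 keys, but only once;
        // the counter resets on the next normal return, so single wakeups are ignored.
        if (keyCount == 0 && elapsedMs < timeoutMs / 2) {
            if (++spinCount >= SPIN_THRESHOLD) {
                rebuildSelector();
                spinCount = 0;
            }
        } else {
            spinCount = 0;
        }
        return keyCount;
    }

    /** Move every still-valid registration onto a new Selector and close the old one. */
    private void rebuildSelector() throws IOException {
        Selector old = selector;
        Selector fresh = Selector.open();
        for (SelectionKey key : old.keys()) {
            if (!key.isValid()) {
                continue; // cancelled or closed channels are dropped, not carried over
            }
            try {
                SelectableChannel channel = key.channel();
                int ops = key.interestOps();
                Object attachment = key.attachment();
                key.cancel();
                channel.register(fresh, ops, attachment);
            } catch (CancelledKeyException e) {
                // key was cancelled between the isValid() check and interestOps(); skip it
            }
        }
        selector = fresh;
        old.close();
        rebuilds++;
    }

    public Selector selector() { return selector; }

    public int rebuilds() { return rebuilds; }

    // Minimal usage: one listening channel on an ephemeral port, a few polls with
    // nothing to accept. Each select() blocks the full 100 ms, so no rebuild happens.
    public static void main(String[] args) throws IOException {
        ServerSocketChannel server = ServerSocketChannel.open();
        server.configureBlocking(false);
        server.socket().bind(new InetSocketAddress("127.0.0.1", 0));
        SpinGuardedSelector guarded = new SpinGuardedSelector(Selector.open());
        server.register(guarded.selector(), SelectionKey.OP_ACCEPT);
        for (int i = 0; i < 3; i++) {
            int n = guarded.select(100);
            System.out.println("select returned " + n + " keys, rebuilds so far: " + guarded.rebuilds());
        }
        guarded.selector().close();
        server.close();
    }
}
```

Rebuilding does not explain why the JDK returned early, but it bounds the damage: a poller that would otherwise burn a core until restart recovers on its own, and the rebuild counter is a useful thing to log and alert on. The wrapper assumes the poll loop is the only thread touching the selector's key set, which is the case for a BlockPoller-style thread.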



svn commit: r687503 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java res/LocalStrings.properties

2008-08-20 Thread markt
Author: markt
Date: Wed Aug 20 16:20:42 2008
New Revision: 687503

URL: http://svn.apache.org/viewvc?rev=687503&view=rev
Log:
Improved fix for 45528 (invalid SSL config).
It is a variation on the previous patch that:
- does the check earlier
- uses an unbound socket so there is no possibility of a client connection
- uses the String manager for the error message
Note: I gave up on the alternative javax.crypto.Cipher suggestion as the cipher 
names are different and there is no easy conversion.

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=687503&r1=687502&r2=687503&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Wed Aug 20 16:20:42 2008
@@ -26,6 +26,7 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
@@ -428,6 +429,9 @@
 getEnabledCiphers(requestedCiphers,
 sslProxy.getSupportedCipherSuites());
 
+// Check the SSL config is OK
+checkConfig();
+
 } catch(Exception e) {
 if( e instanceof IOException )
 throw (IOException)e;
@@ -692,7 +696,7 @@
  * Configures the given SSL server socket with the requested cipher suites,
  * protocol versions, and need for client authentication
  */
-private void initServerSocket(ServerSocket ssocket) {
+private void initServerSocket(ServerSocket ssocket) throws IOException {
 
 SSLServerSocket socket = (SSLServerSocket) ssocket;
 
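Review bot: the `throws IOException` added to initServerSocket(ServerSocket) in this hunk looks unnecessary: nothing in the visible body (the cast to SSLServerSocket and the configure* calls shown as context) throws a checked IOException, and checkConfig() already declares the exception for createServerSocket() and accept(). Unless a call not shown here needs it, drop the clause so the signature does not widen for every caller.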
@@ -709,4 +713,33 @@
 configureClientAuth(socket);
 }
 
+/**
+ * Checks that the cetificate is compatible with the enabled cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+ * See bug 45528.
+ */
+private void checkConfig() throws IOException {
+// Create an unbound server socket
+ServerSocket socket = sslProxy.createServerSocket();
+initServerSocket(socket);
+
+// Set the timeout to 1ms as all we care about is if it throws an
+// exception on accept. 
+socket.setSoTimeout(1);
+try {
+socket.accept();
+// Will never get here - no client can connect to an unbound port
+} catch (SSLException ssle) {
+// SSL configuration is invalid. Possibly cert doesn't match 
ciphers
+IOException ioe = new IOException(sm.getString(
+"jsse.invalid_ssl_conf", ssle.getMessage()));
+ioe.initCause(ssle);
+throw ioe;
+} catch (SocketTimeoutException ste) {
+// Expected if all is well - do nothing
+} finally {
+socket.close();
+}
+
+}
 }
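Review bot: checkConfig() catches only SSLException and SocketTimeoutException, so any other IOException from accept() on the unbound socket, for instance a SocketException from a JSSE implementation that enforces the "socket is not bound" check in ServerSocket.accept(), propagates out of init() as a raw error and breaks startup instead of reporting an invalid configuration. Catch SocketException (or IOException) as well and either treat it as "check inconclusive" or wrap it in the same jsse.invalid_ssl_conf message. Two smaller points: the SocketTimeoutException catch is correct even though the setSoTimeout javadoc speaks of InterruptedIOException, because SocketTimeoutException is its subclass; and the comment reads "cetificate" for "certificate".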

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=687503&r1=687502&r2=687503&view=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
(original)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
Wed Aug 20 16:20:42 2008
@@ -15,3 +15,4 @@
 
 jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
 jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due 
to {2}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0} 
\ No newline at end of file
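Review bot: the added jsse.invalid_ssl_conf line carries a trailing space after {0} and is committed without a final newline (hence the "\ No newline at end of file" marker). Trim the space and end the file with a newline so the next property added here does not produce a noisy diff.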



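The commit log describes detecting an invalid SSL configuration (bug 45528: the server certificate cannot be used with any enabled cipher suite) by accepting on an unbound socket, and notes that the javax.crypto.Cipher route was abandoned because its names differ from cipher-suite names. The block below is an added example for this discussion, not Tomcat code and not the committed approach: it performs the same check by parsing the JSSE cipher-suite names themselves (TLS_ECDHE_RSA_WITH_..., SSL_DHE_DSS_WITH_..., and so on) and comparing the key algorithm each suite needs with the algorithm of the private key in the keystore, so no socket is opened and no accept() timeout is involved. The class and method names are hypothetical, the name-to-key-algorithm mapping is a simplification that covers the standard JSSE naming scheme, and the keystore helper assumes the key entry uses the keystore password.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

/**
 * Startup check for the bug 45528 condition (server key unusable with every enabled
 * cipher suite) done by inspecting names rather than by calling accept() on a socket.
 * Example written for this thread; not Tomcat code.
 */
public class SslConfigCheck {

    /**
     * Key algorithm the suite's authentication needs: "RSA", "DSA", "EC" or "DH";
     * null when any key works (anonymous suites, names without a key-exchange part).
     */
    static String requiredKeyAlgorithm(String suite) {
        int with = suite.indexOf("_WITH_");
        int first = suite.indexOf('_');
        if (with < 0 || first < 0 || first >= with) {
            return null; // e.g. the SCSV pseudo-suite: no certificate type implied
        }
        String kx = suite.substring(first + 1, with); // e.g. ECDHE_RSA, DHE_DSS, RSA
        if (kx.contains("anon")) return null;         // no server certificate at all
        if (kx.startsWith("ECDH_")) return "EC";      // static ECDH: EC key in the cert
        if (kx.startsWith("DH_")) return "DH";        // static DH: DH key in the cert
        if (kx.endsWith("ECDSA")) return "EC";
        if (kx.endsWith("DSS")) return "DSA";
        if (kx.endsWith("RSA")) return "RSA";
        return "UNKNOWN"; // Kerberos and other exotic suites: treated as not usable
    }

    /** Enabled suites that can actually be negotiated with a key of the given algorithm. */
    static List<String> usableSuites(String[] enabled, String keyAlgorithm) {
        List<String> usable = new ArrayList<String>();
        for (String suite : enabled) {
            String needed = requiredKeyAlgorithm(suite);
            if (needed == null || needed.equals(keyAlgorithm)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    /** Fails init with a readable message instead of letting the endpoint loop on accept() errors. */
    static void checkConfig(String[] enabled, String keyAlgorithm) throws IOException {
        if (usableSuites(enabled, keyAlgorithm).isEmpty()) {
            throw new IOException("SSL configuration is invalid: the " + keyAlgorithm
                    + " key cannot be used with any enabled cipher suite");
        }
    }

    /** Algorithm of the private key under alias; assumes the key uses the keystore password. */
    static String keyAlgorithmOf(String keystorePath, char[] password, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        Key key = ks.getKey(alias, password);
        if (key == null) {
            throw new IOException("Alias " + alias + " does not identify a key entry");
        }
        return key.getAlgorithm(); // "RSA", "DSA" or "EC" for the common keystore types
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an RSA server key but only DSS suites enabled (the 45528 shape).
        String[] dssOnly = { "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" };
        String[] mixed = { "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA" };
        System.out.println("usable with RSA key: " + usableSuites(mixed, "RSA"));
        try {
            checkConfig(dssOnly, "RSA");
        } catch (IOException e) {
            System.out.println("rejected at startup: " + e.getMessage());
        }
    }
}
```

In a real endpoint the enabled-suite array would come from getEnabledCiphers() and the key algorithm from keyAlgorithmOf() on the configured keystore and alias, and checkConfig() would run where the commit calls it. Because the check is pure name comparison it needs no "accept" permission under a security manager and cannot be confused by an implementation that rejects accept() on an unbound socket.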



DO NOT REPLY [Bug 45528] Tomcat 6 fails to detect a matching certificate and stuck in an infinite loop

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45528





--- Comment #5 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-20 16:23:22 PST ---
The original patch was rejected. I have just proposed a reworked patch.





DO NOT REPLY [Bug 45653] Tomcat leaks classloader reference, causing java.lang.OutOfMemoryError: PermGen space

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45653


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID




--- Comment #2 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-20 16:30:56 PST ---
This is caused by coding errors in your test application and/or bugs in the
libraries you are using. Please ask on the users list if you need further
assistance.





svn commit: r687506 - in /tomcat: current/tc5.5.x/STATUS.txt tc6.0.x/trunk/STATUS.txt

2008-08-20 Thread markt
Author: markt
Date: Wed Aug 20 16:31:18 2008
New Revision: 687506

URL: http://svn.apache.org/viewvc?rev=687506&view=rev
Log:
Propose fix for 45528

Modified:
tomcat/current/tc5.5.x/STATUS.txt
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=687506&r1=687505&r2=687506&view=diff
==
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Wed Aug 20 16:31:18 2008
@@ -79,3 +79,9 @@
   https://issues.apache.org/bugzilla/show_bug.cgi?id=41407
   +1: markt, fhanik
   -1: 
+
+* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
+  Improved fix that hopefully addresses previous concerns
+  http://svn.apache.org/viewvc?rev=687503&view=rev
+  +1: markt
+  -1: 

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=687506&r1=687505&r2=687506&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Aug 20 16:31:18 2008
@@ -77,7 +77,7 @@
   +1: markt, remm, funkman
   -1: 
 
- * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608
+* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45608
   Prevent race condition for allocate/deallocate in StandardWrapper
   http://svn.apache.org/viewvc?rev=685177&view=rev
   +1: markt
@@ -90,3 +90,8 @@
   +1: funkman
   -1: 
 
+* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45528
+  Improved fix that hopefully addresses previous concerns
+  http://svn.apache.org/viewvc?rev=687503&view=rev
+  +1: markt
+  -1: 






svn commit: r687508 - /tomcat/trunk/java/org/apache/juli/ClassLoaderLogManager.java

2008-08-20 Thread markt
Author: markt
Date: Wed Aug 20 16:36:36 2008
New Revision: 687508

URL: http://svn.apache.org/viewvc?rev=687508&view=rev
Log:
Remove unnecessary casts. Reported by Jens Kapitza in 
https://issues.apache.org/bugzilla/show_bug.cgi?id=45655

Modified:
tomcat/trunk/java/org/apache/juli/ClassLoaderLogManager.java

Modified: tomcat/trunk/java/org/apache/juli/ClassLoaderLogManager.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/juli/ClassLoaderLogManager.java?rev=687508&r1=687507&r2=687508&view=diff
==
--- tomcat/trunk/java/org/apache/juli/ClassLoaderLogManager.java (original)
+++ tomcat/trunk/java/org/apache/juli/ClassLoaderLogManager.java Wed Aug 20 
16:36:36 2008
@@ -135,9 +135,9 @@
 Handler handler = null;
 ClassLoader current = classLoader;
 while (current != null) {
-info = (ClassLoaderLogInfo) 
classLoaderLoggers.get(current);
+info = classLoaderLoggers.get(current);
 if (info != null) {
-handler = (Handler) info.handlers.get(handlerName);
+handler = info.handlers.get(handlerName);
 if (handler != null) {
 break;
 }
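Review bot: dropping the casts in this hunk only compiles if classLoaderLoggers and info.handlers are declared with type arguments (a Map keyed by ClassLoader holding ClassLoaderLogInfo, and a Map from String to Handler); those field declarations are not part of this diff, so please confirm they are already generified in trunk, otherwise `info = classLoaderLoggers.get(current);` and `handler = info.handlers.get(handlerName);` fail to compile.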
@@ -174,7 +174,7 @@
 public synchronized Logger getLogger(final String name) {
 ClassLoader classLoader = Thread.currentThread()
 .getContextClassLoader();
-return (Logger) getClassLoaderInfo(classLoader).loggers.get(name);
+return getClassLoaderInfo(classLoader).loggers.get(name);
 }
 
 
@@ -198,7 +198,7 @@
 public String getProperty(String name) {
 ClassLoader classLoader = Thread.currentThread()
 .getContextClassLoader();
-String prefix = (String) this.prefix.get();
+String prefix = this.prefix.get();
 if (prefix != null) {
 name = prefix + name;
 }
@@ -210,7 +210,7 @@
 if ((result == null) && (info.props.isEmpty())) {
 ClassLoader current = classLoader.getParent();
 while (current != null) {
-info = (ClassLoaderLogInfo) classLoaderLoggers.get(current);
+info = classLoaderLoggers.get(current);
 if (info != null) {
 result = info.props.getProperty(name);
 if ((result != null) || (!info.props.isEmpty())) {
@@ -265,8 +265,7 @@
 if (classLoader == null) {
 classLoader = ClassLoader.getSystemClassLoader();
 }
-ClassLoaderLogInfo info = (ClassLoaderLogInfo) classLoaderLoggers
-.get(classLoader);
+ClassLoaderLogInfo info = classLoaderLoggers.get(classLoader);
 if (info == null) {
 final ClassLoader classLoaderParam = classLoader;
 AccessController.doPrivileged(new PrivilegedAction() {
@@ -279,7 +278,7 @@
 return null;
 }
 });
-info = (ClassLoaderLogInfo) classLoaderLoggers.get(classLoader);
+info = classLoaderLoggers.get(classLoader);
 }
 return info;
 }
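Review bot: this hunk removes the cast on `classLoaderLoggers.get(classLoader)` but leaves the raw `new PrivilegedAction() {` in the context lines, which still produces an unchecked warning; since the action only does `return null;`, declaring it as PrivilegedAction<Void> would finish the cleanup this commit is doing.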
@@ -362,8 +361,7 @@
 protected void readConfiguration(InputStream is, ClassLoader classLoader)
 throws IOException {
 
-ClassLoaderLogInfo info = 
-(ClassLoaderLogInfo) classLoaderLoggers.get(classLoader);
+ClassLoaderLogInfo info = classLoaderLoggers.get(classLoader);
 
 try {
 info.props.load(is);
@@ -503,8 +501,7 @@
 nextName = name.substring(0, dotIndex);
 name = name.substring(dotIndex + 1);
 }
-LogNode childNode = (LogNode) currentNode.children
-.get(nextName);
+LogNode childNode = currentNode.children.get(nextName);
 if (childNode == null) {
 childNode = new LogNode(currentNode);
 currentNode.children.put(nextName, childNode);






DO NOT REPLY [Bug 45655] check permission

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45655


Mark Thomas <[EMAIL PROTECTED]> changed:

   What|Removed |Added

 Status|NEW |NEEDINFO




--- Comment #1 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-20 16:38:17 PST ---
I've cleaned up the casts but your changes to the security code result in
functional changes. Was this intended? If so, please explain why the current
functionality is incorrect.





DO NOT REPLY [Bug 45652] XSS patch for EL

2008-08-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=45652





--- Comment #2 from Mark Thomas <[EMAIL PROTECTED]>  2008-08-20 16:41:04 PST ---
I don't see a need for this to be a system property. It should be another
parameter on the JSP Servlet like trimSpaces. Could you re-work the patch?





[Tomcat Wiki] Update of "PoweredBy" by gustavohipolito

2008-08-20 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The following page has been changed by gustavohipolito:
http://wiki.apache.org/tomcat/PoweredBy

--
  = WasHeilt =
  [http://www.washeilt.de WasHeilt] platform for experiences with alternative 
medicine (German) 
  
+ = Opticalhost =
+ http://opticalhost.com.br/imagens/topo2/canto01_topo.gif
+ [http://www.opticalhost.com.br/ Opticalhost - Soluçoes para o seu site] 
provides webhosting with JSP/Servlets support using Tomcat.
+ 
  
  [[Anchor(surveys)]]
  == Surveys and Other Evidence of Usage ==




Re: svn commit: r687503 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java res/LocalStrings.properties

2008-08-20 Thread Konstantin Kolinko
Hi,

Several comments:
1. There are two glitches, that got carried over from the previous
version of the patch:

a)
> -private void initServerSocket(ServerSocket ssocket) {
> +private void initServerSocket(ServerSocket ssocket) throws IOException {

There is no need to declare throwing an IOException here.

b)
> + * Checks that the cetificate is compatible with the enabled cipher 
> suites.

s/cetificate/certificate/

2. I do not understand how serverSocket.accept() can succeed for an
unbound socket. It bugs me.

from ServerSocket#accept() of jdk 1.5.0_12:

if (!isBound())
throw new SocketException("Socket is not bound yet");

It seems that the specific implementation, SSLServerSocketImpl,
bypasses the check (overwrites the accept() method not calling
super and not reimplementing the check), but it looks more like
a bug in this specific JDK implementation than a design decision.

Also, in this operation the server port is checked through the
security manager for an "accept" permission. Some configurations
might need adjusting.


Best regards,
Konstantin Kolinko

2008/8/21  <[EMAIL PROTECTED]>:
> Author: markt
> Date: Wed Aug 20 16:20:42 2008
> New Revision: 687503
>
> URL: http://svn.apache.org/viewvc?rev=687503&view=rev
> Log:
> Improved fix for 45528 (invalid SSL config).
> It is a variation on the previous patch that:
> - does the check earlier
> - uses an unbound socket so there is no possibility of a client connection
> - uses the String manager for the error message
> Note: I gave up on the alternative javax.crypto.Cipher suggestion as the 
> cipher names are different and there is no easy conversion.
>
> Modified:
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
>
> Modified: 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=687503&r1=687502&r2=687503&view=diff
> ==
> --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
> (original)
> +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
> Wed Aug 20 16:20:42 2008
> @@ -26,6 +26,7 @@
>  import java.net.ServerSocket;
>  import java.net.Socket;
>  import java.net.SocketException;
> +import java.net.SocketTimeoutException;
>  import java.security.KeyStore;
>  import java.security.SecureRandom;
>  import java.security.cert.CRL;
> @@ -428,6 +429,9 @@
> getEnabledCiphers(requestedCiphers,
> sslProxy.getSupportedCipherSuites());
>
> +// Check the SSL config is OK
> +checkConfig();
> +
> } catch(Exception e) {
> if( e instanceof IOException )
> throw (IOException)e;
> @@ -692,7 +696,7 @@
>  * Configures the given SSL server socket with the requested cipher 
> suites,
>  * protocol versions, and need for client authentication
>  */
> -private void initServerSocket(ServerSocket ssocket) {
> +private void initServerSocket(ServerSocket ssocket) throws IOException {
>
> SSLServerSocket socket = (SSLServerSocket) ssocket;
>
> @@ -709,4 +713,33 @@
> configureClientAuth(socket);
> }
>
> +/**
> + * Checks that the cetificate is compatible with the enabled cipher 
> suites.
> + * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
> + * See bug 45528.
> + */
> +private void checkConfig() throws IOException {
> +// Create an unbound server socket
> +ServerSocket socket = sslProxy.createServerSocket();
> +initServerSocket(socket);
> +
> +// Set the timeout to 1ms as all we care about is if it throws an
> +// exception on accept.
> +socket.setSoTimeout(1);
> +try {
> +socket.accept();
> +// Will never get here - no client can connect to an unbound port
> +} catch (SSLException ssle) {
> +// SSL configuration is invalid. Possibly cert doesn't match 
> ciphers
> +IOException ioe = new IOException(sm.getString(
> +"jsse.invalid_ssl_conf", ssle.getMessage()));
> +ioe.initCause(ssle);
> +throw ioe;
> +} catch (SocketTimeoutException ste) {
> +// Expected if all is well - do nothing
> +} finally {
> +socket.close();
> +}
> +
> +}
>  }
>
> Modified: 
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
> URL: 
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=687503&r1=687502&r2=687503&view=diff
> ==
> --- 
> tomcat/trunk/ja

Re: svn commit: r687503 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java res/LocalStrings.properties

2008-08-20 Thread Filip Hanik - Dev Lists

the checkConfig catches a SocketTimeoutException, but the javadoc says

public synchronized void setSoTimeout(int timeout) throws SocketException 


Enable/disable SO_TIMEOUT with the specified timeout, in milliseconds. 
With this option set to a non-zero timeout, a call to accept() for this 
ServerSocket will block for only this amount of time. If the timeout 
expires, a java.io.InterruptedIOException is raised, though the 
ServerSocket is still valid.


this still seems like a hack :)
Filip




[EMAIL PROTECTED] wrote:

Author: markt
Date: Wed Aug 20 16:20:42 2008
New Revision: 687503

URL: http://svn.apache.org/viewvc?rev=687503&view=rev
Log:
Improved fix for 45528 (invalid SSL config).
It is a variation on the previous patch that:
- does the check earlier
- uses an unbound socket so there is no possibility of a client connection
- uses the String manager for the error message
Note: I gave up on the alternative javax.crypto.Cipher suggestion as the cipher 
names are different and there is no easy conversion.

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=687503&r1=687502&r2=687503&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Wed Aug 20 16:20:42 2008
@@ -26,6 +26,7 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
@@ -428,6 +429,9 @@
 getEnabledCiphers(requestedCiphers,
 sslProxy.getSupportedCipherSuites());
 
+// Check the SSL config is OK

+checkConfig();
+
 } catch(Exception e) {
 if( e instanceof IOException )
 throw (IOException)e;
@@ -692,7 +696,7 @@
  * Configures the given SSL server socket with the requested cipher suites,
  * protocol versions, and need for client authentication
  */
-private void initServerSocket(ServerSocket ssocket) {
+private void initServerSocket(ServerSocket ssocket) throws IOException {
 
 SSLServerSocket socket = (SSLServerSocket) ssocket;
 
@@ -709,4 +713,33 @@

 configureClientAuth(socket);
 }
 
+/**

+ * Checks that the cetificate is compatible with the enabled cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+ * See bug 45528.
+ */
+private void checkConfig() throws IOException {
+// Create an unbound server socket
+ServerSocket socket = sslProxy.createServerSocket();
+initServerSocket(socket);
+
+// Set the timeout to 1ms as all we care about is if it throws an
+// exception on accept. 
+socket.setSoTimeout(1);

+try {
+socket.accept();
+// Will never get here - no client can connect to an unbound port
+} catch (SSLException ssle) {
+// SSL configuration is invalid. Possibly cert doesn't match 
ciphers
+IOException ioe = new IOException(sm.getString(
+"jsse.invalid_ssl_conf", ssle.getMessage()));
+ioe.initCause(ssle);
+throw ioe;
+} catch (SocketTimeoutException ste) {
+// Expected if all is well - do nothing
+} finally {
+socket.close();
+}
+
+}

 }

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=687503&r1=687502&r2=687503&view=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
(original)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties 
Wed Aug 20 16:20:42 2008
@@ -15,3 +15,4 @@
 
 jsse.alias_no_key_entry=Alias name {0} does not identify a key entry

 jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due 
to {2}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0} 
\ No newline at end of file



