Re: [VOTE] Releasing Apache Tomcat Native 1.1.18
On 11/19/2009 08:51 AM, Henri Gomez wrote:
> did you run buildconf ?

jnirelease.sh should have done that...
Investigating...

> I'm running SnowLeopard

I still have to update my box

Cheers

Jean-Frederic

> 2009/11/19 jean-frederic clere:
>> On 11/18/2009 09:43 PM, Henri Gomez wrote:
>>> JF, could you provide a new tarball with the configure included.
>>> I couldn't build it under OS/X since buildconf failed about missing:
>>> cp: /usr/bin/build/apr_common.m4: No such file or directory
>>> cp: /usr/bin/build/find_apr.m4: No such file or directory
>>> cp: /usr/bin/build/install.sh: No such file or directory
>>> cp: /usr/bin/build/config.guess: No such file or directory
>>> cp: /usr/bin/build/config.sub: No such file or directory
>>
>> Weird it works for me.
>> +++
>> macosx:~ jfclere$ uname -a
>> Darwin macosx.gva.redhat.com 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
>> +++
>> Broken apr?
>>
>> Cheers
>>
>> Jean-Frederic

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Releasing Apache Tomcat Native 1.1.18
It works with the update tarball :

I just used :

./configure --with-apr=/usr/bin --with-java-home=/System/Library/Frameworks/JavaVM.framework/Versions/Current/
make

got :

total 2544
-rwxr-xr-x 1 henri staff  186280 19 nov 09:39 libtcnative-1.0.1.18.dylib
drwxr-xr-x 3 henri staff     102 19 nov 09:39 libtcnative-1.0.1.18.dylib.dSYM
lrwxr-xr-x 1 henri staff      26 19 nov 09:39 libtcnative-1.0.dylib -> libtcnative-1.0.1.18.dylib
-rw-r--r-- 1 henri staff 1095088 19 nov 09:39 libtcnative-1.a
lrwxr-xr-x 1 henri staff      26 19 nov 09:39 libtcnative-1.dylib -> libtcnative-1.0.1.18.dylib
lrwxr-xr-x 1 henri staff      19 19 nov 09:39 libtcnative-1.la -> ../libtcnative-1.la
-rw-r--r-- 1 henri staff     907 19 nov 09:39 libtcnative-1.lai

2009/11/19 jean-frederic clere :
> On 11/19/2009 08:51 AM, Henri Gomez wrote:
>> did you run buildconf ?
>
> jnirelease.sh should have done that...
> Investigating...
>
>> I'm running SnowLeopard
>
> I still have to update my box
>
> Cheers
>
> Jean-Frederic
>
>> 2009/11/19 jean-frederic clere:
>>> On 11/18/2009 09:43 PM, Henri Gomez wrote:
>>>> JF, could you provide a new tarball with the configure included.
>>>> I couldn't build it under OS/X since buildconf failed about missing:
>>>> cp: /usr/bin/build/apr_common.m4: No such file or directory
>>>> cp: /usr/bin/build/find_apr.m4: No such file or directory
>>>> cp: /usr/bin/build/install.sh: No such file or directory
>>>> cp: /usr/bin/build/config.guess: No such file or directory
>>>> cp: /usr/bin/build/config.sub: No such file or directory
>>>
>>> Weird it works for me.
>>> +++
>>> macosx:~ jfclere$ uname -a
>>> Darwin macosx.gva.redhat.com 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
>>> +++
>>> Broken apr?
>>>
>>> Cheers
>>>
>>> Jean-Frederic
svn commit: r882085 - /tomcat/native/branches/1.1.x/KEYS
Author: jfclere
Date: Thu Nov 19 09:12:57 2009
New Revision: 882085

URL: http://svn.apache.org/viewvc?rev=882085&view=rev
Log:
Put back the old key.

Modified:
tomcat/native/branches/1.1.x/KEYS

Modified: tomcat/native/branches/1.1.x/KEYS
URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/KEYS?rev=882085&r1=882084&r2=882085&view=diff
==
--- tomcat/native/branches/1.1.x/KEYS (original)
+++ tomcat/native/branches/1.1.x/KEYS Thu Nov 19 09:12:57 2009
@@ -48,6 +48,180 @@ -END PGP PUBLIC KEY BLOCK- Type Bits/KeyID Date User ID +pub 1024D/6210BFC0 2007-03-01 + Key fingerprint = 3A6F 081D DFD3 DE93 02C3 1329 0F45 0A26 6210 BFC0 +uid Jean-Frederic Clere + +-BEGIN PGP PUBLIC KEY BLOCK- +Version: GnuPG v1.4.9 (GNU/Linux) +
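Review bot: the log says "Put back the old key" but the visible hunk only adds a public key block for key ID 6210BFC0 (uid Jean-Frederic Clere); nothing in the diff ties that key to the signatures on the 1.1.18 artifacts currently under vote. The release manager should verify the tarball's detached signature against this exact fingerprint (3A6F 081D DFD3 DE93 02C3 1329 0F45 0A26 6210 BFC0) before the vote closes, and state in the commit log which key the release was signed with, so a reviewer can tell "old key" from a newly introduced one.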
Re: [VOTE] Releasing Apache Tomcat Native 1.1.18
On 11/19/2009 09:41 AM, Henri Gomez wrote:
> It works with the update tarball :

The updated tarball is now available at
http://tomcat.apache.org/dev/dist/tomcat-connectors/native/source/1.1.18/

Cheers

Jean-Frederic
DO NOT REPLY [Bug 48236] New: another workaround for CVE-2009-3555 for the BIO connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=48236

Summary: another workaround for CVE-2009-3555 for the BIO connector
Product: Tomcat 6
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Connectors
AssignedTo: dev@tomcat.apache.org
ReportedBy: hartmut.k...@adnovum.ch

Since Revision 881774 of org/apache/tomcat/util/net/jsse/JSSESocketFactory.java SSL renegotiation can be disabled. That is achieved by a HandshakeCompletedListener. The drawback is that in the JSSE from SUN any HandshakeCompletedListener will be invoked with its own thread. (See com.sun.net.ssl.internal.ssl.SSLSocketImpl or the fragment below.)

Another way of disabling an SSL renegotiation is to set an empty cipher list after the initial handshake:

org.apache.tomcat.util.net.jsse.JSSESocketFactory
...
...
    public void handshake(Socket sock) throws IOException {
        ((SSLSocket)sock).startHandshake();
        if(!allowUnsafeLegacyRenegotiation) {
            // disable all ciphers, avoiding any subsequent handshake
            ((SSLSocket)sock).setEnabledCipherSuites(new String[0]);
        }
    }

Regards
Hartmut

com.sun.net.ssl.internal.ssl.SSLSocketImpl code fragment:

    if (handshaker.isDone()) {
        sess = handshaker.getSession();
        handshaker = null;
        connectionState = cs_DATA;

        //
        // Tell folk about handshake completion, but do
        // it in a separate thread.
        //
        if (handshakeListeners != null) {
            HandshakeCompletedEvent event =
                new HandshakeCompletedEvent(this, sess);

            Thread t = new NotifyHandshakeThread(
                handshakeListeners.entrySet(), event);
            t.start();
        }
    }

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.
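An added example, not the reporter's or Tomcat's code, that combines the two mechanisms the report contrasts: the empty cipher list is the mitigation, while a HandshakeCompletedListener is kept only to detect and log a later handshake, because JSSE invokes it on its own thread and it must not be relied on to close the connection. `RenegotiationGuard` and `HandshakeLogger` are hypothetical names; the `allowUnsafeLegacyRenegotiation` flag is the one from the report.

```java
import java.io.IOException;
import java.net.Socket;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;

/**
 * Constructed example (not Tomcat's code). Runs the initial TLS handshake on
 * an accepted server-side SSLSocket and then applies the bug 48236 idea:
 * with no cipher suites enabled, a later client-initiated handshake cannot
 * negotiate anything and fails inside JSSE, synchronously, on the socket.
 */
public final class RenegotiationGuard {

    private final boolean allowUnsafeLegacyRenegotiation;

    public RenegotiationGuard(boolean allowUnsafeLegacyRenegotiation) {
        this.allowUnsafeLegacyRenegotiation = allowUnsafeLegacyRenegotiation;
    }

    /**
     * Detection only. JSSE fires this on a separate notification thread for
     * every completed handshake, including the first one, so a count above
     * one is what identifies a completed renegotiation on this connection.
     */
    static final class HandshakeLogger implements HandshakeCompletedListener {
        private final AtomicInteger completed = new AtomicInteger();

        @Override
        public void handshakeCompleted(HandshakeCompletedEvent event) {
            int n = completed.incrementAndGet();
            if (n > 1) {
                // Log only; never close or mutate the socket from this thread.
                System.err.println("TLS renegotiation #" + (n - 1)
                        + " completed with " + event.getSocket().getRemoteSocketAddress()
                        + " suite=" + event.getCipherSuite());
            }
        }

        int completedHandshakes() {
            return completed.get();
        }
    }

    /** Server-side handshake step, in the shape of JSSESocketFactory.handshake(). */
    public void handshake(Socket sock) throws IOException {
        SSLSocket ssl = (SSLSocket) sock;
        ssl.addHandshakeCompletedListener(new HandshakeLogger());
        ssl.startHandshake();
        if (!allowUnsafeLegacyRenegotiation) {
            // Mitigation: nothing left to negotiate, so a second ClientHello
            // is answered with a handshake failure instead of a new session.
            ssl.setEnabledCipherSuites(new String[0]);
        }
    }

    /** True once the socket is in the state that refuses renegotiation. */
    public static boolean renegotiationDisabled(SSLSocket ssl) {
        return ssl.getEnabledCipherSuites().length == 0;
    }
}
```

With the suite list emptied, the rejected renegotiation surfaces as an SSLHandshakeException on the server's next read rather than through an asynchronous callback, so the connection is torn down on the request thread; the listener's counter only ever exceeds one when `allowUnsafeLegacyRenegotiation` is true.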
DO NOT REPLY [Bug 48236] another workaround for CVE-2009-3555 for the BIO connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=48236

--- Comment #1 from Mark Thomas 2009-11-19 05:44:36 GMT ---
Thanks for the alternative suggestion. I'll do some testing and if all looks OK, change the way we disable the handshake.
svn commit: r882148 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Author: markt
Date: Thu Nov 19 14:01:27 2009
New Revision: 882148

URL: http://svn.apache.org/viewvc?rev=882148&view=rev
Log:
Remove unused code

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=882148&r1=882147&r2=882148&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov 19 14:01:27 2009
@@ -161,7 +161,6 @@ asock.addHandshakeCompletedListener( new DisableSslRenegotiation()); } - configureClientAuth(asock); } catch (SSLException e){ throw new SocketException("SSL handshake error" + e.toString()); } @@ -746,17 +745,6 @@ } /** - * Configure Client authentication for this version of JSSE. The - * JSSE included in Java 1.4 supports the 'want' value. Prior - * versions of JSSE will treat 'want' as 'false'. - * @param socket the SSLSocket - */ -protected void configureClientAuth(SSLSocket socket){ -// Per JavaDocs: SSLSockets returned from -// SSLServerSocket.accept() inherit this setting. -} - -/** * Configures the given SSL server socket with the requested cipher suites, * protocol versions, and need for client authentication */
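Review bot: the @@ -746 hunk deletes the only place that documented how the clientAuth value 'want' behaves on older JSSE ("Prior versions of JSSE will treat 'want' as 'false'"). Because the removed method body was empty and its own comment says accepted sockets inherit the server socket's setting, dropping the call in the @@ -161 hunk is functionally safe, but that sentence should move into the Javadoc of the following method ("Configures the given SSL server socket with ... need for client authentication") so the clientAuth=want caveat is not silently lost along with the dead code.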
svn commit: r882151 - /tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Author: markt
Date: Thu Nov 19 14:05:56 2009
New Revision: 882151

URL: http://svn.apache.org/viewvc?rev=882151&view=rev
Log:
Fix the Eclipse warnings - no functional change

Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=882151&r1=882150&r2=882151&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov 19 14:05:56 2009
@@ -116,6 +116,7 @@ public JSSESocketFactory () { +// NOOP } @Override @@ -207,7 +208,7 @@ protected String[] getEnabledCiphers(String requestedCiphers, String[] supportedCiphers) { -String[] enabledCiphers = null; +String[] result = null; if (requestedCiphers != null) { Vector vec = null; @@ -261,14 +262,14 @@ } if (vec != null) { -enabledCiphers = new String[vec.size()]; -vec.copyInto(enabledCiphers); +result = new String[vec.size()]; +vec.copyInto(result); } } else { -enabledCiphers = sslProxy.getDefaultCipherSuites(); +result = sslProxy.getDefaultCipherSuites(); } -return enabledCiphers; +return result; } /* @@ -526,11 +527,12 @@ kms = kmf.getKeyManagers(); if (keyAlias != null) { +String alias = keyAlias; if (JSSESocketFactory.defaultKeystoreType.equals(keystoreType)) { -keyAlias = keyAlias.toLowerCase(); +alias = alias.toLowerCase(); } for(int i=0; i
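Review bot: in the @@ -207 hunk the rename from `enabledCiphers` to `result` removes the shadowing warning, but the unchanged context line `Vector vec = null;` is a raw type and will keep producing a warning of its own; since the log's goal is a warning-free file, `Vector<String> vec` (with the matching `String[]` copy in the @@ -261 hunk) would finish the job without changing behaviour.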
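Review bot: the @@ -526 hunk's `String alias = keyAlias;` correctly stops the method from reassigning its parameter, but the retained `alias = alias.toLowerCase();` is locale-dependent: under a Turkish default locale an upper-case I lowercases to dotless ı and the key alias lookup fails silently, leaving the connector without the intended certificate. Use `alias.toLowerCase(Locale.ENGLISH)`; not a regression from this commit, but the line is being touched anyway.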
svn commit: r882169 - /tomcat/trunk/java/org/apache/catalina/connector/Connector.java
Author: markt
Date: Thu Nov 19 15:08:03 2009
New Revision: 882169

URL: http://svn.apache.org/viewvc?rev=882169&view=rev
Log:
Fix SSL config error as a result of attribute refactoring.

Modified:
tomcat/trunk/java/org/apache/catalina/connector/Connector.java

Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=882169&r1=882168&r2=882169&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Thu Nov 19 15:08:03 2009
@@ -290,7 +290,6 @@ replacements.put("rootFile", "rootfile"); replacements.put("keystorePass", "keypass"); replacements.put("keystoreType", "keytype"); - replacements.put("sslProtocol", "protocol"); replacements.put("sslProtocols", "protocols"); }
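Review bot: removing `replacements.put("sslProtocol", "protocol");` is the right fix: `protocol` is already the Connector attribute that selects the protocol handler, so the mapping rewrote an SSL setting into an unrelated attribute, which is consistent with the "SSL config error" in the log. The surviving `sslProtocols` to `protocols` entry has the same shape; a unit test asserting that no replacement target collides with an existing Connector attribute name would catch the next collision before it reaches a release.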
DO NOT REPLY [Bug 48238] New: Tomcat-lite won't compile
https://issues.apache.org/bugzilla/show_bug.cgi?id=48238

Summary: Tomcat-lite won't compile
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Modules: tomcat-lite
AssignedTo: dev@tomcat.apache.org
ReportedBy: s...@apache.org

TL has a couple of errors which mean it won't compile. Patches to follow
DO NOT REPLY [Bug 48238] Tomcat-lite won't compile
https://issues.apache.org/bugzilla/show_bug.cgi?id=48238

--- Comment #1 from Sebb 2009-11-19 07:43:54 UTC ---
Created an attachment (id=24565)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24565)
Fix bug (sm not init); remove unnecessary casts
DO NOT REPLY [Bug 48238] Tomcat-lite won't compile
https://issues.apache.org/bugzilla/show_bug.cgi?id=48238

--- Comment #2 from Sebb 2009-11-19 07:45:11 UTC ---
Created an attachment (id=24566)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24566)
ByteChunk.length() => ByteChunk.getLength(); += @Override
DO NOT REPLY [Bug 48239] New: HexUtils exposes public array
https://issues.apache.org/bugzilla/show_bug.cgi?id=48239

Summary: HexUtils exposes public array
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: s...@apache.org

Created an attachment (id=24567)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24567)
Patch to replace direct array access with getters

HexUtils has two public static arrays which ought to be immutable.
DO NOT REPLY [Bug 48240] New: Tomcat-Lite missing @Override markers
https://issues.apache.org/bugzilla/show_bug.cgi?id=48240

Summary: Tomcat-Lite missing @Override markers
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Modules: tomcat-lite
AssignedTo: dev@tomcat.apache.org
ReportedBy: s...@apache.org

Created an attachment (id=24568)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24568)
+= @Override; -= (cast)

Lots of missing @Override markers in tomcat-lite
Also a couple of unnecessary casts can be removed.
svn commit: r882186 - /tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java
Author: markt
Date: Thu Nov 19 16:05:48 2009
New Revision: 882186

URL: http://svn.apache.org/viewvc?rev=882186&view=rev
Log:
Fix Eclipse warning

Modified:
tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java?rev=882186&r1=882185&r2=882186&view=diff
==
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Protocol.java Thu Nov 19 16:05:48 2009
@@ -185,6 +185,7 @@ protected ConcurrentLinkedQueue recycledProcessors = new ConcurrentLinkedQueue() { +private static final long serialVersionUID = 1L; protected AtomicInteger size = new AtomicInteger(0); @Override public boolean offer(Http11Processor processor) {
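Review bot: adding `private static final long serialVersionUID = 1L;` to the anonymous `ConcurrentLinkedQueue` subclass silences the Eclipse warning but implies the class has a stable serialized form; an anonymous class that carries an `AtomicInteger size` and an implicit reference to the enclosing protocol handler should never be serialized. `@SuppressWarnings("serial")` on the `recycledProcessors` field states that intent more honestly than a placeholder UID.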
svn commit: r882231 - in /tomcat/trunk: java/org/apache/catalina/connector/ java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ webapps/docs/config/
Author: markt
Date: Thu Nov 19 18:00:09 2009
New Revision: 882231

URL: http://svn.apache.org/viewvc?rev=882231&view=rev
Log:
Fix SSL for BIO post refactoring
Make attribute names consistent
Endpoints are now responsible for configuring the SSL "engine"
Basics work but still needs more testing
NIO & APR to follow

Modified:
tomcat/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=882231&r1=882230&r2=882231&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Thu Nov 19 18:00:09 2009
@@ -284,12 +284,8 @@ replacements.put("connectionLinger", "soLinger"); replacements.put("connectionTimeout", "soTimeout"); replacements.put("connectionUploadTimeout", "timeout"); - replacements.put("clientAuth", "clientauth"); - replacements.put("keystoreFile", "keystore"); replacements.put("randomFile", "randomfile"); replacements.put("rootFile", "rootfile"); - replacements.put("keystorePass", "keypass"); - replacements.put("keystoreType", "keytype"); replacements.put("sslProtocols", "protocols"); } Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=882231&r1=882230&r2=882231&view=diff == --- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu Nov 19 18:00:09 2009 
@@ -325,49 +325,68 @@ public int getSoLinger() { return endpoint.getSoLinger(); } public void setSoLinger(int soLinger) { endpoint.setSoLinger(soLinger); } +// JSSE SSL attrbutes +public String getAlgorithm() { return endpoint.getAlgorithm();} +public void setAlgorithm(String s ) { endpoint.setAlgorithm(s);} +public String getClientAuth() { return endpoint.getClientAuth();} +public void setClientAuth(String s ) { endpoint.setClientAuth(s);} + public String getKeystoreFile() { return endpoint.getKeystoreFile();} public void setKeystoreFile(String s ) { endpoint.setKeystoreFile(s);} -public void setKeystore(String s) { setKeystoreFile(s);} -public String getKeystore(){ return getKeystoreFile();} -public String getKeyAlias() { return (endpoint).getKeyAlias();} -public void setKeyAlias(String s ) { (endpoint).setKeyAlias(s);} - - -public String getAlgorithm() { return (endpoint).getAlgorithm();} -public void setAlgorithm(String s ) { (endpoint).setAlgorithm(s);} - -public void setClientauth(String s) {setClientAuth(s);} -public String getClientauth(){ return getClientAuth();} -public String getClientAuth() { return (endpoint).getClientAuth();} -public void setClientAuth(String s ) { (endpoint).setClientAuth(s);} - -public String getKeystorePass() { return (endpoint).getKeystorePass();} -public void setKeystorePass(String s ) { (endpoint).setKeystorePass(s);} -public void setKeypass(String s) { setKeystorePass(s);} -public String getKeypass() { return getKeystorePass();} -public String getKeystoreType() { return (endpoint).getKeystoreType();} -public void setKeystoreType(String s ) { (endpoint).setKeystoreType(s);} -public String getKeytype() { return getKeystoreType();} -public void setKeytype(String s ) { setKeystoreType(s);} - -public void setTruststoreFile(String f){(endpoint).setTruststoreFile(f);} -public String getTruststoreFile(){return (endpoint).getTruststoreFile();} -public void setTruststorePass(String p){(endpoint).setTruststorePass(p);} -public String 
getTruststorePass(){return (endpoint).getTruststorePass();} -public void setTruststoreType(String t){(endpoint).setTruststoreType(t);} -public String getTruststoreType(){ return (endpoint).getTruststoreType();} + +public String getKeystorePass() { return endpoint.getKeystorePass();} +public void setKeystorePass(String s ) { endpoint.setKeystorePass(s);} +public String getKeystoreType() { return endpoint.getKeystoreType();} +public void setKeystoreType(String s )
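Review bot: the Connector.java @@ -284 hunk drops the `clientauth`, `keystore`, `keypass` and `keytype` replacement targets, so server.xml files that still use those lower-case names are no longer mapped to the camel-case setters. Because those attributes control client certificate authentication and the key store, a legacy name now means the connector runs with defaults instead of the configured value, with no error at startup. "Make attribute names consistent" should therefore be backed by a changelog entry and a note in webapps/docs/config/http.xml (already in this commit's modified list) listing the names that stopped being accepted.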
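Review bot: the new comment in the AbstractHttp11Protocol.java @@ -325 hunk reads `// JSSE SSL attrbutes` (typo: attributes). The same hunk removes the `setKeystore`, `setClientauth`, `setKeypass` and `setKeytype` aliases that the Connector replacements in this commit used to target, so with both sides gone the old names have no setter at all; please make sure an unrecognised SSL attribute is logged rather than dropped, otherwise a legacy `clientauth="true"` degrades to no client authentication without any warning.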
Tomcat Native patch - adding dynamic locking callbacks for openssl engines
All;
Hello. I have been using Tomcat and TCNative for quite a while now, but have just now subscribed to this list so I may contribute a proposed patch. Since I am new, please be patient if I'm doing things wrong - I've RTFM, but that only goes so far.

The attached patch adds dynamic locking callbacks needed by certain engines in OpenSSL (chil, specifically). Most of this code was poached from HTTPD 2.2.x mod_ssl (ssl_util.c). The notable differences to TCNative after applying the patch are that the call to ssl_thread_setup had to be moved before the engine is initialized since the callbacks must be set before engine init, and the dynamic callback functions were added to ssl_thread_setup.

I am attaching the proposed patch to this email, but please let me know what it would take to have it properly committed and offer any suggestions that may relate to the patch itself. I'm also used to patches including information in the CHANGELOG file, but it seems TCNative doesn't do things that way?

Thanks for your time
--
--
diff -Nru tomcat-native-1.1.16-src/jni/native/include/ssl_private.h tomcat-native-1.1.16-src-dynamic_callbacks/jni/native/include/ssl_private.h
--- tomcat-native-1.1.16-src/jni/native/include/ssl_private.h 2006-10-21 17:16:34.0 -0500
+++ tomcat-native-1.1.16-src-dynamic_callbacks/jni/native/include/ssl_private.h 2009-11-19 09:10:58.630479400 -0600
@@ -292,3 +292,13 @@ int SSL_callback_SSL_verify(int, X509_STORE_CTX *); int SSL_rand_seed(const char *file); #endif /* SSL_PRIVATE_H */ + +/* Global reference to the pool used by the dynamic mutexes */ +apr_pool_t *dynlockpool; + +/** + * Dynamic lock callback functions + */ +static struct CRYPTO_dynlock_value *ssl_dyn_create_function(const char *file, int line); +static void ssl_dyn_lock_function(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line); +static void ssl_dyn_destroy_function(struct CRYPTO_dynlock_value *l, const char *file, int line); diff -Nru tomcat-native-1.1.16-src/jni/native/src/ssl.c tomcat-native-1.1.16-src-dynamic_callbacks/jni/native/src/ssl.c --- tomcat-native-1.1.16-src/jni/native/src/ssl.c 2007-04-03 09:16:23.0 -0500 +++ tomcat-native-1.1.16-src-dynamic_callbacks/jni/native/src/ssl.c 2009-11-19 09:10:40.567979400 -0600 @@ -213,6 +213,12 @@ UNREFERENCED(data); CRYPTO_set_locking_callback(NULL); CRYPTO_set_id_callback(NULL); +CRYPTO_set_dynlock_create_callback(NULL); +CRYPTO_set_dynlock_lock_callback(NULL); +CRYPTO_set_dynlock_destroy_callback(NULL); + +dynlockpool = NULL; + /* Let the registered mutex cleanups do their own thing */ return APR_SUCCESS; @@ -233,6 +239,14 @@ CRYPTO_set_id_callback(ssl_thread_id); CRYPTO_set_locking_callback(ssl_thread_lock); +/* Set up dynamic locking scaffolding for OpenSSL to use at its + * convenience. + */ +dynlockpool = p; +CRYPTO_set_dynlock_create_callback(ssl_dyn_create_function); +CRYPTO_set_dynlock_lock_callback(ssl_dyn_lock_function); +CRYPTO_set_dynlock_destroy_callback(ssl_dyn_destroy_function); + apr_pool_cleanup_register(p, NULL, ssl_thread_cleanup, apr_pool_cleanup_null); } @@ -402,6 +416,9 @@ OPENSSL_load_builtin_modules(); #endif +/* Initialize thread support */ +ssl_thread_setup(tcn_global_pool); + #ifndef OPENSSL_NO_ENGINE if (J2S(engine)) { ENGINE *ee = NULL; 
@@ -455,8 +472,6 @@ apr_pool_cleanup_register(tcn_global_pool, NULL, ssl_init_cleanup, apr_pool_cleanup_null); -/* Initialize thread support */ -ssl_thread_setup(tcn_global_pool); TCN_FREE_CSTRING(engine); return (jint)APR_SUCCESS; } @@ -911,3 +926,109 @@ } #endif + +/* Dynamic lock structure */ +struct CRYPTO_dynlock_value { +apr_pool_t *pool; +const char* file; +int line; +apr_thread_mutex_t *mutex; +}; + +/* + * Dynamic lock creation callback + */ +static struct CRYPTO_dynlock_value *ssl_dyn_create_function(const char *file, + int line) +{ +struct CRYPTO_dynlock_value *value; +apr_pool_t *p; +apr_status_t rv; + +/* + * We need a pool to allocate our mutex. Since we can't clear + * allocated memory from a pool, create a subpool that we can blow + * away in the destruction callback. + */ +rv = apr_pool_create(&p, dynlockpool); +if (rv != APR_SUCCESS) { +fprintf(stderr, "Failed to create subpool for dynamic lock"); +return NULL; +} + +/* +fprintf(stderr, "Creating dynamic lock"); +*/ + +value = (struct CRYPTO_dynlock_value *)apr_palloc(p, + sizeof(struct CRYPTO_dynlock_value)); +if (!value) { +fprintf(stderr, "Failed to allocate dynamic lock structure"); +return NULL; +
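Review bot: in the ssl_private.h @@ -292 hunk the new declarations are placed after `#endif /* SSL_PRIVATE_H */`, i.e. outside the include guard, and `apr_pool_t *dynlockpool;` is a definition rather than an `extern` declaration, so every translation unit that includes the header gets its own copy and the link can fail with duplicate symbols. Declare `extern apr_pool_t *dynlockpool;` inside the guard and define it once in ssl.c; the three `static` prototypes belong in ssl.c as well, since a `static` prototype in a header produces "declared static but never defined" warnings in every other includer.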
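Review bot: moving `ssl_thread_setup(tcn_global_pool);` ahead of the `#ifndef OPENSSL_NO_ENGINE` block (hunks @@ -402 and @@ -455) is the functional core of the patch and matches the cover note; please add a comment at the new call site stating why the order matters (engines such as chil pick up the dynlock callbacks at init time), so a later cleanup does not move it back below engine initialisation and silently reintroduce the race.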
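Review bot: in the ssl.c @@ -911 hunk `ssl_dyn_create_function` creates subpool `p` and then, if `apr_palloc` fails, returns NULL without destroying `p`, leaking the subpool on every such failure; add `apr_pool_destroy(p);` on that path. The error reporting via `fprintf(stderr, ...)` also bypasses the library's normal error handling and the messages lack a trailing newline; a lock-creation failure here leaves OpenSSL without a dynamic lock, so it should at least be visible in the server log.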
Re: Tomcat Native patch - adding dynamic locking callbacks for openssl engines
On 11/19/2009 08:39 PM, Daniel Ruggeri wrote:
> All;
> Hello. I have been using Tomcat and TCNative for quite a while now, but have just now subscribed to this list so I may contribute a proposed patch. Since I am new, please be patient if I'm doing things wrong - I've RTFM, but that only goes so far.

Can you please create a bugzilla issue and attach a patch to it.
https://issues.apache.org/bugzilla/query.cgi?product=Tomcat%20Native

> I'm also used to patches including information in the CHANGELOG file, but it seems TCNative doesn't do things that way?

It's inside xdocs/miscellaneous/changelog.xml

Regards
--
TM
DO NOT REPLY [Bug 48192] Allow to specify the SSLSocket class in connector tag of server.xml
https://issues.apache.org/bugzilla/show_bug.cgi?id=48192

Mark Thomas changed:

What      |Removed |Added
Status    |NEW     |RESOLVED
Resolution|        |WONTFIX

--- Comment #2 from Mark Thomas 2009-11-19 13:37:27 GMT ---
Assuming this enhancement request is solely to address CVE-2009-3555, then I am closing this as WONTFIX as this is not the solution that will be implemented. Current thinking is that the solution to CVE-2009-3555 will be based on the solution proposed in bug48236 combined logging based on the original patch ie r881774.

If there are other reasons for wanting this enhancement, feel free to re-open this issue. Enhancement requests with patches are more likely to be applied sooner.
DO NOT REPLY [Bug 48158] warn that "per directory client certificate authentication" is harmful
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158

Mark Thomas changed:

What      |Removed |Added
Status    |NEW     |RESOLVED
Resolution|        |DUPLICATE

--- Comment #10 from Mark Thomas 2009-11-19 13:38:59 GMT ---
The warning has already gone out to users@, dev@ and announce@.
The actual patch is currently being tracked in bug48236. That eventual patch for bug48236 will be ported to 5.5.x and 6.0.x.

*** This bug has been marked as a duplicate of bug 48236 ***
DO NOT REPLY [Bug 48236] another workaround for CVE-2009-3555 for the BIO connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=48236

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hau...@acm.org

--- Comment #2 from Mark Thomas 2009-11-19 13:38:59 GMT ---
*** Bug 48158 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 48236] another workaround for CVE-2009-3555 for the BIO connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=48236

--- Comment #3 from Mark Thomas 2009-11-19 13:41:24 GMT ---
Testing has been positive. I ended up keeping the listener from the original patch to log the handshake attempts. I'm not so concerned about the logging being in a separate thread and it was the easiest (only?) way to hook into the client triggered handshakes.

Patch to trunk will follow shortly.
svn commit: r882320 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java JSSESupport.java
Author: markt Date: Thu Nov 19 22:06:43 2009 New Revision: 882320 URL: http://svn.apache.org/viewvc?rev=882320&view=rev Log: Improve workaround for CVE-2009-3555 On the plus side, it doesn't rely on an async event to close the connection On the down side, I haven't yet found a way to log client initiated handshakes before they get closed Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=882320&r1=882319&r2=882320&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Nov 19 22:06:43 2009 @@ -42,8 +42,6 @@ import java.util.Vector; import javax.net.ssl.CertPathTrustManagerParameters; -import javax.net.ssl.HandshakeCompletedEvent; -import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.ManagerFactoryParameters; 
@@ -159,42 +157,23 @@ SSLSocket asock = null; try { asock = (SSLSocket)socket.accept(); - if (!allowUnsafeLegacyRenegotiation) { - asock.addHandshakeCompletedListener( - new DisableSslRenegotiation()); - } } catch (SSLException e){ throw new SocketException("SSL handshake error" + e.toString()); } return asock; } -private static class DisableSslRenegotiation -implements HandshakeCompletedListener { -private volatile boolean completed = false; - -public void handshakeCompleted(HandshakeCompletedEvent event) { -if (completed) { -try { -log.warn("SSL renegotiation is disabled, closing connection"); -event.getSession().invalidate(); -event.getSocket().close(); -} catch (IOException e) { -// ignore -} -} -completed = true; -} -} - - @Override public void handshake(Socket sock) throws IOException { -//we do getSession instead of startHandshake() so we can call this multiple times +// We do getSession instead of startHandshake() so we can call this multiple times SSLSession session = ((SSLSocket)sock).getSession(); if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL")) throw new IOException("SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL"); - //((SSLSocket)sock).startHandshake(); + +if (!allowUnsafeLegacyRenegotiation) { +// Prevent futher handshakes by removing all cipher suites +((SSLSocket) sock).setEnabledCipherSuites(new String[0]); +} } /* Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=882320&r1=882319&r2=882320&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Thu Nov 19 22:06:43 2009 
@@ -149,6 +149,15 @@ ssl.setNeedClientAuth(true); } +if (ssl.getEnabledCipherSuites().length == 0) { +// Handshake is never going to be successful. +// Assume this is because handshakes are disabled +log.warn("SSL server initiated renegotiation is disabled, closing connection"); +session.invalidate(); +ssl.close(); +return; +} + InputStream in = ssl.getInputStream(); int oldTimeout = ssl.getSoTimeout(); ssl.setSoTimeout(1000); @@ -171,10 +180,7 @@ break; } } -// If legacy re-negotiation is disabled, socked could be closed here -if (!ssl.isClosed()) { -ssl.setSoTimeout(oldTimeout); -} +ssl.setSoTimeout(oldTimeout); if (listener.completed == false) { throw new SocketException("SSL Cert handshake timeout"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
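Review bot: in the @@ -159,42 +157,23 @@ hunk of JSSESocketFactory.java, the new block in handshake() prevents further handshakes with `((SSLSocket) sock).setEnabledCipherSuites(new String[0]);`, which depends on the JSSE provider accepting an empty suite list and then failing any later handshake instead of rejecting the call; the comment should state that assumption, since it is provider-specific behaviour (the follow-up reply on this commit asks for testing on non-Sun JVMs for exactly that reason). The same hunk's comment `// Prevent futher handshakes by removing all cipher suites` should read "further", and the adjacent exception message `Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL` has a pre-existing "Cipher" typo worth fixing while here. Finally, the commit log says client initiated handshakes are no longer logged before they get closed; a comment at this point saying so would keep that gap visible to whoever next touches the code, since the removed DisableSslRenegotiation listener used to warn on them.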
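Review bot: in the @@ -149,6 +149,15 @@ hunk of JSSESupport.java, the new `if (ssl.getEnabledCipherSuites().length == 0)` block logs, invalidates the session, closes the socket and then does a bare `return;`, so the caller gets neither an exception nor a certificate, while the existing timeout path a few lines further down throws `SocketException("SSL Cert handshake timeout")`; consider throwing here as well (or documenting the null result) so the two failure modes are handled uniformly by callers. The comment "Assume this is because handshakes are disabled" infers intent from socket state that is set in JSSESocketFactory.handshake(); a cross-reference to that method would make the coupling explicit for readers of this file alone.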
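Review bot: in the @@ -171,10 +180,7 @@ hunk, dropping the `if (!ssl.isClosed())` guard around `ssl.setSoTimeout(oldTimeout);` is consistent with the earlier hunk, where the new empty-suite check returns before `ssl.setSoTimeout(1000);` is ever applied, so this path no longer sees a socket closed by the renegotiation guard; a one-line note in the commit log or code explaining that the guard became dead would save the next reader from re-deriving it.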
SSL MITM status update
Feedback / comments on the info below. I'd like to get it out to users@ and announce@ fairly soon.

Cheers,

Mark

===

Overview
========

Work on the root cause is progressing but is still in a state of flux. The purpose of this update is to provide information on the current understanding so users are better informed when making decisions regarding risk mitigation for this issue in their environment.

BIO Connector
=============

The HTTP BIO connector that ships with 6.0.20 and 5.5.28 supports client and server initiated negotiation and is vulnerable to CVE-2009-3555.

A patch [1] has been applied to trunk, 6.0.x and 5.5.x that provides an option to disable renegotiation. This patch has an issue in that it uses an asynchronous callback to close the connection when a handshake is detected. It is theoretically possible for an attack to complete before the connection is closed. When negotiation is disabled, both server and client initiated attempts to renegotiate are logged.

An updated patch [2] has been applied to trunk and proposed for 6.0.x and 5.5.x that resolves the asynchronous concerns but only logs server initiated renegotiation.

Users of 6.0.20, 5.5.28 and earlier versions can apply either of the patches. It will be necessary to build Tomcat from source to use these patches.

Testing with both these patches has shown that using the connector attributes clientAuth="want" and allowUnsafeLegacyRenegotiation="false" provides a similar user experience during negotiation to clientAuth="false" and allowUnsafeLegacyRenegotiation="true", although this may vary by application.

It is anticipated that 6.0.21 and 5.5.29 releases will be made once the situation stabilises and the Tomcat development team is confident that further changes will not be required.

NIO Connector
=============

The HTTP NIO connector that ships with 6.0.20 and 5.5.28 does not support client or server initiated renegotiation and is therefore not vulnerable to CVE-2009-3555.

As and when negotiation support is added to the NIO connector, it will support the allowUnsafeLegacyRenegotiation connector attribute and behave in a similar manner to the HTTP BIO connector.

APR / native Connector
======================

Behaviour of the APR/native connector depends on the version of the APR/native connector and on the version of OpenSSL that the connector is built with. Versions prior to APR/native 1.1.16 are not discussed.

The Windows binaries available from the ASF have been built with the following OpenSSL versions:

APR/native   OpenSSL
1.1.16       0.9.8i
1.1.17       0.9.8l
1.1.18       0.9.8k - TBC

Any version of the APR/native connector built with OpenSSL 0.9.8l will not support client or server initiated negotiation and will, therefore, not be vulnerable to CVE-2009-3555.

Client initiated negotiation is supported in 1.1.16 and 1.1.17. These versions are, therefore, vulnerable to CVE-2009-3555 unless built with OpenSSL 0.9.8l.

Client initiated negotiation has been disabled in 1.1.18. Therefore, this version is not vulnerable to CVE-2009-3555 via client initiated renegotiation although it may still be vulnerable via server initiated renegotiation.

Server initiated renegotiation is supported in 1.1.17 onwards. Therefore, 1.1.17 onwards is vulnerable to CVE-2009-3555 via server initiated renegotiation unless the APR/native connector is built with OpenSSL 0.9.8l.
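An added example, not taken from Mark's draft or from Tomcat's shipped server.xml, of the BIO connector settings the update describes: the first Connector is the 6.0.20 / 5.5.28 configuration as shipped, the second the mitigated form once patch [1] or [2] is applied. The keystore path and password are placeholders, and it assumes the APR library is not installed, so protocol="HTTP/1.1" resolves to the BIO connector.

```xml
<!-- Added example; placeholder keystore values, not Tomcat's defaults. -->

<!-- BEFORE: BIO connector as shipped in 6.0.20 / 5.5.28. Client and server
     initiated renegotiation are supported and there is no attribute to turn
     them off, so CVE-2009-3555 applies. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/PLACEHOLDER-keystore.jks"
           keystorePass="PLACEHOLDER"
           clientAuth="false" />

<!-- AFTER: same connector with patch [1] or [2] applied (a source build until
     6.0.21 / 5.5.29 ship). allowUnsafeLegacyRenegotiation="false" is the
     attribute the patches add; renegotiation attempts are refused and logged
     (patch [2] logs only server initiated ones). clientAuth="want" requests
     the client certificate in the initial handshake instead of via a later
     renegotiation, which the update reports gives a user experience similar
     to clientAuth="false" with renegotiation still allowed. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/PLACEHOLDER-keystore.jks"
           keystorePass="PLACEHOLDER"
           clientAuth="want"
           allowUnsafeLegacyRenegotiation="false" />
```

On an unpatched 6.0.20 the allowUnsafeLegacyRenegotiation attribute is simply ignored, so its presence in server.xml is not evidence that the mitigation is active; check the log for the renegotiation warnings described above.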
svn commit: r882368 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Nov 20 00:50:06 2009 New Revision: 882368 URL: http://svn.apache.org/viewvc?rev=882368&view=rev Log: Propose alternative fix Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=882368&r1=882367&r2=882368&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Nov 20 00:50:06 2009 @@ -396,3 +396,11 @@ http://people.apache.org/~markt/patches/2009-11-17-cookie-allow-equals.patch +1: markt -1: + +* Alternative fix for CVE-2009-3555 SSL MITN + The current patch uses an async callback to close the socket. It is + technically possible an attack may suceed before the socket is closed + The new patch only logs failed server initiated negotiations + http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch + +1: markt + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
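Review bot: in the @@ -396,3 +396,11 @@ hunk, the proposal text has two typos that will be copied into the changelog if left: `+* Alternative fix for CVE-2009-3555 SSL MITN` should read "MITM", and `+ technically possible an attack may suceed before the socket is closed` should read "succeed" and end with a full stop before the next sentence.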
svn commit: r882369 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: markt Date: Fri Nov 20 00:50:20 2009 New Revision: 882369 URL: http://svn.apache.org/viewvc?rev=882369&view=rev Log: Propose alternative fix Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=882369&r1=882368&r2=882369&view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Nov 20 00:50:20 2009 @@ -250,4 +250,11 @@ http://people.apache.org/~markt/patches/2009-11-17-cookie-allow-equals.patch +1: markt -1: - \ No newline at end of file + +* Alternative fix for CVE-2009-3555 SSL MITN + The current patch uses an async callback to close the socket. It is + technically possible an attack may suceed before the socket is closed + The new patch only logs failed server initiated negotiations + http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch + +1: markt + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
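Review bot: in the @@ -250,4 +250,11 @@ hunk, the same proposal text as the 6.0.x STATUS entry carries the typos `SSL MITN` (should be "MITM") and `may suceed` (should be "succeed"); since the hunk also repairs the missing trailing newline (`\ No newline at end of file`), it is worth correcting the wording in the same commit so both branches stay identical.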
Re: svn commit: r882320 - in /tomcat/trunk/java/org/apache/tomcat/util/net/jsse: JSSESocketFactory.java JSSESupport.java
This looks like it should work (haven't tested it yet), but hoping that there are people that can test on non-Sun JVMs to see if there could be problems. This patch is a little heavy on knowing how the JVM implements things :(.

wrote in message news:20091119220644.2d8f42388...@eris.apache.org...
> Author: markt
> Date: Thu Nov 19 22:06:43 2009
> New Revision: 882320
>
> URL: http://svn.apache.org/viewvc?rev=882320&view=rev
> Log:
> Improve workaround for CVE-2009-3555
> On the plus side, it doesn't rely on an async event to close the
> connection
> On the down side, I haven't yet found a way to log client initiated
> handshakes before they get closed
>
> Modified:
>
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=882320&r1=882319&r2=882320&view=diff
>
DO NOT REPLY [Bug 48236] another workaround for CVE-2009-3555 for the BIO connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=48236

Ralf Hauser changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |more...@privasphere.com

--- Comment #4 from Ralf Hauser 2009-11-19 22:00:46 UTC ---
Are there any junit or rather httpclient/httpunit tests for this? Or at least a detailed test script (e.g. documented in a wiki)?

Looking forward to the new patch.