Filip Hanik - Dev Lists wrote:
> the check would be as simple as
>
> boolean b = keystore.isKeyEntry(alias);

It would be if the alias was the problem. Unfortunately it isn't. See my longer mail on the subject.

Mark

> Filip
>
> Filip Hanik - Dev Lists wrote:
>> -1: this is a misconfigured keystore. Solution is to fix the keystore.
>> The SSL-HOW-TO in tomcat is talking about this.
>> There are a few cases, in this user's case, the 'tomcat' alias is not present
>> The keystore in this case doesn't even contain a private key
>>
>> The bug report is invalid, the tomcat documentation talks about how to get around this
>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>>
>> Infinite loop is bad, but if we need to validate the keystore, let's validate the keystore, doing it in the accept() call is not the correct solution.
>> not even if it is the main accept loop
>>
>> Filip
>>
>> [EMAIL PROTECTED] wrote:
>>> Author: markt
>>> Date: Sun Aug 10 10:24:51 2008
>>> New Revision: 684559
>>>
>>> URL: http://svn.apache.org/viewvc?rev=684559&view=rev
>>> Log:
>>> Fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528.
>>> Test the SSL socket before returning it to make sure the specified certificate will work with the specified ciphers.
>>>
>>> Modified:
>>>     tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>
>>> Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=684559&r1=684558&r2=684559&view=diff
>>> ==============================================================================
>>> --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
>>> +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Sun Aug 10 10:24:51 2008
>>> @@ -26,6 +26,7 @@ >>> import java.net.ServerSocket; >>> import java.net.Socket; >>> import java.net.SocketException; >>> +import java.net.SocketTimeoutException; >>> import java.security.KeyStore; >>> import java.security.SecureRandom; >>> import java.security.cert.CRL; >>> @@ -692,7 +693,7 @@ >>> * Configures the given SSL server socket with the requested >>> cipher suites, >>> * protocol versions, and need for client authentication >>> */ >>> - private void initServerSocket(ServerSocket ssocket) { >>> + private void initServerSocket(ServerSocket ssocket) throws >>> IOException { >>> >>> SSLServerSocket socket = (SSLServerSocket) ssocket; 
>>> >>> @@ -704,9 +705,48 @@ >>> setEnabledProtocols(socket, getEnabledProtocols(socket, >>> >>> requestedProtocols)); >>> >>> + // Check the SSL config is OK >>> + checkSocket(ssocket); >>> + >>> // we don't know if client auth is needed - >>> // after parsing the request we may re-handshake >>> configureClientAuth(socket); >>> } >>> >>> + /** >>> + * Checks that the cetificate is compatible with the enabled >>> cipher suites. >>> + * If we don't check now, the JIoEndpoint can enter a nasty >>> logging loop. >>> + * See bug 45528. >>> + */ >>> + private void checkSocket(ServerSocket socket) throws IOException { >>> + int timeout = socket.getSoTimeout(); >>> + + socket.setSoTimeout(1); >>> + Socket s = null; >>> + try { >>> + s = socket.accept(); >>> + // No expecting to get here but if we do, at least we >>> know things >>> + // are working. >>> + } catch (SSLException ssle) { >>> + // Cert doesn't match ciphers >>> + IOException ioe = >>> + new IOException("Certificate / cipher mismatch"); >>> + ioe.initCause(ssle); >>> + throw ioe; >>> + } catch (SocketTimeoutException ste) { >>> + // Expected - do nothing >>> + } finally { >>> + // In case we actually got a connection - close it. >>> + if (s != null) { >>> + try { >>> + s.close(); >>> + } catch (IOException ioe) { >>> + // Ignore >>> + } >>> + } >>> + // Reset the timeout >>> + socket.setSoTimeout(timeout); >>> + } >>> + + } >>> } >>> >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [EMAIL PROTECTED] >>> For additional commands, e-mail: [EMAIL PROTECTED] >>> >>> >>> >> >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
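Review bot: in the @@ -692,7 +693,7 @@ hunk, initServerSocket(ServerSocket) gains `throws IOException` but the javadoc directly above it is left unchanged, so the new failure mode (a certificate that cannot be used with the enabled cipher suites) is undocumented; add a `@throws IOException` line there. The diff also touches no call site of initServerSocket, so the change only builds if every caller already declares or handles IOException; worth confirming before this is merged.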
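Review bot: in the @@ -704,9 +705,48 @@ hunk, checkSocket() only detects the problem if accept() raises the SSLException before its 1 ms SO_TIMEOUT expires; the SocketTimeoutException path is treated as success, and the comment "at least we know things are working" over-claims on the other path too, because a socket that is actually returned is closed in the finally block without any read, write or startHandshake() call, so nothing on that connection exercised the certificate against the enabled suites. It also means a real client that connects during the probe is accepted and immediately closed. As raised elsewhere in this thread, the message "Certificate / cipher mismatch" can be wrong for the reported case (a keystore with no private key, or a missing alias); append the underlying reason so it reaches the log, e.g. `new IOException("Certificate / cipher mismatch: " + ssle.getMessage())`. Minor: "cetificate" in the javadoc.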
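The alternative discussed in this thread is to validate the keystore once at startup rather than probing the listening socket inside accept(). The following is an added example, not Tomcat's code and not part of the commit above: a small standalone checker that covers the cases the thread names (alias missing, alias is not a key entry, no readable private key) and then checks that the certificate's key algorithm is usable by at least one enabled cipher suite. Assumptions: the `KeystoreCheck` class and its methods are hypothetical; the mapping from a cipher-suite name to the key algorithm it authenticates with is a heuristic based on standard JSSE suite names; the keystore password is reused as the key password (the typical configuration, but a second password can be passed where that is not the case).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Startup-time keystore validation (added example, not Tomcat code).
 * Runs before any server socket is opened, so a misconfigured keystore is
 * reported as a clear message instead of surfacing from accept().
 */
public class KeystoreCheck {

    /**
     * Key algorithm a suite authenticates the server with, taken from the
     * suite name (heuristic). "ANY" means any key type is acceptable
     * (anonymous suites, TLS 1.3 suites); null means the name is not recognised.
     */
    static String requiredKeyAlgorithm(String suite) {
        if (suite.contains("_anon_")) return "ANY";
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) return "ANY";
        if (suite.contains("_ECDSA_")) return "EC";
        if (suite.contains("_DSS_")) return "DSA";
        if (suite.contains("_RSA_")) return "RSA";
        return null;
    }

    /** All aliases in the keystore, for the error message when the configured one is missing. */
    static List<String> aliases(KeyStore ks) throws Exception {
        List<String> names = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            names.add(e.nextElement());
        }
        return names;
    }

    /** Returns a list of problems; an empty list means the keystore is usable with these suites. */
    static List<String> validate(KeyStore ks, String alias, char[] keyPass, String[] suites) throws Exception {
        List<String> problems = new ArrayList<String>();
        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' not found; aliases present: " + aliases(ks));
            return problems;
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is a trusted-certificate entry, not a key entry (no private key)");
            return problems;
        }
        Key key;
        try {
            key = ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            problems.add("private key for '" + alias + "' cannot be read (wrong key password?)");
            return problems;
        }
        if (!(key instanceof PrivateKey)) {
            problems.add("entry '" + alias + "' holds a " + key.getClass().getSimpleName() + ", not a private key");
            return problems;
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            try {
                ((X509Certificate) cert).checkValidity();
            } catch (CertificateException e) {
                problems.add("certificate for '" + alias + "' is not currently valid: " + e.getMessage());
            }
        }
        // The mismatch that otherwise appears as an SSLException from accept():
        // no enabled suite can authenticate with a key of this algorithm.
        String keyAlg = cert.getPublicKey().getAlgorithm();
        boolean usable = false;
        for (String suite : suites) {
            String need = requiredKeyAlgorithm(suite);
            if ("ANY".equals(need) || keyAlg.equals(need)) {
                usable = true;
                break;
            }
        }
        if (!usable) {
            problems.add("none of the " + suites.length + " enabled cipher suites can use a " + keyAlg + " key");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreCheck <keystore> <password> <alias> [suite,suite,...] [keypass]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        // Default to the JVM's own enabled suites when none are given on the command line.
        String[] suites = args.length > 3 && args[3].length() > 0
                ? args[3].split(",")
                : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        char[] keyPass = (args.length > 4 ? args[4] : args[1]).toCharArray();
        List<String> problems = validate(ks, args[2], keyPass, suites);
        for (String p : problems) {
            System.err.println("keystore problem: " + p);
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run as `java KeystoreCheck keystore.jks changeit tomcat TLS_RSA_WITH_AES_128_CBC_SHA` to reproduce the scenario in this thread: with no `tomcat` alias the output names the aliases that do exist, and with a trusted-certificate entry under that alias it reports the absence of a private key, both before any port is bound.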
