Author: markt
Date: Mon Aug 21 08:20:06 2017
New Revision: 1805605
URL: http://svn.apache.org/viewvc?rev=1805605&view=rev
Log:
Ensure that the APR/native connector uses blocking I/O for TLS renegotiation.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805605&r1=1805604&r2=1805605&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Mon Aug 21
08:20:06 2017
@@ -2835,10 +2835,50 @@ public class AprEndpoint extends Abstrac
@Override
public void doClientAuth(SSLSupport sslSupport) throws IOException {
long socket = getSocket().longValue();
- // Configure connection to require a certificate
+ // Configure connection to require a certificate. This requires a
+ // re-handshake and must block until the re-handshake completes.
+ // Therefore, make sure socket is in blocking mode.
+ Lock readLock = getBlockingStatusReadLock();
+ WriteLock writeLock = getBlockingStatusWriteLock();
+ boolean renegotiateDone = false;
try {
- SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
- SSLSocket.renegotiate(socket);
+ readLock.lock();
+ try {
+ if (getBlockingStatus()) {
+ Socket.timeoutSet(getSocket().longValue(),
getReadTimeout() * 1000);
+
+ SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE,
-1);
+ SSLSocket.renegotiate(socket);
+
+ renegotiateDone = true;
+ }
+ } finally {
+ readLock.unlock();
+ }
+
+ if (!renegotiateDone) {
+ writeLock.lock();
+ try {
+ // Set the current settings for this socket
+ setBlockingStatus(true);
+ Socket.timeoutSet(getSocket().longValue(),
getReadTimeout() * 1000);
+ // Downgrade the lock
+ readLock.lock();
+ try {
+ writeLock.unlock();
+ SSLSocket.setVerify(socket,
SSL.SSL_CVERIFY_REQUIRE, -1);
+ SSLSocket.renegotiate(socket);
+ } finally {
+ readLock.unlock();
+ }
+ } finally {
+ // Should have been released above but may not have
been on some
+ // exception paths
+ if (writeLock.isHeldByCurrentThread()) {
+ writeLock.unlock();
+ }
+ }
+ }
} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);
throw new IOException(sm.getString("socket.sslreneg"), t);
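Review bot: The renegotiation sequence is written out twice, once under the read lock (the `setVerify`/`renegotiate` pair following the `if (getBlockingStatus())` check) and again after the lock downgrade in the write-lock branch, so a future change to the verify flags or to the re-handshake call has to be made in two places; pulling the pair into a private helper keeps the two lock paths in step. The two `Socket.timeoutSet(getSocket().longValue(), ...)` calls can use the `socket` local already computed at the top of the method, and the `* 1000` deserves a unit comment since APR socket timeouts are, as far as I know, in microseconds while `getReadTimeout()` is in milliseconds, e.g. `// ms -> µs, APR timeouts are in microseconds`. It also appears the socket is left in blocking mode after the re-handshake rather than restored; if that is intentional because later reads/writes reset the mode on demand, a one-line comment saying so would save the next reader from reading the locking code to find out. doClientAuth's body ends outside the hunk.
```java
    /**
     * Requires a client certificate and performs the TLS re-handshake.
     * Caller must hold the blocking-status read lock with the socket in
     * blocking mode so the re-handshake blocks until it completes.
     */
    private void requireClientCertAndRenegotiate(long socket) throws Exception {
        SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
        SSLSocket.renegotiate(socket);
    }
    // … unchanged: doClientAuth lock handling, with both branches calling requireClientCertAndRenegotiate(socket) …
```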
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805605&r1=1805604&r2=1805605&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Aug 21 08:20:06 2017
@@ -97,6 +97,10 @@
Fix possible race condition when setting IO listeners on an upgraded
connection. (remm)
</fix>
+ <fix>
+ Ensure that the APR/native connector uses blocking I/O for TLS
+ renegotiation. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">