Author: markt Date: Thu Nov 29 21:27:43 2018 New Revision: 1847765 URL: http://svn.apache.org/viewvc?rev=1847765&view=rev Log: Avoid hang with TLS 1.0 and NIO/NIO2+OpenSSL 1.1.1
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1847765&r1=1847764&r2=1847765&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu Nov 29 21:27:43 2018
@@ -145,6 +145,7 @@ public final class OpenSSLEngine extends
 // Use an invalid cipherSuite until the handshake is completed
 // See http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#getSession()
+ private volatile String version;
 private volatile String cipher;
 private volatile String applicationProtocol;
@@ -632,7 +633,7 @@ public final class OpenSSLEngine extends
 throws SSLException {
 // NOTE: Calling a fake read is necessary before calling pendingReadableBytesInSSL because
 // SSL_pending will return 0 if OpenSSL has not started the current TLS record
- // See https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
+ // See https://www.openssl.org/docs/manmaster/man3/SSL_pending.html
 clearLastError();
 int lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0); // priming read
 // check if SSL_read returned <= 0. In this case we need to check the error and see if it was something
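Review bot: The new `version` field in the -145 hunk is added with no comment saying what it holds or when it is valid, even though the TLS 1.0 workaround later in this commit keys off it; suggest `// Negotiated protocol version as returned by SSL.getVersion(); null until the handshake has completed.` above the declaration. The later comparison `Constants.SSL_PROTO_TLSv1.equals(version)` tolerates the null, and that the field is intentionally unset before the handshake finishes is worth stating here so nobody later "fixes" it with an eager assignment. The enclosing class starts outside the hunk.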
@@ -640,7 +641,22 @@ public final class OpenSSLEngine extends
 if (lastPrimingReadResult <= 0) {
 checkLastError();
 }
- return SSL.pendingReadableBytesInSSL(ssl);
+ int pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+
+ // TLS 1.0 needs additional handling
+ // TODO Figure out why this is necessary and if a simpler / better
+ // solution is available
+ if (Constants.SSL_PROTO_TLSv1.equals(version) && lastPrimingReadResult == 0 &&
+ pendingReadableBytesInSSL == 0) {
+ // Perform another priming read
+ lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0);
+ if (lastPrimingReadResult <= 0) {
+ checkLastError();
+ }
+ pendingReadableBytesInSSL = SSL.pendingReadableBytesInSSL(ssl);
+ }
+
+ return pendingReadableBytesInSSL;
 }
 @Override
@@ -1027,6 +1043,7 @@ public final class OpenSSLEngine extends
 }
 }
 session.lastAccessedTime = System.currentTimeMillis();
+ version = SSL.getVersion(ssl);
 handshakeFinished = true;
 return SSLEngineResult.HandshakeStatus.FINISHED;
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1847765&r1=1847764&r2=1847765&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Nov 29 21:27:43 2018
@@ -128,6 +128,11 @@
 <fix>
 Avoid bad SSLHostConfig JMX registrations before init. (remm)
 </fix>
+ <fix>
+ Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat
+ HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or
+ later. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
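Review bot: The TLS 1.0 branch in the -640 hunk retries the priming read exactly once under a condition the TODO admits is not understood, and since the log message says the symptom is a hang in a read path any TLS 1.0 client can reach, the comment should record what was actually observed rather than only `// TLS 1.0 needs additional handling`; e.g. `// Observed with OpenSSL 1.1.1+ and TLS 1.0 on NIO/NIO2: after one priming read SSL_pending() can still report 0 and the read loop stalls; a second priming read appears to clear it (root cause not yet identified).` A regression test that drives a TLS 1.0 handshake through the NIO/NIO2 connector would keep this workaround from silently regressing when the TODO is revisited. Also worth one sentence in the comment: `version` is null until handshake completion, so the retry is deliberately skipped for reads before that point and, if the retried read also yields nothing, the caller still sees 0 pending bytes. The method's signature lies outside the hunk.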
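Review bot: In the -1027 hunk `version` is captured on this one handshake-completion path, immediately before `handshakeFinished = true`; if the class sets `handshakeFinished` on any other path (for example a successful doHandshake() return, which this hunk does not show), `version` stays null there and the TLS 1.0 workaround never engages for those connections. Suggest checking every `handshakeFinished = true` site and placing `version = SSL.getVersion(ssl);` beside each, or folding both assignments into one private helper so they cannot drift apart again. The enclosing method starts outside the hunk.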