Author: markt Date: Sun May 24 23:47:46 2009 New Revision: 778258 URL: http://svn.apache.org/viewvc?rev=778258&view=rev Log: Port fix for bug 45528 to TC4/TC5. Needed to make use of JdkCompat to allow for unlikely (but possible) TC4 on 1.3 JVM.
Modified:
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/Jdk14Compat.java
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/JdkCompat.java
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties

Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/Jdk14Compat.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/Jdk14Compat.java?rev=778258&r1=778257&r2=778258&view=diff
==============================================================================
--- tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/Jdk14Compat.java (original)
+++ tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/Jdk14Compat.java Sun May 24 23:47:46 2009
@@ -20,8 +20,11 @@
 import java.io.File;
 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.ServerSocket;
 import java.net.URL;
+import javax.net.ServerSocketFactory;
+
 //import org.apache.commons.logging.Log;
 //import org.apache.commons.logging.LogFactory;
@@ -118,4 +121,12 @@
 wrapper.initCause(wrapped);
 }
+ /**
+ * Obtain an unbound socket from the ServerSocketFactory. Return null if
+ * unbound sockets cannot be created.
+ */
+ public ServerSocket getUnboundSocket(ServerSocketFactory ssf)
+ throws IOException {
+ return ssf.createServerSocket();
+ }
 }

Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/JdkCompat.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/JdkCompat.java?rev=778258&r1=778257&r2=778258&view=diff
==============================================================================
--- tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/JdkCompat.java (original)
+++ tomcat/connectors/trunk/util/java/org/apache/tomcat/util/compat/JdkCompat.java Sun May 24 23:47:46 2009
@@ -22,9 +22,12 @@
 import java.io.PrintWriter;
 import java.io.StringWriter;
 import java.net.MalformedURLException;
+import java.net.ServerSocket;
 import java.net.URL;
 import java.util.Vector;
+import javax.net.ServerSocketFactory;
+
 /**
 * General-purpose utility to provide backward-compatibility and JDK
@@ -219,4 +222,13 @@
 // do nothing
 }
+ /**
+ * Obtain an unbound socket from the ServerSocketFactory. Return null if
+ * unbound sockets cannot be created.
+ */
+ public ServerSocket getUnboundSocket(ServerSocketFactory ssf)
+ throws IOException {
+ return null;
+ }
+
 }

Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java?rev=778258&r1=778257&r2=778258&view=diff
==============================================================================
--- tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java (original)
+++ tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java Sun May 24 23:47:46 2009
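Review bot: The Javadoc on `Jdk14Compat.getUnboundSocket` says `Return null if unbound sockets cannot be created`, but this override never returns null — it hands back whatever `ssf.createServerSocket()` produces or lets its IOException propagate; the null contract belongs to the base `JdkCompat.getUnboundSocket` in the later hunk on this line. Suggest the override's comment read `Obtain an unbound socket from the ServerSocketFactory (1.4+ JVMs). Never returns null; propagates any IOException from createServerSocket().` while the base method keeps the null wording. The base method also declares `throws IOException` although its body only returns null, which is fine as an override contract but worth a sentence in its Javadoc so nobody "fixes" it away.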
@@ -129,6 +129,9 @@
 enabledCiphers = getEnabledCiphers(requestedCiphers,
 sslProxy.getSupportedCipherSuites());
+ // Check the SSL config is OK
+ checkConfig();
+
 } catch(Exception e) {
 if( e instanceof IOException )
 throw (IOException)e;

Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java?rev=778258&r1=778257&r2=778258&view=diff
==============================================================================
--- tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java (original)
+++ tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSE14SocketFactory.java Sun May 24 23:47:46 2009
@@ -120,6 +120,9 @@
 enabledCiphers = getEnabledCiphers(requestedCiphers,
 sslProxy.getSupportedCipherSuites());
+ // Check the SSL config is OK
+ checkConfig();
+
 } catch(Exception e) {
 if( e instanceof IOException )
 throw (IOException)e;

Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=778258&r1=778257&r2=778258&view=diff
==============================================================================
--- tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Sun May 24 23:47:46 2009
@@ -34,6 +34,9 @@
 import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.SSLSocket;
+import org.apache.tomcat.util.compat.JdkCompat;
+import org.apache.tomcat.util.res.StringManager;
+
 /*
 1. Make the JSSE's jars available, either as an installed extension
 (copy them into jre/lib/ext) or by adding
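Review bot: The placement of the new `checkConfig();` call after `enabledCiphers` is computed looks load-bearing, but the comment does not say so — `checkConfig()` (in the JSSESocketFactory hunk of this commit) calls `initServerSocket(socket)`, which presumably applies the enabled cipher list to the probe socket, so moving the call earlier would validate an unconfigured socket and miss the cert/cipher mismatch the check exists for. Suggest `// Check the SSL config is OK - must run after enabledCiphers is set, see checkConfig()` in place of the bare comment. The same applies to the identical hunk in JSSE14SocketFactory on this line. The enclosing try block begins before this hunk, so I cannot see how non-IOException failures from checkConfig() are reported.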
@@ -54,6 +57,9 @@
 public abstract class JSSESocketFactory
 extends org.apache.tomcat.util.net.ServerSocketFactory {
+ private static StringManager sm =
+ StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
+
 // defaults
 static String defaultProtocol = "TLS";
 static String defaultAlgorithm = "SunX509";
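Review bot: `sm` is declared as a mutable static even though it is assigned exactly once and only ever read (by `checkConfig()` later in this commit); declare it `private static final StringManager sm =` so the compiler rules out reassignment and the reference is safely published to the connector threads that use it. This is also the usual shape for a class-level `StringManager` holder, so the field would be consistent with the surrounding codebase.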
@@ -371,4 +377,53 @@
 configureClientAuth(socket);
 }
+ /**
+ * Checks that the certificate is compatible with the enabled cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+ * See bug 45528.
+ */
+ protected void checkConfig() throws IOException {
+ // Create an unbound server socket
+ ServerSocket socket =
+ JdkCompat.getJdkCompat().getUnboundSocket(sslProxy);
+ if (socket == null) {
+ // Can create unbound sockets (1.3 JVM) - can't test the connection
+ return;
+ }
+ initServerSocket(socket);
+
+ try {
+ // Set the timeout to 1ms as all we care about is if it throws an
+ // SSLException on accept.
+ socket.setSoTimeout(1);
+
+ socket.accept();
+ // Will never get here - no client can connect to an unbound port
+ } catch (SSLException ssle) {
+ // SSL configuration is invalid. Possibly cert doesn't match ciphers
+ IOException ioe = new IOException(sm.getString(
+ "jsse.invalid_ssl_conf", ssle.getMessage()));
+ JdkCompat.getJdkCompat().chainException(ioe, ssle);
+ throw ioe;
+ } catch (Exception e) {
+ /*
+ * Possible ways of getting here
+ * socket.accept() throws a SecurityException
+ * socket.setSoTimeout() throws a SocketException
+ * socket.accept() throws some other exception (after a JDK change)
+ * In these cases the test won't work so carry on - essentially
+ * the behaviour before this patch
+ * socket.accept() throws a SocketTimeoutException
+ * In this case all is well so carry on
+ */
+ } finally {
+ // Should be open here but just in case
+ try {
+ socket.close();
+ } catch (IOException ioe) {
+ // Ignore
+ }
+ }
+
+ }
 }

Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties?rev=778258&r1=778257&r2=778258&view=diff
==============================================================================
--- 
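Review bot: `initServerSocket(socket);` runs before the `try`, so if it throws (it is defined outside this hunk, so I cannot see whether it can) the freshly created probe socket is never closed by the `finally`; making it the first statement inside the `try` block, ahead of `socket.setSoTimeout(1);`, puts it under the same cleanup. The comment on the null branch also reads backwards and should be `// Can't create unbound sockets (1.3 JVM) - can't test the connection`. Finally, the `catch (Exception e)` branch turns the check into a silent no-op for anything other than an SSLException, which its comment justifies, but a debug-level log there (if this class has a logger in scope) would let an operator tell "certificate/cipher check skipped" apart from "check passed" when diagnosing the bug 45528 logging loop this method is meant to prevent.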
tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties (original)
+++ tomcat/connectors/trunk/util/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties Sun May 24 23:47:46 2009
@@ -14,3 +14,4 @@
 # limitations under the License.
 jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org