Author: rjung
Date: Tue Nov 3 00:28:22 2009
New Revision: 832222
URL: http://svn.apache.org/viewvc?rev=832222&view=rev
Log:
BZ46950: Fix doing SSL renegotiation when a resource with CLIENT-CERT
auth is requested.
As a side effect update tcnative dependency to 1.1.17.
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLSocket.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=832222&r1=832221&r2=832222&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java
Tue Nov 3 00:28:22 2009
@@ -58,8 +58,8 @@
protected static final int TCN_REQUIRED_MAJOR = 1;
protected static final int TCN_REQUIRED_MINOR = 1;
- protected static final int TCN_REQUIRED_PATCH = 8;
- protected static final int TCN_RECOMMENDED_PV = 10;
+ protected static final int TCN_REQUIRED_PATCH = 17;
+ protected static final int TCN_RECOMMENDED_PV = 17;
// ---------------------------------------------- Properties
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=832222&r1=832221&r2=832222&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
Tue Nov 3 00:28:22 2009
@@ -1135,10 +1135,11 @@
request.setAttribute(AprEndpoint.CIPHER_SUITE_KEY,
sslO);
}
// Get client certificate and the certificate chain if
present
+ // certLength == -1 indicates an error
int certLength = SSLSocket.getInfoI(socket,
SSL.SSL_INFO_CLIENT_CERT_CHAIN);
byte[] clientCert = SSLSocket.getInfoB(socket,
SSL.SSL_INFO_CLIENT_CERT);
X509Certificate[] certs = null;
- if (clientCert != null) {
+ if (clientCert != null && certLength > -1) {
certs = new X509Certificate[certLength + 1];
CertificateFactory cf =
CertificateFactory.getInstance("X.509");
certs[0] = (X509Certificate)
cf.generateCertificate(new ByteArrayInputStream(clientCert));
@@ -1168,29 +1169,35 @@
} else if (actionCode == ActionCode.ACTION_REQ_SSL_CERTIFICATE) {
if (ssl && (socket != 0)) {
- // Consume and buffer the request body, so that it does not
- // interfere with the client's handshake messages
+ // Consume and buffer the request body, so that it does not
+ // interfere with the client's handshake messages
InputFilter[] inputFilters = inputBuffer.getFilters();
((BufferedInputFilter)
inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
try {
- // Renegociate certificates
- SSLSocket.renegotiate(socket);
- // Get client certificate and the certificate chain if
present
- int certLength = SSLSocket.getInfoI(socket,
SSL.SSL_INFO_CLIENT_CERT_CHAIN);
- byte[] clientCert = SSLSocket.getInfoB(socket,
SSL.SSL_INFO_CLIENT_CERT);
- X509Certificate[] certs = null;
- if (clientCert != null) {
- certs = new X509Certificate[certLength + 1];
- CertificateFactory cf =
CertificateFactory.getInstance("X.509");
- certs[0] = (X509Certificate)
cf.generateCertificate(new ByteArrayInputStream(clientCert));
- for (int i = 0; i < certLength; i++) {
- byte[] data = SSLSocket.getInfoB(socket,
SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
- certs[i+1] = (X509Certificate)
cf.generateCertificate(new ByteArrayInputStream(data));
+ // Configure connection to require a certificate
+ SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE,
+ endpoint.getSSLVerifyDepth());
+ // Renegotiate certificates
+ if (SSLSocket.renegotiate(socket) == 0) {
+ // Don't look for certs unless we know renegotiation
worked.
+ // Get client certificate and the certificate chain if
present
+ // certLength == -1 indicates an error
+ int certLength =
SSLSocket.getInfoI(socket,SSL.SSL_INFO_CLIENT_CERT_CHAIN);
+ byte[] clientCert = SSLSocket.getInfoB(socket,
SSL.SSL_INFO_CLIENT_CERT);
+ X509Certificate[] certs = null;
+ if (clientCert != null && certLength > -1) {
+ certs = new X509Certificate[certLength + 1];
+ CertificateFactory cf =
CertificateFactory.getInstance("X.509");
+ certs[0] = (X509Certificate)
cf.generateCertificate(new ByteArrayInputStream(clientCert));
+ for (int i = 0; i < certLength; i++) {
+ byte[] data = SSLSocket.getInfoB(socket,
SSL.SSL_INFO_CLIENT_CERT_CHAIN + i);
+ certs[i+1] = (X509Certificate)
cf.generateCertificate(new ByteArrayInputStream(data));
+ }
+ }
+ if (certs != null) {
+ request.setAttribute(AprEndpoint.CERTIFICATE_KEY,
certs);
}
- }
- if (certs != null) {
- request.setAttribute(AprEndpoint.CERTIFICATE_KEY,
certs);
}
} catch (Exception e) {
log.warn(sm.getString("http11processor.socket.ssl"), e);
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLSocket.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLSocket.java?rev=832222&r1=832221&r2=832222&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLSocket.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSLSocket.java Tue Nov 3
00:28:22 2009
@@ -57,6 +57,29 @@
public static native int renegotiate(long thesocket);
/**
+ * Set Type of Client Certificate verification and Maximum depth of CA
+ * Certificates in Client Certificate verification.
+ * <br />
+ * This is used to change the verification level for a connection prior to
+ * starting a re-negotiation.
+ * <br />
+ * The following levels are available for level:
+ * <PRE>
+ * SSL_CVERIFY_NONE - No client Certificate is required at all
+ * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
+ * SSL_CVERIFY_REQUIRE - The client has to present a valid
+ * Certificate
+ * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
+ * but it need not to be (successfully)
+ * verifiable
+ * </PRE>
+ * <br />
+ * @param sock The socket to change.
+ * @param level Type of Client Certificate verification.
+ */
+ public static native void setVerify(long sock, int level, int depth);
+
+ /**
* Return SSL Info parameter as byte array.
*
* @param sock The socket to read the data from.
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=832222&r1=832221&r2=832222&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Nov 3 00:28:22 2009
@@ -36,6 +36,9 @@
<section name="Tomcat 6.0.21 (remm)">
<subsection name="Catalina">
<changelog>
+ <update>
+ Update required version for native to 1.1.17. (rjung)
+ </update>
<fix>
Fix issues with expression language when running under a
SecurityManager. (markt)
@@ -230,6 +233,10 @@
<subsection name="Coyote">
<changelog>
<fix>
+ <bug>46950</bug>: Fix doing SSL renegotiation when a resource with
CLIENT-CERT
+ auth is requested. (markt)
+ </fix>
+ <fix>
Align tcnative native and Java method names. (rjung)
</fix>
<update>Dont report thread count from connector if an external executor
is used.</update>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
