Author: markt
Date: Wed Nov 18 13:37:12 2009
New Revision: 881774
URL: http://svn.apache.org/viewvc?rev=881774&view=rev
Log:
Provide a workaround for CVE-2009-3555 for the BIO connector
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Nov 18 13:37:12 2009
@@ -369,12 +369,6 @@
-1:
+0: markt Combined patch needs to have 834047 removed and 881765 added
-* Disable TLS renegotiation be default with an option to re-enable it
- Based on Costin's patch for trunk with Mark's modifications
- http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc6.patch
- +1: markt, billbarker, mturk, kkolinko, jfclere
- -1:
-
* Improvements to memory leak prevention
http://people.apache.org/~markt/patches/2009-11-10-leak-prevention.patch
+1: markt, kkolinko
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Wed Nov 18 13:37:12 2009
@@ -42,6 +42,8 @@
import java.util.Vector;
import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.ManagerFactoryParameters;
@@ -99,6 +101,7 @@
protected String clientAuth = "false";
protected SSLServerSocketFactory sslProxy = null;
protected String[] enabledCiphers;
+ protected boolean allowUnsafeLegacyRenegotiation = false;
/**
* Flag to state that we require client authentication.
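Review bot: The new field `allowUnsafeLegacyRenegotiation` has no Javadoc while the field immediately below it does, and its security meaning is the opposite of what a reader might assume from the name alone (true weakens the connector). A short doc comment would settle it: `/** When true, client-initiated TLS renegotiation is accepted again, re-exposing the connector to CVE-2009-3555; default false rejects it. */`. The enclosing class declaration is outside the hunk.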
@@ -149,12 +152,35 @@
SSLSocket asock = null;
try {
asock = (SSLSocket)socket.accept();
+ if (!allowUnsafeLegacyRenegotiation) {
+ asock.addHandshakeCompletedListener(
+ new DisableSslRenegotiation());
+ }
configureClientAuth(asock);
} catch (SSLException e){
throw new SocketException("SSL handshake error" + e.toString());
}
return asock;
}
+
+ private static class DisableSslRenegotiation
+ implements HandshakeCompletedListener {
+ private volatile boolean completed = false;
+
+ public void handshakeCompleted(HandshakeCompletedEvent event) {
+ if (completed) {
+ try {
+ log.warn("SSL renegotiation is disabled, closing
connection");
+ event.getSession().invalidate();
+ event.getSocket().close();
+ } catch (IOException e) {
+ // ignore
+ }
+ }
+ completed = true;
+ }
+ }
+
public void handshake(Socket sock) throws IOException {
((SSLSocket)sock).startHandshake();
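Review bot: `DisableSslRenegotiation.handshakeCompleted` is invoked after the second handshake has already completed and, in SunJSSE, on a separate notification thread, so closing the socket there races with the request thread that may already be reading post-renegotiation bytes; a comment on the class should state that this is a best-effort mitigation rather than a block of the renegotiation itself. The `catch (IOException e) { // ignore }` hides a failed close with no trace, so replace the comment with `log.debug("Failed to close socket after rejected renegotiation", e);` to keep the close failure correlatable with the warning above it. The `log.warn` also carries no peer information; appending `event.getSocket().getRemoteSocketAddress()` to the message would make the warning actionable for operators. The enclosing accept method starts outside the hunk.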
@@ -447,6 +473,9 @@
enabledCiphers = getEnabledCiphers(requestedCiphers,
sslProxy.getSupportedCipherSuites());
+ allowUnsafeLegacyRenegotiation =
+
"true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
+
// Check the SSL config is OK
checkConfig();
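Review bot: `"true".equals(attributes.get("allowUnsafeLegacyRenegotiation"))` treats any other spelling (`True`, `yes`, `1`) as false, which fails in the safe direction but makes a misspelled server.xml value indistinguishable from the default. A one-line comment above the assignment, `// Only the exact value "true" re-enables renegotiation; anything else keeps the CVE-2009-3555 workaround on.`, documents that choice for the next maintainer. The enclosing init method starts and ends outside the hunk.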
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
Wed Nov 18 13:37:12 2009
@@ -170,7 +170,10 @@
break;
}
}
- ssl.setSoTimeout(oldTimeout);
+ // If legacy re-negotiation is disabled, socked could be closed here
+ if (!ssl.isClosed()) {
+ ssl.setSoTimeout(oldTimeout);
+ }
if (listener.completed == false) {
throw new SocketException("SSL Cert handshake timeout");
}
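Review bot: The `ssl.isClosed()` guard before `ssl.setSoTimeout(oldTimeout)` is a check-then-act: the renegotiation listener added in JSSESocketFactory closes the socket from another thread, so it can close between the check and the call and `setSoTimeout` then throws `SocketException` out of the handshake path. Catching the restore instead, `try { ssl.setSoTimeout(oldTimeout); } catch (SocketException e) { /* closed by renegotiation listener */ }`, covers both orderings; that the listener runs on another thread is inferred from the other file in this commit. The added comment also has a typo, `socked` for `socket`. The enclosing handshake method starts and ends outside the hunk.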
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Nov 18 13:37:12 2009
@@ -316,6 +316,10 @@
Use correct connector attribute (SSLEnabled) rather than secure to
determine if SSL should be used. (fhanik)
</fix>
+ <fix>
+ Provide a workaround for CVE-2009-3555, the TLS renegotiation issue for
+ the default Blocking IO Java connector.
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Nov 18 13:37:12 2009
@@ -755,6 +755,13 @@
certificates.</p>
</attribute>
+ <attribute name="allowUnsafeLegacyRenegotiation" required="false">
+ <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
+ users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
+ protocol that allows an attacker to inject arbitrary data into the user's
+ request. If not specified, a default of <code>false</code> is used.</p>
+ </attribute>
+
</attributes>
<p>For more information, see the