https://issues.apache.org/bugzilla/show_bug.cgi?id=48236
Summary: another workaround for CVE-2009-3555 for the BIO connector
Product: Tomcat 6
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Connectors
AssignedTo: [email protected]
ReportedBy: [email protected]
Since Revision 881774 of org/apache/tomcat/util/net/jsse/JSSESocketFactory.java,
SSL renegotiation can be disabled.
That is achieved by a HandshakeCompletedListener. The drawback is that in the
JSSE from SUN any HandshakeCompletedListener will be invoked in its own
thread (see com.sun.net.ssl.internal.ssl.SSLSocketImpl or the fragment below).
Another way of disabling SSL renegotiation is to set an empty cipher
list after the initial handshake:
org.apache.tomcat.util.net.jsse.JSSESocketFactory
...
...
    public void handshake(Socket sock) throws IOException {
        // initial handshake, as before
        ((SSLSocket) sock).startHandshake();
        if (!allowUnsafeLegacyRenegotiation) {
            // disable all ciphers, avoiding any subsequent handshake
            ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
        }
    }
Regards
Hartmut
com.sun.net.ssl.internal.ssl.SSLSocketImpl code fragment:

    if (handshaker.isDone()) {
        sess = handshaker.getSession();
        handshaker = null;
        connectionState = cs_DATA;

        //
        // Tell folk about handshake completion, but do
        // it in a separate thread.
        //
        if (handshakeListeners != null) {
            HandshakeCompletedEvent event =
                new HandshakeCompletedEvent(this, sess);

            Thread t = new NotifyHandshakeThread(
                handshakeListeners.entrySet(), event);
            t.start();
        }
    }
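The two mechanisms discussed in the report, side by side, as an added example that is not part of the bug report and not Tomcat's own code. The class name RenegotiationGuard, the method names, and the renegotiationRefused check are hypothetical; the field name mirrors Tomcat's allowUnsafeLegacyRenegotiation connector attribute. The main method assumes the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties point at a server keystore so the default SSLServerSocketFactory can serve a certificate.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/**
 * Two ways to refuse TLS renegotiation on an accepted server-side SSLSocket.
 * Hypothetical helper (not Tomcat code); the flag name follows Tomcat's
 * allowUnsafeLegacyRenegotiation connector attribute.
 */
public final class RenegotiationGuard {

    /** Assumption: false means "refuse any handshake after the first one". */
    private final boolean allowUnsafeLegacyRenegotiation;

    public RenegotiationGuard(boolean allowUnsafeLegacyRenegotiation) {
        this.allowUnsafeLegacyRenegotiation = allowUnsafeLegacyRenegotiation;
    }

    /**
     * Variant 1: listener-based. The first completion is the initial handshake;
     * any later completion means the peer renegotiated, so the socket is closed.
     * JSSE delivers the event from its own NotifyHandshakeThread, so the close
     * runs concurrently with the connection thread and only after the second
     * handshake has already completed.
     */
    public void handshakeWithListener(Socket sock) throws IOException {
        final SSLSocket ssl = (SSLSocket) sock;
        if (!allowUnsafeLegacyRenegotiation) {
            ssl.addHandshakeCompletedListener(new HandshakeCompletedListener() {
                private int completed = 0; // guarded by the listener's monitor

                public void handshakeCompleted(HandshakeCompletedEvent event) {
                    int n;
                    synchronized (this) {
                        n = ++completed;
                    }
                    if (n > 1) {
                        try {
                            ssl.close();
                        } catch (IOException ignored) {
                            // the connection thread may already have closed it
                        }
                    }
                }
            });
        }
        ssl.startHandshake();
    }

    /**
     * Variant 2: empty cipher list. The established session keeps the suite it
     * negotiated, but no suite is enabled for any further handshake, so a
     * renegotiation attempt fails inside the handshaker on the connection
     * thread itself: no extra thread and no window in which it has succeeded.
     */
    public void handshakeWithEmptyCipherList(Socket sock) throws IOException {
        SSLSocket ssl = (SSLSocket) sock;
        ssl.startHandshake();
        if (!allowUnsafeLegacyRenegotiation) {
            ssl.setEnabledCipherSuites(new String[0]);
        }
    }

    /** True once variant 2 has been applied: no suite is left for a new handshake. */
    public static boolean renegotiationRefused(SSLSocket ssl) {
        return ssl.getEnabledCipherSuites().length == 0;
    }

    /**
     * Minimal accept loop. Assumes javax.net.ssl.keyStore / keyStorePassword
     * are set on the command line so the default factory has a certificate.
     */
    public static void main(String[] args) throws IOException {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8443;
        RenegotiationGuard guard = new RenegotiationGuard(false);
        SSLServerSocket server = (SSLServerSocket)
                SSLServerSocketFactory.getDefault().createServerSocket(port);
        while (true) {
            SSLSocket client = (SSLSocket) server.accept();
            guard.handshakeWithEmptyCipherList(client);
            System.out.println(client.getSession().getCipherSuite()
                    + " negotiated; renegotiation refused = "
                    + renegotiationRefused(client));
            client.close();
        }
    }
}
```

Either variant also blocks legitimate server-initiated renegotiation (for example a re-handshake to request a client certificate for a protected context), which is why Tomcat exposes the behaviour as a connector setting rather than hard-coding it. Both variants target the JSSE of the report's era; later JSSE releases implement the RFC 5746 secure renegotiation extension, and TLS 1.3 has no renegotiation at all, so check the platform before relying on a workaround like this.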