Author: markt
Date: Sat Jan 30 19:14:15 2010
New Revision: 904851
URL: http://svn.apache.org/viewvc?rev=904851&view=rev
Log:
Apply the alternative fix for CVE-2009-3555: SSL MITM
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=904851&r1=904850&r2=904851&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Sat Jan 30 19:14:15 2010
@@ -86,14 +86,6 @@
+1: markt, kkolinko
-1:
-* Alternative fix for CVE-2009-3555 SSL MITN
- The current patch uses an async callback to close the socket. It is
- technically possible an attack may succeed before the socket is closed
- The new patch only logs failed server initiated negotiations.
- http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch
- +1: markt, rjung, kkolinko
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47609
Implement fail-safe EOL conversion for source distributions
Based on a patch provided by sebb
Modified:
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=904851&r1=904850&r2=904851&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Sat Jan 30 19:14:15 2010
@@ -29,8 +29,6 @@
import java.security.KeyStore;
import java.util.Vector;
-import javax.net.ssl.HandshakeCompletedEvent;
-import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
@@ -118,11 +116,6 @@
SSLSocket asock = null;
try {
asock = (SSLSocket)socket.accept();
- if (!allowUnsafeLegacyRenegotiation) {
- asock.addHandshakeCompletedListener(
- new DisableSslRenegotiation());
- }
-
configureClientAuth(asock);
} catch (SSLException e){
throw new SocketException("SSL handshake error" + e.toString());
@@ -131,27 +124,13 @@
}
- private static class DisableSslRenegotiation
- implements HandshakeCompletedListener {
- private volatile boolean completed = false;
-
- public void handshakeCompleted(HandshakeCompletedEvent event) {
- if (completed) {
- try {
- log.warn("SSL renegotiation is disabled, closing
connection");
- event.getSession().invalidate();
- event.getSocket().close();
- } catch (IOException e) {
- // ignore
- }
- }
- completed = true;
- }
- }
-
-
public void handshake(Socket sock) throws IOException {
((SSLSocket)sock).startHandshake();
+
+ if (!allowUnsafeLegacyRenegotiation) {
+ // Prevent futher handshakes by removing all cipher suites
+ ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
+ }
}
/*
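Review bot: The comment on the added `setEnabledCipherSuites(new String[0])` line has a typo (`futher`) and, more importantly, leaves the cross-file contract undocumented: JSSESupport.handShake() treats an empty enabled-suite list as the "renegotiation disabled" signal, so anyone later changing this mechanism has to change both places. Suggested comment: `// CVE-2009-3555: with no enabled cipher suites a renegotiation can never complete. JSSESupport.handShake() relies on this empty list to detect the state, so keep the two in step.` The repeated cast could be hoisted into a local `SSLSocket sslSock = (SSLSocket) sock;` used for both calls. Note that this also blocks the secure form of renegotiation once the JSSE provider implements RFC 5746, so the allowUnsafeLegacyRenegotiation switch should be revisited at that point; handshake() starts and ends inside the hunk.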
Modified:
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=904851&r1=904850&r2=904851&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
Sat Jan 30 19:14:15 2010
@@ -132,6 +132,16 @@
protected void handShake() throws IOException {
ssl.setNeedClientAuth(true);
+
+ if (ssl.getEnabledCipherSuites().length == 0) {
+ // Handshake is never going to be successful.
+ // Assume this is because handshakes are disabled
+ log.warn("SSL server initiated renegotiation is disabled, closing
connection");
+ ssl.getSession().invalidate();
+ ssl.close();
+ return;
+ }
+
ssl.startHandshake();
}
/**
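Review bot: The added guard before `ssl.startHandshake()` logs at warn level on every request for a CLIENT-CERT protected resource over a connection that did not present a certificate in the initial handshake, which is presumably the common case unless the connector is configured with clientAuth; a stream of these warnings is then easy to misread as an attack rather than a configuration gap. Make the message actionable, e.g. `log.warn("SSL server initiated renegotiation is disabled, closing connection; set clientAuth on the connector to request client certificates in the initial handshake");`. The guard could also sit above `ssl.setNeedClientAuth(true)` so a socket that is about to be closed is not reconfigured first. The empty-suite check mirrors what JSSESocketFactory.handshake() does after the initial handshake; a comment naming that method would make the coupling explicit. handShake() starts and ends inside the hunk, and failing closed here (close rather than proceed) is the right default.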