Author: markt
Date: Mon Jan 31 23:43:38 2011
New Revision: 1065859
URL: http://svn.apache.org/viewvc?rev=1065859&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1065859&r1=1065858&r2=1065859&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Mon Jan 31 23:43:38 2011
@@ -26,7 +26,9 @@ import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
+import java.security.KeyManagementException;
import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CRL;
@@ -78,12 +80,16 @@ import org.apache.tomcat.util.res.String
*/
public class JSSESocketFactory implements ServerSocketFactory {
+ private static final org.apache.juli.logging.Log log =
+ org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
+ private static final boolean RFC_5746_SUPPORTED;
+
// Defaults - made public where re-used
- static String defaultProtocol = "TLS";
- static String defaultKeystoreType = "JKS";
+ private static final String defaultProtocol = "TLS";
+ private static final String defaultKeystoreType = "JKS";
private static final String defaultKeystoreFile
= System.getProperty("user.home") + "/.keystore";
private static final int defaultSessionCacheSize = 0;
@@ -91,8 +97,28 @@ public class JSSESocketFactory implement
private static final String ALLOW_ALL_SUPPORTED_CIPHERS = "ALL";
public static final String DEFAULT_KEY_PASS = "changeit";
- static final org.apache.juli.logging.Log log =
- org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
+ static {
+ boolean result = false;
+ SSLContext context;
+ try {
+ context = SSLContext.getInstance("TLS");
+ context.init(null, null, new SecureRandom());
+ SSLServerSocketFactory ssf = context.getServerSocketFactory();
+ String ciphers[] = ssf.getSupportedCipherSuites();
+ for (String cipher : ciphers) {
+ if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+ result = true;
+ break;
+ }
+ }
+ } catch (NoSuchAlgorithmException e) {
+ // Assume no RFC 5746 support
+ } catch (KeyManagementException e) {
+ // Assume no RFC 5746 support
+ }
+ RFC_5746_SUPPORTED = result;
+ }
+
private AbstractEndpoint endpoint;
@@ -168,8 +194,8 @@ public class JSSESocketFactory implement
if (session.getCipherSuite().equals("SSL_NULL_WITH_NULL_NULL"))
throw new IOException("SSL handshake failed. Ciper suite in SSL
Session is SSL_NULL_WITH_NULL_NULL");
- if (!allowUnsafeLegacyRenegotiation) {
- // Prevent futher handshakes by removing all cipher suites
+ if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
+ // Prevent further handshakes by removing all cipher suites
((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
}
}
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1065859&r1=1065858&r2=1065859&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Jan 31 23:43:38 2011
@@ -126,6 +126,12 @@
<code>event.close()</code> during an END event. (markt)
</fix>
<fix>
+ <bug>50325</bug>: When the JVM indicates support for RFC 5746, disable
+ Tomcat's <code>allowUnsafeLegacyRenegotiation</code> configuration
+ attribute and use the JVM configuration to control renegotiation.
+ (markt)
+ </fix>
+ <fix>
<bug>50405</bug>: Fix occassional NPE when using NIO connector and
Comet. (markt)
</fix>
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1065859&r1=1065858&r2=1065859&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon Jan 31 23:43:38 2011
@@ -864,7 +864,13 @@
<p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
protocol that allows an attacker to inject arbitrary data into the user's
- request. If not specified, a default of <code>false</code> is used.</p>
+ request. If not specified, a default of <code>false</code> is used. This
+ attribute only has an effect if the JVM does not support RFC 5746 as
+ indicated by the presence of the pseudo-ciphersuite
+ TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available JRE/JDK 6 update 22
+ onwards. Where RFC 5746 is supported the renegotiation - including
support
+ for unsafe legacy renegotiation - is controlled by the JVM configuration.
+ </p>
</attribute>
<attribute name="ciphers" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
