Author: markt Date: Mon Aug 21 08:20:06 2017 New Revision: 1805605 URL: http://svn.apache.org/viewvc?rev=1805605&view=rev Log: Ensure that the APR/native connector uses blocking I/O for TLS renegotiation.
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805605&r1=1805604&r2=1805605&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Mon Aug 21 08:20:06 2017 
@@ -2835,10 +2835,50 @@ public class AprEndpoint extends Abstrac
     @Override
     public void doClientAuth(SSLSupport sslSupport) throws IOException {
         long socket = getSocket().longValue();
-        // Configure connection to require a certificate
+        // Configure connection to require a certificate. This requires a
+        // re-handshake and must block until the re-handshake completes.
+        // Therefore, make sure socket is in blocking mode.
+        Lock readLock = getBlockingStatusReadLock();
+        WriteLock writeLock = getBlockingStatusWriteLock();
+        boolean renegotiateDone = false;
         try {
-            SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
-            SSLSocket.renegotiate(socket);
+            readLock.lock();
+            try {
+                if (getBlockingStatus()) {
+                    Socket.timeoutSet(getSocket().longValue(), getReadTimeout() * 1000);
+
+                    SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
+                    SSLSocket.renegotiate(socket);
+
+                    renegotiateDone = true;
+                }
+            } finally {
+                readLock.unlock();
+            }
+
+            if (!renegotiateDone) {
+                writeLock.lock();
+                try {
+                    // Set the current settings for this socket
+                    setBlockingStatus(true);
+                    Socket.timeoutSet(getSocket().longValue(), getReadTimeout() * 1000);
+                    // Downgrade the lock
+                    readLock.lock();
+                    try {
+                        writeLock.unlock();
+                        SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
+                        SSLSocket.renegotiate(socket);
+                    } finally {
+                        readLock.unlock();
+                    }
+                } finally {
+                    // Should have been released above but may not have been on some
+                    // exception paths
+                    if (writeLock.isHeldByCurrentThread()) {
+                        writeLock.unlock();
+                    }
+                }
+            }
         } catch (Throwable t) {
             ExceptionUtils.handleThrowable(t);
             throw new IOException(sm.getString("socket.sslreneg"), t);

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805605&r1=1805604&r2=1805605&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml 
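Review bot: Both `Socket.timeoutSet(getSocket().longValue(), getReadTimeout() * 1000)` calls re-fetch the native handle that the method already stored in `socket` a few lines earlier, so the read-lock and write-lock branches should use `Socket.timeoutSet(socket, getReadTimeout() * 1000)`, making it visible that the timeout, the verify mode and the renegotiation all apply to the same socket. The `setVerify`/`renegotiate` pair is likewise duplicated in both branches; extracting it into a small private helper taking `socket` would keep the two paths from drifting apart. Since the re-handshake now blocks the calling thread for up to the read timeout, the header comment should state that consequence, e.g. `// Blocks for up to getReadTimeout(); a client that never completes the re-handshake holds this thread for that long`, and how `Socket.timeoutSet` treats a non-positive read timeout is not visible in this hunk and is worth confirming before relying on it as the upper bound. The method's closing brace lies outside the hunk.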
Mon Aug 21 08:20:06 2017 @@ -97,6 +97,10 @@ Fix possible race condition when setting IO listeners on an upgraded connection. (remm) </fix> + <fix> + Ensure that the APR/native connector uses blocking I/O for TLS + renegotiation. (markt) + </fix> </changelog> </subsection> <subsection name="Other"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org