Hmm. Can't see a way (without changing the connector code) to test SSL renegotiation...
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Thu, 3 Feb 2011 09:20:34 +0000 (09:20 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Thu, 3 Feb 2011 09:20:34 +0000 (09:20 +0000)
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1066766 13f79535-47bb-0310-9956-ffa450edef68

test/org/apache/tomcat/util/net/TestSsl.java
test/org/apache/tomcat/util/net/TesterSupport.java

index 22ab739..cbec9e5 100644 (file)
@@ -69,6 +69,13 @@ public class TestSsl extends TomcatBaseTest {
     boolean handshakeDone = false;
     
     public void testRenegotiateFail() throws Exception {
+        
+        // If RFC5746 is supported, renegotiation will always will (and will
+        // always be secure)
+        if (TesterSupport.RFC_5746_SUPPORTED) {
+            return;
+        }
+
         Tomcat tomcat = getTomcatInstance();
 
         File appDir = new File(getBuildDirectory(), "webapps/examples");
@@ -200,8 +207,10 @@ public class TestSsl extends TomcatBaseTest {
 
     @Override
     public void setUp() throws Exception {
-        // Make sure SSL renegotiation is not disabled in the JVM
-        System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
+        if (!TesterSupport.RFC_5746_SUPPORTED) {
+            // Make sure SSL renegotiation is not disabled in the JVM
+            System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
+        }
         super.setUp();
     }
 }
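Review bot: The comment added at the top of testRenegotiateFail reads "renegotiation will always will", which looks like a typo for `// If RFC5746 is supported, renegotiation will always work (and will always be secure)`. The early return that follows also makes the test pass silently on a JVM that supports RFC 5746 rather than being reported as skipped; writing a line to the test log before the `return` would make that outcome visible in the results. The body of testRenegotiateFail continues beyond the hunk. In the setUp hunk, `sun.security.ssl.allowUnsafeRenegotiation` is still set JVM-wide and nothing visible here restores it, so unless a tearDown elsewhere in the class clears it, later tests in the same JVM keep running with unsafe renegotiation enabled; saving the previous value and restoring it in tearDown would contain the effect to this test class.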
index 6068295..7a7987e 100644 (file)
 package org.apache.tomcat.util.net;
 
 import java.io.File;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
 import org.apache.catalina.startup.Tomcat;
 
 public final class TesterSupport {
+    
+    protected static final boolean RFC_5746_SUPPORTED;
+
+    static {
+        boolean result = false;
+        SSLContext context;
+        try {
+            context = SSLContext.getInstance("TLS");
+            context.init(null, null, new SecureRandom());
+            SSLServerSocketFactory ssf = context.getServerSocketFactory();
+            String ciphers[] = ssf.getSupportedCipherSuites();
+            for (String cipher : ciphers) {
+                if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+                    result = true;
+                    break;
+                }
+            }
+        } catch (NoSuchAlgorithmException e) {
+            // Assume no RFC 5746 support
+        } catch (KeyManagementException e) {
+            // Assume no RFC 5746 support
+        }
+        RFC_5746_SUPPORTED = result;
+    }
+
     protected static final TrustManager[] TRUST_ALL_CERTS = new TrustManager[] { 
         new X509TrustManager() { 
             @Override
@@ -65,4 +95,5 @@ public final class TesterSupport {
         tomcat.getConnector().setSecure(true);            
         tomcat.getConnector().setProperty("SSLEnabled", "true");
     }
+    
 }
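Review bot: The new RFC_5746_SUPPORTED constant carries no comment saying what it signals, and the static block that computes it uses the C-style declaration `String ciphers[]` where Java convention is `String[] ciphers`. A Javadoc such as `/** True when the JVM advertises TLS_EMPTY_RENEGOTIATION_INFO_SCSV among its supported cipher suites, i.e. RFC 5746 secure renegotiation is available. */` would tell readers why TestSsl branches on it. The scan loop could be reduced to `result = Arrays.asList(ssf.getSupportedCipherSuites()).contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV");` with `java.util.Arrays` added to the imports at the top of the hunk, leaving the behaviour unchanged. The final hunk, which only adds a blank line before the closing brace, can be dropped.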