Implement renegotiation for SSL cert authentication
authorfhanik <fhanik@13f79535-47bb-0310-9956-ffa450edef68>
Tue, 1 Mar 2011 20:04:26 +0000 (20:04 +0000)
committerfhanik <fhanik@13f79535-47bb-0310-9956-ffa450edef68>
Tue, 1 Mar 2011 20:04:26 +0000 (20:04 +0000)
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1076008 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/coyote/http11/Http11NioProcessor.java
test/org/apache/tomcat/util/net/TestClientCert.java

index daef7e7..6f6145c 100644 (file)
@@ -23,6 +23,8 @@ import java.nio.channels.SelectionKey;
 import java.util.Locale;
 import java.util.concurrent.Executor;
 
+import javax.net.ssl.SSLEngine;
+
 import org.apache.coyote.ActionCode;
 import org.apache.coyote.Request;
 import org.apache.coyote.RequestInfo;
@@ -42,7 +44,9 @@ import org.apache.tomcat.util.net.NioChannel;
 import org.apache.tomcat.util.net.NioEndpoint;
 import org.apache.tomcat.util.net.NioEndpoint.KeyAttachment;
 import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SecureNioChannel;
 import org.apache.tomcat.util.net.SocketStatus;
+import org.apache.tomcat.util.net.jsse.JSSEFactory;
 
 
 /**
@@ -625,6 +629,19 @@ public class Http11NioProcessor extends AbstractHttp11Processor {
                     .setLimit(maxSavePostSize);
                 inputBuffer.addActiveFilter
                     (inputFilters[Constants.BUFFERED_FILTER]);
+                SecureNioChannel sslChannel = (SecureNioChannel) socket;
+                SSLEngine engine = sslChannel.getSslEngine();
+                if (!engine.getNeedClientAuth()) {
+                    // Need to re-negotiate SSL connection
+                    engine.setNeedClientAuth(true);
+                    try {
+                        sslChannel.rehandshake(endpoint.getSoTimeout());
+                        sslSupport = (new JSSEFactory()).getSSLSupport(engine.getSession());
+                    } catch (IOException ioe) {
+                        log.warn(sm.getString("http11processor.socket.sslreneg",ioe));
+                    }
+                }
+
                 try {
                     Object sslO = sslSupport.getPeerCertificateChain(true);
                     if( sslO != null) {
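Review bot: The `catch (IOException ioe)` block only logs and falls through, so after a failed renegotiation the request proceeds with the old `sslSupport` (the pre-renegotiation session) while the engine has already been switched to `needClientAuth=true` and the channel may be left mid-handshake; the code then relies on `getPeerCertificateChain(true)` returning null to deny access, which should be made explicit and the connection should be marked for closing rather than reused for keep-alive. The stack trace is also lost, because `ioe` is formatted into the message instead of being passed to the logger; `log.warn(sm.getString("http11processor.socket.sslreneg", ioe), ioe);` preserves it. The unconditional `(SecureNioChannel) socket` cast presumably sits under a check that the connector is SSL-enabled, but that guard is outside the hunk and should be confirmed, since on a plain `NioChannel` it would throw `ClassCastException`. Note that a server-initiated renegotiation re-authenticates a request whose headers and buffered body (up to `maxSavePostSize`) were already received on the unauthenticated session, so the deployment depends on the JRE's secure-renegotiation (RFC 5746) support; a comment at the `// Need to re-negotiate SSL connection` line stating this assumption would help the next maintainer. The enclosing method starts and ends outside the hunk.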
index 2835bab..9fb465a 100644 (file)
@@ -103,9 +103,6 @@ public class TestClientCert extends TomcatBaseTest {
         Tomcat tomcat = getTomcatInstance();
 
         String protocol = tomcat.getConnector().getProtocolHandlerClassName();
-        if (protocol.indexOf("Nio") != -1) {
-            return; // Not supported yet (2011-03-01)
-        }
         if (protocol.indexOf("Apr") != -1) {
             return; // Disabled by default in 1.1.20 windows binary (2010-07-27)
         }