From: markt
Date: Wed, 20 Aug 2008 23:20:42 +0000 (+0000)
Subject: Improved fix for 45528 (invalid SSL config).
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=7a91561bbad55515357443096191134e8e58632d;p=tomcat7.0

Improved fix for 45528 (invalid SSL config).
It is a variation on the previous patch that:
- does the check earlier
- uses an unbound socket so there is no possibility of a client connection
- uses the String manager for the error message
Note: I gave up on the alterntaive javax.crypto.Cipher suggestion as the cipher names are different and there is no easy conversion.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@687503 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index 5edf4f809..104154b01 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -26,6 +26,7 @@ import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.CRL;
@@ -428,6 +429,9 @@ public class JSSESocketFactory
 getEnabledCiphers(requestedCiphers, sslProxy.getSupportedCipherSuites());
 
+ // Check the SSL config is OK
+ checkConfig();
+
 } catch(Exception e) {
 if( e instanceof IOException )
 throw (IOException)e;
@@ -692,7 +696,7 @@ public class JSSESocketFactory
 * Configures the given SSL server socket with the requested cipher suites,
 * protocol versions, and need for client authentication
 */
- private void initServerSocket(ServerSocket ssocket) {
+ private void initServerSocket(ServerSocket ssocket) throws IOException {
 SSLServerSocket socket = (SSLServerSocket) ssocket;
@@ -709,4 +713,33 @@ public class JSSESocketFactory
 configureClientAuth(socket);
 }
 
+ /**
+ * Checks that the cetificate is compatible with the enabled cipher suites.
+ * If we don't check now, the JIoEndpoint can enter a nasty logging loop.
+ * See bug 45528.
+ */
+ private void checkConfig() throws IOException {
+ // Create an unbound server socket
+ ServerSocket socket = sslProxy.createServerSocket();
+ initServerSocket(socket);
+
+ // Set the timeout to 1ms as all we care about is if it throws an
+ // exception on accept.
+ socket.setSoTimeout(1);
+ try {
+ socket.accept();
+ // Will never get here - no client can connect to an unbound port
+ } catch (SSLException ssle) {
+ // SSL configuration is invalid. Possibly cert doesn't match ciphers
+ IOException ioe = new IOException(sm.getString(
+ "jsse.invalid_ssl_conf", ssle.getMessage()));
+ ioe.initCause(ssle);
+ throw ioe;
+ } catch (SocketTimeoutException ste) {
+ // Expected if all is well - do nothing
+ } finally {
+ socket.close();
+ }
+
+ }
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties b/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
index 79c34c4a5..58db59288 100644
--- a/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
@@ -15,3 +15,4 @@ jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
 jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}
\ No newline at end of file
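Review bot: The `ServerSocket` obtained from `sslProxy.createServerSocket()` at the top of `checkConfig()` leaks whenever `initServerSocket(socket)` or `socket.setSoTimeout(1)` throws, because the `try`/`finally` that closes it only begins at `socket.accept()` — and `initServerSocket` now declares `throws IOException` (that hunk is on the previous line and is cut off at the chunk edge). The probe also treats only `SocketTimeoutException` as the healthy outcome; if a JDK answers `accept()` on an unbound socket with a plain `SocketException` instead of timing out, a valid SSL configuration would be rejected at startup, which is the opposite of the Javadoc's stated intent of failing fast only on a certificate/cipher-suite mismatch. I'd open the `try` right after `createServerSocket()` and treat a `SocketException` from the probe as inconclusive (the pre-patch behaviour) rather than fatal, keeping the `SSLException` branch as the only hard failure, as below. Minor: the Javadoc reads "cetificate".
```java
    private void checkConfig() throws IOException {
        // Create an unbound server socket
        ServerSocket socket = sslProxy.createServerSocket();
        try {
            initServerSocket(socket);
            // Set the timeout to 1ms as all we care about is if it throws an
            // exception on accept.
            socket.setSoTimeout(1);
            socket.accept();
            // Will never get here - no client can connect to an unbound port
        } catch (SSLException ssle) {
            // … unchanged: wrap in IOException via "jsse.invalid_ssl_conf" and rethrow …
        } catch (SocketTimeoutException ste) {
            // Expected if all is well - do nothing
        } catch (SocketException se) {
            // accept() on the unbound socket was refused rather than timed out;
            // that says nothing about the SSL config, so the probe is
            // inconclusive - carry on as before this check existed
        } finally {
            socket.close();
        }
    }
```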