From 2ffb423370ed1dabe4896e3f85490c7dab0d1dde Mon Sep 17 00:00:00 2001
From: markt
Date: Thu, 3 Feb 2011 09:20:34 +0000
Subject: [PATCH] Hmm. Can't see a way (without changing the connector code) to test SSL renegotiation failure if the JVM supports RFC5746. Need to think about this some more. In the meantime, get the tests working.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1066766 13f79535-47bb-0310-9956-ffa450edef68
---
 test/org/apache/tomcat/util/net/TestSsl.java | 13 +++++++--
 test/org/apache/tomcat/util/net/TesterSupport.java | 31 ++++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/test/org/apache/tomcat/util/net/TestSsl.java b/test/org/apache/tomcat/util/net/TestSsl.java
index 22ab73938..cbec9e5a0 100644
--- a/test/org/apache/tomcat/util/net/TestSsl.java
+++ b/test/org/apache/tomcat/util/net/TestSsl.java
@@ -69,6 +69,13 @@ public class TestSsl extends TomcatBaseTest {
 boolean handshakeDone = false;
 public void testRenegotiateFail() throws Exception {
+
+ // If RFC5746 is supported, renegotiation will always will (and will
+ // always be secure)
+ if (TesterSupport.RFC_5746_SUPPORTED) {
+ return;
+ }
+
 Tomcat tomcat = getTomcatInstance();
 File appDir = new File(getBuildDirectory(), "webapps/examples");
@@ -200,8 +207,10 @@ public class TestSsl extends TomcatBaseTest {
 @Override
 public void setUp() throws Exception {
- // Make sure SSL renegotiation is not disabled in the JVM
- System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
+ if (!TesterSupport.RFC_5746_SUPPORTED) {
+ // Make sure SSL renegotiation is not disabled in the JVM
+ System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
+ }
 super.setUp();
 }
 }
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java b/test/org/apache/tomcat/util/net/TesterSupport.java
index 60682957a..7a7987e77 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
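Review bot: The new comment at the top of testRenegotiateFail reads `renegotiation will always will (and will always be secure)`, which has lost its verb and does not say why that makes the test unrunnable. Suggest `// If RFC 5746 is supported, renegotiation will always succeed (and will always be secure), so the rejection this test checks for cannot be provoked`. The early `return` also makes the method pass vacuously; if the test framework in use here offers no skip facility (this looks like a JUnit 3-style TestCase), a short log line saying the test was skipped would stop a green run from being misread as coverage of the failure path. The rest of testRenegotiateFail continues outside the hunk.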
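Review bot: In setUp, `System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true")` is still never undone, so after this class runs, unsafe renegotiation stays enabled for every later test in the same JVM; the new guard only narrows when the property is set, not for how long. Pairing it with a tearDown that clears the property (or restores its previous value) keeps the relaxation scoped to this class. One ordering point worth checking as well: evaluating `TesterSupport.RFC_5746_SUPPORTED` in the guard triggers TesterSupport's static initializer, which builds an SSLContext (next hunk) before the property is set, so if the provider reads this flag once at class-initialization time the setting here would come too late — I cannot confirm from the hunk which way the provider behaves.
```java
@Override
public void tearDown() throws Exception {
    try {
        super.tearDown();
    } finally {
        // Do not leave unsafe renegotiation enabled for the rest of the JVM
        System.clearProperty("sun.security.ssl.allowUnsafeRenegotiation");
    }
}
```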
@@ -17,14 +17,44 @@
 package org.apache.tomcat.util.net;
 import java.io.File;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import org.apache.catalina.startup.Tomcat;
 public final class TesterSupport {
+
+ protected static final boolean RFC_5746_SUPPORTED;
+
+ static {
+ boolean result = false;
+ SSLContext context;
+ try {
+ context = SSLContext.getInstance("TLS");
+ context.init(null, null, new SecureRandom());
+ SSLServerSocketFactory ssf = context.getServerSocketFactory();
+ String ciphers[] = ssf.getSupportedCipherSuites();
+ for (String cipher : ciphers) {
+ if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+ result = true;
+ break;
+ }
+ }
+ } catch (NoSuchAlgorithmException e) {
+ // Assume no RFC 5746 support
+ } catch (KeyManagementException e) {
+ // Assume no RFC 5746 support
+ }
+ RFC_5746_SUPPORTED = result;
+ }
+
 protected static final TrustManager[] TRUST_ALL_CERTS = new TrustManager[] {
 new X509TrustManager() {
 @Override
@@ -65,4 +95,5 @@ public final class TesterSupport {
 tomcat.getConnector().setSecure(true);
 tomcat.getConnector().setProperty("SSLEnabled", "true");
 }
+
 }
--
2.11.0
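Review bot: RFC_5746_SUPPORTED carries no comment explaining what it means or how the static block detects it; a reader has to already know that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is the signalling cipher suite value defined by RFC 5746 and that the provider lists it among its supported suites when secure renegotiation is implemented. Suggest a Javadoc on the field: `/** True if the JVM's TLS provider implements RFC 5746 (secure renegotiation), detected by the presence of the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling suite in the default TLS context. */`. The check is provider-specific — a provider that implements RFC 5746 without advertising the SCSV as a suite name would be reported as unsupported, and the two identical catch blocks treat any failure to build a default TLS context the same way — so the comment should say that a false result means "not detected", not "absent". Minor style: `String ciphers[]` should be `String[] ciphers`, and the two catch blocks could share a single explanatory comment rather than repeating it.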