From eaf2a1058a9e99fea780368415814785308d2f35 Mon Sep 17 00:00:00 2001
From: costin
Date: Tue, 10 Nov 2009 01:02:43 +0000
Subject: [PATCH] Fix for the SSL midm - disable client re-negotiation, connection will be closed.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@834289 13f79535-47bb-0310-9956-ffa450edef68
---
 .../tomcat/util/net/jsse/JSSESocketFactory.java | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index 98e60cf5d..0697c07db 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -42,6 +42,8 @@ import java.util.Collection;
 import java.util.Vector;
 import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.ManagerFactoryParameters;
@@ -93,6 +95,9 @@ public class JSSESocketFactory
     private static final int defaultSessionCacheSize = 0;
     private static final int defaultSessionTimeout = 86400;
+    private static final boolean midmMode =
+        "true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
+
     static org.apache.juli.logging.Log log =
         org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
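Review bot: The opt-out flag `midmMode` is evaluated silently at class initialisation, so an operator who sets `enable_ssl_mitm_vulnerability=true` gets no record that the connector is accepting client-initiated renegotiation again; a one-time `log.warn(...)` in a static initialiser placed after the `log` field (static initialisers run in declaration order, and `log` is declared after the new field in this hunk) would surface it. The field name `midmMode` also disagrees with the `mitm` spelling in the property name, which makes the pair hard to search for; `mitmMode` would match. A comment on the field should state what the property does, e.g. `// Escape hatch for clients that depend on renegotiation: restores the insecure behaviour, off by default.`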
@@ -154,12 +159,34 @@ public class JSSESocketFactory
         SSLSocket asock = null;
         try {
             asock = (SSLSocket)socket.accept();
+            if (!midmMode) {
+                asock.addHandshakeCompletedListener(
+                    new DisableSslRenegotiation());
+            }
             configureClientAuth(asock);
         } catch (SSLException e){
             throw new SocketException("SSL handshake error" + e.toString());
         }
         return asock;
     }
+
+    private static class DisableSslRenegotiation
+        implements HandshakeCompletedListener {
+        private volatile boolean completed = false;
+
+        public void handshakeCompleted(HandshakeCompletedEvent event) {
+            if (completed) {
+                try {
+                    log.warn("SSL renegotiation is disabled, closing connection");
+                    event.getSocket().close();
+                } catch (IOException e) {
+                    // ignore
+                }
+            }
+            completed = true;
+        }
+    }
+
     @Override
+    public void handshake(Socket sock) throws IOException {
-- 
2.11.0
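Review bot: `DisableSslRenegotiation.handshakeCompleted` fires only after a second handshake has fully completed, so the new listener terminates the connection after a renegotiation rather than refusing it; whatever the container already read from the first session before that point has been processed as usual, and the class Javadoc should say so to avoid the impression that renegotiation is blocked at the TLS layer. Something like `/** Closes the socket once a second handshake completes on it; renegotiation is cut short, not prevented. */` above the class would cover it. The listener is attached only in the `acceptSocket` path shown here; whether this factory hands out SSL sockets elsewhere that would need the same listener cannot be seen from this hunk. `acceptSocket` begins above the hunk and `handshake` continues below it.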