<cos...@apache.org> wrote in message
news:20091110010244.4f8382388...@eris.apache.org...
> Author: costin
> Date: Tue Nov 10 01:02:43 2009
> New Revision: 834289
>
> URL: http://svn.apache.org/viewvc?rev=834289&view=rev
> Log:
> Fix for the SSL midm - disable client re-negotiation, connection will be
> closed.
>
>
> Modified:
>
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> Modified:
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff
> ==============================================================================
> ---
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> (original)
> +++
> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
> Tue Nov 10 01:02:43 2009
> @@ -42,6 +42,8 @@
> import java.util.Vector;
>
> import javax.net.ssl.CertPathTrustManagerParameters;
> +import javax.net.ssl.HandshakeCompletedEvent;
> +import javax.net.ssl.HandshakeCompletedListener;
> import javax.net.ssl.KeyManager;
> import javax.net.ssl.KeyManagerFactory;
> import javax.net.ssl.ManagerFactoryParameters;
> @@ -93,6 +95,9 @@
> private static final int defaultSessionCacheSize = 0;
> private static final int defaultSessionTimeout = 86400;
>
> + private static final boolean midmMode =
> +
> "true".equals(System.getProperty("enable_ssl_mitm_vulnerability"));
> +
> static org.apache.juli.logging.Log log =
>
> org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
>
> @@ -154,12 +159,34 @@
> SSLSocket asock = null;
> try {
> asock = (SSLSocket)socket.accept();
> + if (!midmMode) {
> + asock.addHandshakeCompletedListener(
> + new DisableSslRenegotiation());
> + }
> configureClientAuth(asock);
> } catch (SSLException e){
> throw new SocketException("SSL handshake error" + e.toString());
> }
> return asock;
> }
> +
> + private static class DisableSslRenegotiation
> + implements HandshakeCompletedListener {
> + private volatile boolean completed = false;
> +
> + public void handshakeCompleted(HandshakeCompletedEvent event) {
> + if (completed) {
> + try {
> + log.warn("SSL renegotiation is disabled, closing
> connection");
> + event.getSocket().close();
This is just a nuisance. The black-hat can simply reconnect and request to
resume the session. At the very least, the session would need to be
invalidated as well. But from what I've read, even this isn't a very
effective mitigation tactic. Since we are notified after the handshake is
done, the black-hat already has all the information she needs to continue
the attack.
> + } catch (IOException e) {
> + // ignore
> + }
> + }
> + completed = true;
> + }
> + }
> +
>
> @Override
> public void handshake(Socket sock) throws IOException {
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
