<cos...@apache.org> wrote in message news:20091110010244.4f8382388...@eris.apache.org... > Author: costin > Date: Tue Nov 10 01:02:43 2009 > New Revision: 834289 > > URL: http://svn.apache.org/viewvc?rev=834289&view=rev > Log: > Fix for the SSL midm - disable client re-negotiation, connection will be > closed. > > > Modified: > > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java > > Modified: > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=834289&r1=834288&r2=834289&view=diff > ============================================================================== > --- > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java > (original) > +++ > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java > Tue Nov 10 01:02:43 2009 > @@ -42,6 +42,8 @@ > import java.util.Vector; > > import javax.net.ssl.CertPathTrustManagerParameters; > +import javax.net.ssl.HandshakeCompletedEvent; > +import javax.net.ssl.HandshakeCompletedListener; > import javax.net.ssl.KeyManager; > import javax.net.ssl.KeyManagerFactory; > import javax.net.ssl.ManagerFactoryParameters; > @@ -93,6 +95,9 @@ > private static final int defaultSessionCacheSize = 0; > private static final int defaultSessionTimeout = 86400; > > + private static final boolean midmMode = > + > "true".equals(System.getProperty("enable_ssl_mitm_vulnerability")); > + > static org.apache.juli.logging.Log log = > > org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class); > > @@ -154,12 +159,34 @@ > SSLSocket asock = null; > try { > asock = (SSLSocket)socket.accept(); > + if (!midmMode) { > + asock.addHandshakeCompletedListener( > + new DisableSslRenegotiation()); > + } > configureClientAuth(asock); > } catch (SSLException e){ > throw new SocketException("SSL handshake error" + e.toString()); > } > return asock; > } > + > + private static class DisableSslRenegotiation > + implements HandshakeCompletedListener { > + private volatile boolean completed = false; > + > + public void handshakeCompleted(HandshakeCompletedEvent event) { > + if (completed) { > + try { > + log.warn("SSL renegotiation is disabled, closing > connection"); > + event.getSocket().close();
This is just a nuisance. The black-hat can simply reconnect and request to resume the session. At the very least, the session would need to be invalidated as well. But from what I've read, even this isn't a very effective mitigation tactic. Since we are notified after the handshake is done, the black-hat already has all the information she needs to continue the attack. > + } catch (IOException e) { > + // ignore > + } > + } > + completed = true; > + } > + } > + > > @Override > public void handshake(Socket sock) throws IOException { --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org