Author: markt Date: Wed Nov 18 13:37:12 2009 New Revision: 881774 URL: http://svn.apache.org/viewvc?rev=881774&view=rev Log: Provide a workaround for CVE-2009-3555 for the BIO connector
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Nov 18 13:37:12 2009
@@ -369,12 +369,6 @@ -1: +0: markt Combined patch needs to have 834047 removed and 881765 added -* Disable TLS renegotiation be default with an option to re-enable it - Based on Costin's patch for trunk with Mark's modifications - http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc6.patch - +1: markt, billbarker, mturk, kkolinko, jfclere - -1: - * Improvements to memory leak prevention http://people.apache.org/~markt/patches/2009-11-10-leak-prevention.patch +1: markt, kkolinko
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed Nov 18 13:37:12 2009
@@ -42,6 +42,8 @@
 import java.util.Vector;
 import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.ManagerFactoryParameters;
@@ -99,6 +101,7 @@
 protected String clientAuth = "false";
 protected SSLServerSocketFactory sslProxy = null;
 protected String[] enabledCiphers;
+ protected boolean allowUnsafeLegacyRenegotiation = false;
 /**
 * Flag to state that we require client authentication.
@@ -149,12 +152,35 @@
 SSLSocket asock = null;
 try {
 asock = (SSLSocket)socket.accept();
+ if (!allowUnsafeLegacyRenegotiation) {
+ asock.addHandshakeCompletedListener(
+ new DisableSslRenegotiation());
+ }
 configureClientAuth(asock);
 } catch (SSLException e){
 throw new SocketException("SSL handshake error" + e.toString());
 }
 return asock;
 }
+
+ private static class DisableSslRenegotiation
+ implements HandshakeCompletedListener {
+ private volatile boolean completed = false;
+
+ public void handshakeCompleted(HandshakeCompletedEvent event) {
+ if (completed) {
+ try {
+ log.warn("SSL renegotiation is disabled, closing connection");
+ event.getSession().invalidate();
+ event.getSocket().close();
+ } catch (IOException e) {
+ // ignore
+ }
+ }
+ completed = true;
+ }
+ }
+
 public void handshake(Socket sock) throws IOException {
 ((SSLSocket)sock).startHandshake();
@@ -447,6 +473,9 @@
 enabledCiphers = getEnabledCiphers(requestedCiphers,
 sslProxy.getSupportedCipherSuites());
+ allowUnsafeLegacyRenegotiation =
+ "true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
+ // Check the SSL config is OK
 checkConfig();
Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Wed Nov 18 13:37:12 2009
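Review bot: The new `allowUnsafeLegacyRenegotiation` field carries no comment although it is the one security-relevant switch among these fields; add a Javadoc such as `/** If false (the default), a second TLS handshake on an accepted socket closes the connection (CVE-2009-3555 workaround). */`. The attribute name is repeated as a string literal where the field is assigned later in this file, so a `private static final String` constant for it would keep the two in step.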
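Review bot: `DisableSslRenegotiation.handshakeCompleted` acts only after the second handshake has already completed, and as far as I recall the JSSE `SSLSocketImpl` delivers `HandshakeCompletedListener` callbacks from a separate notification thread, so the request-processing thread may already have consumed application data sent after the renegotiation before `event.getSocket().close()` runs; the guard shortens the CVE-2009-3555 window rather than closing it, and that limitation belongs in a class Javadoc on `DisableSslRenegotiation` (best-effort guard that closes the connection once a second handshake completes; the callback is delivered asynchronously, so a small window remains). The empty `catch (IOException e) { // ignore }` should at least record the failure, `log.debug("Failed to close socket after rejected renegotiation", e);`, so a rejected renegotiation can be told apart from a connection that simply dropped. Closing the socket from the listener thread while the processor thread may be blocked in a read is the intended effect, but it deserves a one-line comment so a later reader does not take it for a bug.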
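Review bot: Setting the attribute to `true` silently re-enables the behaviour this commit works around, with nothing in the logs to show the connector is running in the weakened mode; a one-liner after the assignment, `if (allowUnsafeLegacyRenegotiation) log.warn("Unsafe legacy TLS renegotiation is enabled (CVE-2009-3555)");`, makes that visible to operators. `"true".equals(...)` is deliberately fail-closed (null or any other value keeps the default), which is worth a short comment since a reader may otherwise reach for `Boolean.parseBoolean` and loosen it. The enclosing method starts and ends outside the hunk.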
@@ -170,7 +170,10 @@
 break;
 }
 }
- ssl.setSoTimeout(oldTimeout);
+ // If legacy re-negotiation is disabled, socked could be closed here
+ if (!ssl.isClosed()) {
+ ssl.setSoTimeout(oldTimeout);
+ }
 if (listener.completed == false) {
 throw new SocketException("SSL Cert handshake timeout");
 }
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Nov 18 13:37:12 2009
@@ -316,6 +316,10 @@
 Use correct connector attribute (SSLEnabled) rather than secure to determine if SSL should be used. (fhanik)
 </fix>
+ <fix>
+ Provide a workaround for CVE-2009-3555, the TLS renegotiation issue for
+ the default Blocking IO Java connector.
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=881774&r1=881773&r2=881774&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Nov 18 13:37:12 2009
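Review bot: After `if (!ssl.isClosed())` the method carries on as if the handshake had succeeded when the renegotiation guard added in JSSESocketFactory has closed the socket, leaving the enclosing method (which starts and ends outside the hunk) to fail later in a less obvious place; since the wait here appears to be for exactly such a renegotiation (the timeout message refers to the client-certificate handshake), it would be clearer to fail explicitly, `if (ssl.isClosed()) { throw new SocketException("SSL renegotiation is disabled, connection closed"); }`, before restoring the timeout. The listener that closes the socket presumably runs on another thread, so `setSoTimeout` can still throw between the `isClosed()` check and the call; handling that `SocketException` the same way keeps a single failure mode. If client-certificate authentication on an existing connection depends on this renegotiation, the `allowUnsafeLegacyRenegotiation` attribute documentation should say so, since those deployments will otherwise see closed connections with only the warning in the log to explain them. Nit: `socked` → `socket` in the added comment, and `listener.completed == false` reads better as `!listener.completed`.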
@@ -755,6 +755,13 @@
 certificates.</p>
 </attribute>
+ <attribute name="allowUnsafeLegacyRenegotiation" required="false">
+ <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
+ users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
+ protocol that allows an attacker to inject arbitrary data into the user's
+ request. If not specified, a default of <code>false</code> is used.</p>
+ </attribute>
+
 </attributes>
 <p>For more information, see the
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org