Author: markt
Date: Thu Oct 11 10:18:39 2018
New Revision: 1843542

URL: http://svn.apache.org/viewvc?rev=1843542&view=rev
Log:
Fix server initiated TLS renegotiation to obtain a client certificate when 
using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation.
Prior to this fix, the client would send the certs but the server would not 
read them and would timeout the request.

Modified:
    tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
    tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Thu Oct 11 10:18:39 2018
@@ -557,6 +557,13 @@ public final class SSL {
     public static native int renegotiate(long ssl);
 
     /**
+     * SSL_renegotiate_pending
+     * @param ssl the SSL instance (SSL *)
+     * @return the operation status
+     */
+    public static native int renegotiatePending(long ssl);
+
+    /**
      * SSL_in_init.
      * @param ssl the SSL instance (SSL *)
      * @return the status

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Thu 
Oct 11 10:18:39 2018
@@ -982,7 +982,7 @@ public final class OpenSSLEngine extends
             // No pending data to be sent to the peer
             // Check to see if we have finished handshaking
             int handshakeCount = SSL.getHandshakeCount(ssl);
-            if (handshakeCount != currentHandshake) {
+            if (handshakeCount != currentHandshake && 
SSL.renegotiatePending(ssl) == 0) {
                 if (alpn) {
                     selectedProtocol = SSL.getAlpnSelected(ssl);
                     if (selectedProtocol == null) {
@@ -994,7 +994,7 @@ public final class OpenSSLEngine extends
                 return SSLEngineResult.HandshakeStatus.FINISHED;
             }
 
-            // No pending data and still handshaking
+            // No pending data and still handshaking / renegotiation pending
             // Must be waiting on the peer to send more data
             return SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
         }

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1843542&r1=1843541&r2=1843542&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 11 10:18:39 2018
@@ -127,6 +127,11 @@
         implementation that prevented from secure WebSocket connections from
         being established. (markt)
       </fix>
+      <fix>
+        Fix server initiated TLS renegotiation to obtain a client certificate
+        when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to