1. InternalNioInputBuffer should honor maxHttpHeadSize. (kkolinko)
2. TLS/SSL 공격으로 인해서 인증되는 부분 버그 패치




http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html


Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325
Use JVM-provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support)



of /tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java


--- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java	2011/02/07 13:56:20	1067948
+++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java	2011/02/07 14:16:42	1067949
@@ -26,9 +26,13 @@ import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.SocketException;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Vector;
 
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
@@ -77,6 +81,29 @@ public abstract class JSSESocketFactory
     protected String[] enabledCiphers;
     protected boolean allowUnsafeLegacyRenegotiation = false;
 
+    protected static final boolean RFC_5746_SUPPORTED;
+
+    static {
+        boolean result = false;
+        SSLContext context;
+        try {
+            context = SSLContext.getInstance("TLS");
+            context.init(null, null, new SecureRandom());
+            SSLServerSocketFactory ssf = context.getServerSocketFactory();
+            String ciphers[] = ssf.getSupportedCipherSuites();
+            for (String cipher : ciphers) {
+                if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
+                    result = true;
+                    break;
+                }
+            }
+        } catch (NoSuchAlgorithmException e) {
+            // Assume no RFC 5746 support
+        } catch (KeyManagementException e) {
+            // Assume no RFC 5746 support
+        }
+        RFC_5746_SUPPORTED = result;
+    }
 
     public JSSESocketFactory () {
     }
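Review bot: RFC_5746_SUPPORTED records only that the JSSE provider advertises the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo-suite, not that secure renegotiation is actually enforced; per the linked Oracle readme the runtime behaviour is governed by the sun.security.ssl.allowUnsafeRenegotiation system property, so a deployment that sets it to true keeps the unsafe path open while the handshake() guard in the third hunk no longer clears the cipher suites, which is worth stating next to the constant. The field has no Javadoc; something like `/** True when the JSSE provider lists TLS_EMPTY_RENEGOTIATION_INFO_SCSV, i.e. RFC 5746 secure renegotiation is available; evaluated once at class load. */` would tell readers what it detects and when. Stylistically, `String ciphers[]` should be `String[] ciphers`, and the loop can collapse to `result = Arrays.asList(ssf.getSupportedCipherSuites()).contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV");` with java.util.Arrays added to the import hunk. The two catch blocks deliberately fall back to false and are commented as such, which matches the commit's intent.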
@@ -127,7 +154,7 @@ public abstract class JSSESocketFactory
     public void handshake(Socket sock) throws IOException {
         ((SSLSocket)sock).startHandshake();
         
-        if (!allowUnsafeLegacyRenegotiation) {
+        if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
             // Prevent futher handshakes by removing all cipher suites
             ((SSLSocket) sock).setEnabledCipherSuites(new String[0]);
         }
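Review bot: The new condition changes the mitigation from "always block further handshakes" to "defer to the JVM when it supports RFC 5746", but the comment above the cipher-suite reset still describes only the old behaviour, so a reader may think the reset was dropped by accident on modern runtimes. Add a line such as `// On runtimes with RFC 5746 support the JVM itself refuses unsafe renegotiation; the cipher-suite reset is only needed on older JVMs` before the if. handshake()'s body continues past the end of the hunk.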


