Allow SSL renegotiation on Java 1.6.0_22 and later
authorJames Moger <james.moger@gitblit.com>
Thu, 29 Sep 2011 00:44:23 +0000 (20:44 -0400)
committerJames Moger <james.moger@gitblit.com>
Thu, 29 Sep 2011 00:44:23 +0000 (20:44 -0400)
docs/00_index.mkd
docs/04_releases.mkd
src/com/gitblit/GitBlitServer.java

index 856c3eb23f50fd2fe22a82a8ff0db69290dae01d..48d373b76526d679077a14c638f3280fdf743498 100644 (file)
@@ -28,6 +28,7 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit
 \r
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*\r
 \r
+- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later\r
 - added: IUserService.setup(IStoredSettings) for custom user service implementations\r
 \r
 issues, binaries, and sources @ [Google Code][googlecode]<br/>\r
index a77cfd5085ebdadc28136f4411bda28376cf3df0..c63f6ebd0be0cdb67da09a3283a829d427942847 100644 (file)
@@ -3,6 +3,7 @@
 ### Current Release\r
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*\r
 \r
+- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later\r
 - added: IUserService.setup(IStoredSettings) for custom user service implementations\r
 \r
 ### Older Releases\r
index 039f59d3a78e168c75fa14a71a585ce7139ffbab..204ae4d9dde339746fcf79d904ec231461f5202b 100644 (file)
@@ -288,6 +288,9 @@ public class GitBlitServer {
        /**\r
         * Creates an https connector.\r
         * \r
+        * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.\r
+        * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html\r
+        * \r
         * @param keystore\r
         * @param password\r
         * @param useNIO\r
@@ -308,7 +311,24 @@ public class GitBlitServer {
                        SslSocketConnector ssl = new SslSocketConnector();\r
                        connector = ssl;\r
                }\r
-               connector.setAllowRenegotiate(false);\r
+               // disable renegotiation unless this is a patched JVM\r
+               boolean allowRenegotiation = false;\r
+               String v = System.getProperty("java.version");\r
+               if (v.startsWith("1.7")) {\r
+                       allowRenegotiation = true;\r
+               } else if (v.startsWith("1.6")) {\r
+                       // 1.6.0_22 was first release with RFC-5746 implemented fix.\r
+                       if (v.indexOf('_') > -1) {\r
+                               String b = v.substring(v.indexOf('_') + 1);\r
+                               if (Integer.parseInt(b) >= 22) {\r
+                                       allowRenegotiation = true;\r
+                               }\r
+                       }\r
+               }\r
+               if (allowRenegotiation) {\r
+                       logger.info("   allowing SSL renegotiation on Java " + v);\r
+               }\r
+               connector.setAllowRenegotiate(true);\r
                connector.setKeystore(keystore.getAbsolutePath());\r
                connector.setPassword(password);\r
                connector.setPort(port);\r