Bug 346614 - HttpConnection.handle() spins in case of SSL truncation attacks
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 7.4.0
Hardware: PC Linux
Importance: P3 normal
Target Milestone: 7.2.x
Assignee: Simone Bordet CLA
Reported: 2011-05-20 05:45 EDT by Simone Bordet CLA
Modified: 2011-05-20 09:45 EDT
Description Simone Bordet CLA 2011-05-20 05:45:38 EDT
In case of an SSL truncation attack, i.e. when a remote socket sends a TCP FIN before an SSL close alert, Jetty does not detect the situation cleanly, and the selector will continuously dispatch the endpoint (and hence the connection) because we do not close it.

Instead, we should detect the case, and close the endpoint.
Comment 1 Simone Bordet CLA 2011-05-20 09:45:38 EDT
Fixed. We detect the FIN and act accordingly.
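
The detect-and-close behaviour the report asks for, sketched as an added example with the JDK's `SSLEngine` and an NIO selector. This is not Jetty's code or the actual fix; the class name, the `onReadable` method and the loopback peer are constructed for illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.*;
import javax.net.ssl.*;

public class TruncationAwareEndpoint {
    /** Handles one read-ready dispatch; returns false once the endpoint is closed. */
    static boolean onReadable(SelectionKey key, SSLEngine engine, ByteBuffer netIn) throws IOException {
        SocketChannel channel = (SocketChannel) key.channel();
        if (channel.read(netIn) >= 0)
            return true;               // bytes (or none yet): caller unwraps netIn as usual
        // read() == -1 means the peer sent a TCP FIN. The key stays read-ready
        // on every select() from now on unless the endpoint is closed here.
        try {
            engine.closeInbound();     // SSLException if no close_notify preceded the FIN
        } catch (SSLException truncated) {
            System.err.println("FIN without close_notify: " + truncated.getMessage());
        }
        engine.closeOutbound();
        key.cancel();
        channel.close();               // the selector stops dispatching this endpoint
        return false;
    }

    public static void main(String[] args) throws Exception {
        Selector selector = Selector.open();
        ServerSocketChannel server = ServerSocketChannel.open();
        server.bind(new InetSocketAddress("127.0.0.1", 0));
        // Constructed peer: connects and closes at once, so only a FIN arrives.
        SocketChannel.open(server.getLocalAddress()).close();
        SocketChannel accepted = server.accept();
        accepted.configureBlocking(false);
        SelectionKey key = accepted.register(selector, SelectionKey.OP_READ);
        // This demo performs no TLS handshake, so the JDK may not raise the
        // exception above; the endpoint is closed either way.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        ByteBuffer netIn = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        int dispatches = 0;
        while (key.isValid() && selector.select(1000) > 0) {
            selector.selectedKeys().clear();
            dispatches++;
            if (!onReadable(key, engine, netIn)) break;
        }
        System.out.println("dispatches before close: " + dispatches);
        server.close();
        selector.close();
    }
}
```

If `onReadable` returned without cancelling the key and closing the channel, the loop in `main` would keep being woken for the same endpoint, which is the spin described in the report.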