From c7ebb2407112b8137e2cd7c108dd13957b4cff1e Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 28 Sep 2011 20:44:23 -0400
Subject: [PATCH] Allow SSL renegotiation on Java 1.6.0_22 and later
---
src/com/gitblit/GitBlitServer.java | 22 +++++++++++++++++++++-
docs/04_releases.mkd | 1 +
docs/00_index.mkd | 1 +
3 files changed, 23 insertions(+), 1 deletions(-)
diff --git a/docs/00_index.mkd b/docs/00_index.mkd
index 856c3eb..48d373b 100644
--- a/docs/00_index.mkd
+++ b/docs/00_index.mkd
@@ -28,6 +28,7 @@
**%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)) based on [%JGIT%][jgit] *released %BUILDDATE%*
+- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
- added: IUserService.setup(IStoredSettings) for custom user service implementations
issues, binaries, and sources @ [Google Code][googlecode]<br/>
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index a77cfd5..c63f6eb 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -3,6 +3,7 @@
### Current Release
**%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)) based on [%JGIT%][jgit] *released %BUILDDATE%*
+- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
- added: IUserService.setup(IStoredSettings) for custom user service implementations
### Older Releases
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index 039f59d..204ae4d 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -288,6 +288,9 @@
/**
* Creates an https connector.
*
+ * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
+ * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
+ *
* @param keystore
* @param password
* @param useNIO
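Review bot: The second added Javadoc line is a bare host path with no scheme, so it renders as plain text rather than a link; write it as `http://oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html` (or wrap it in an `<a href="...">` tag) so readers can follow it. The added sentence also only says when renegotiation is enabled; it would help a maintainer to state the other branch explicitly, e.g. `* On older JVMs renegotiation stays disabled because they lack the RFC 5746 fix.` The documented method's signature follows after the hunk.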
@@ -308,7 +311,24 @@
SslSocketConnector ssl = new SslSocketConnector();
connector = ssl;
}
- connector.setAllowRenegotiate(false);
+ // disable renegotiation unless this is a patched JVM
+ boolean allowRenegotiation = false;
+ String v = System.getProperty("java.version");
+ if (v.startsWith("1.7")) {
+ allowRenegotiation = true;
+ } else if (v.startsWith("1.6")) {
+ // 1.6.0_22 was first release with RFC-5746 implemented fix.
+ if (v.indexOf('_') > -1) {
+ String b = v.substring(v.indexOf('_') + 1);
+ if (Integer.parseInt(b) >= 22) {
+ allowRenegotiation = true;
+ }
+ }
+ }
+ if (allowRenegotiation) {
+ logger.info(" allowing SSL renegotiation on Java " + v);
+ }
+ connector.setAllowRenegotiate(true);
connector.setKeystore(keystore.getAbsolutePath());
connector.setPassword(password);
connector.setPort(port);
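Review bot: `connector.setAllowRenegotiate(true);` at the end of the hunk ignores the `allowRenegotiation` flag computed just above it, so renegotiation is enabled on every JVM and the version check only decides whether the info line is logged; on a JVM without the RFC 5746 fix this drops the protection the removed `setAllowRenegotiate(false)` provided. The call should be `connector.setAllowRenegotiate(allowRenegotiation);`. Separately, `Integer.parseInt(b)` on everything after the `_` throws `NumberFormatException` if `java.version` carries a suffix after the update number (a constructed example: `1.6.0_22-ea`), which would abort connector creation; parsing only the leading digits, or catching `NumberFormatException` and leaving the flag `false`, keeps the default on the safe side. Note that `v.startsWith(...)` also assumes `java.version` is set, which is presumably always true on a Sun/Oracle JVM but not guaranteed. The enclosing method starts and ends outside the hunk.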
--
Gitblit v1.9.1