Posted to dev@tomcat.apache.org by ma...@apache.org on 2024/02/07 13:47:50 UTC
(tomcat) branch main updated: Allow user provided SSLContext instances on SSLHostConfigCertificate
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new e6da237431 Allow user provided SSLContext instances on SSLHostConfigCertificate
e6da237431 is described below
commit e6da2374315f322a7abf24d4a3faddfea7a3f7f0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Feb 7 13:47:32 2024 +0000
Allow user provided SSLContext instances on SSLHostConfigCertificate
Based on pull request #673 provided by Hakan Altındağ
https://github.com/apache/tomcat/pull/673
---
.../apache/tomcat/util/net/AbstractEndpoint.java | 25 +++++++++++++------
.../tomcat/util/net/SSLHostConfigCertificate.java | 29 +++++++++++++++++-----
webapps/docs/changelog.xml | 5 ++++
3 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index dfc0eb65f9..09559b4f72 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -408,14 +408,18 @@ public abstract class AbstractEndpoint<S,U> {
sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
}
- SSLContext sslContext;
- try {
- sslContext = sslUtil.createSSLContext(negotiableProtocols);
- } catch (Exception e) {
- throw new IllegalArgumentException(e.getMessage(), e);
+ SSLContext sslContext = certificate.getSslContext();
+ // Generate the SSLContext from configuration unless (e.g. embedded) an SSLContext has been provided.
+ if (sslContext == null) {
+ try {
+ sslContext = sslUtil.createSSLContext(negotiableProtocols);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(e.getMessage(), e);
+ }
+
+ certificate.setSslContextGenerated(sslContext);
}
- certificate.setSslContext(sslContext);
logCertificate(certificate);
}
}
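Review bot: A provided SSLContext is accepted at lines 33–35 on a null check alone, so nothing at bind time confirms it is usable: a context the embedder never initialised, or one whose enabled protocols and ciphers differ from what the surrounding code derives from sslUtil (the enabled-ciphers assignment just above the hunk), will only fail at handshake time rather than when the endpoint starts. Note also that `negotiableProtocols` reaches only the generated path, so a provided context must already carry any ALPN configuration itself; that precondition deserves a comment here, e.g. `// A provided SSLContext is used as-is: it must already be initialised and carry its own protocol, cipher and ALPN settings.` Because `getSslContext()` prefers a provided context but otherwise returns the generated one, this branch also skips regeneration if a stale generated context is still set when this code runs — worth confirming that every caller releases or clears it first, since the old code regenerated unconditionally. The enclosing method starts before this hunk.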
@@ -616,7 +620,8 @@ public abstract class AbstractEndpoint<S,U> {
protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates()) {
if (certificate.getSslContext() != null) {
- SSLContext sslContext = certificate.getSslContext();
+ // Only release the SSLContext if we generated it.
+ SSLContext sslContext = certificate.getSslContextGenerated();
if (sslContext != null) {
sslContext.destroy();
}
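Review bot: The outer `if (certificate.getSslContext() != null)` at line 51 no longer guards anything meaningful, because it is also true when only a provided context exists and the release decision is taken entirely by the inner null check on `getSslContextGenerated()`; the two checks could be collapsed into a single one on the generated context. More importantly, `sslContext.destroy()` at line 56 leaves the destroyed instance referenced by the certificate, so `getSslContext()` keeps handing it out until something calls `setSslContextGenerated(null)`; unless the caller guarantees that, add `certificate.setSslContextGenerated(null);` directly after the destroy so a destroyed context can never be returned. The enclosing method continues past this hunk.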
@@ -1407,7 +1412,11 @@ public abstract class AbstractEndpoint<S,U> {
public void unbind() throws Exception {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates()) {
- certificate.setSslContext(null);
+ /*
+ * Only remove any generated SSLContext. If the SSLContext was provided it is left in place in case the
+ * endpoint is re-started.
+ */
+ certificate.setSslContextGenerated(null);
}
}
}
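Review bot: The comment at lines 63–66 explains that a provided context survives unbind but not the consequence for the embedder: Tomcat never calls `destroy()` on a provided SSLContext, so its lifecycle (and the key material it holds) is entirely the caller's responsibility, and rotating keys requires a fresh `setSslContext(...)` before the endpoint is restarted. I would extend the comment with that, e.g. `* A provided SSLContext is never destroyed by the endpoint; the embedder owns its lifecycle and must call setSslContext() with a new instance to rotate keys.` This hunk appears to show the whole of `unbind()`, so the note applies to the method as a whole.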
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
index 4b7b2a4c70..e50b4b0c5d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
@@ -50,10 +50,14 @@ public class SSLHostConfigCertificate implements Serializable {
// Internal
private ObjectName oname;
- // OpenSSL can handle multiple certs in a single config so the reference to
- // the context is at the virtual host level. JSSE can't so the reference is
- // held here on the certificate.
- private transient volatile SSLContext sslContext;
+ /*
+ * OpenSSL can handle multiple certs in a single config so the reference to the context is at the virtual host
+ * level. JSSE can't so the reference is held here on the certificate. Typically, the SSLContext is generated from
+ * the configuration but, particularly in embedded scenarios, it can be provided directly.
+ */
+ private transient volatile SSLContext sslContextProvided;
+ private transient volatile SSLContext sslContextGenerated;
+
// Common
private final SSLHostConfig sslHostConfig;
@@ -90,12 +94,25 @@ public class SSLHostConfigCertificate implements Serializable {
public SSLContext getSslContext() {
- return sslContext;
+ if (sslContextProvided != null) {
+ return sslContextProvided;
+ }
+ return sslContextGenerated;
}
public void setSslContext(SSLContext sslContext) {
- this.sslContext = sslContext;
+ this.sslContextProvided = sslContext;
+ }
+
+
+ public SSLContext getSslContextGenerated() {
+ return sslContextGenerated;
+ }
+
+
+ void setSslContextGenerated(SSLContext sslContext) {
+ this.sslContextGenerated = sslContext;
}
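Review bot: `setSslContext` at lines 100–103 is public API with no Javadoc, yet its contract changes in this commit: a non-null argument now overrides whatever would be generated from the `SSLHostConfig` settings (configured protocols, ciphers and stores are no longer consulted for this certificate), the instance is used as-is without validation, and passing `null` now only clears the provided context while any generated one remains in place — in the removed code `setSslContext(null)` cleared the sole context, so an external caller relying on it as a reset will behave differently. I would add a Javadoc stating that a provided context takes precedence over configuration, must already be initialised, is not validated against the configured protocols or ciphers, and is never destroyed by Tomcat, with `@param sslContext the context to use for this certificate, or {@code null} to fall back to the context generated from configuration`. `getSslContextGenerated()` and the package-private setter would benefit from a one-line comment marking them as internal to the endpoint lifecycle, so that embedders do not mistake them for the public hook.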
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 725f0ee94d..f5b2319f59 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -162,6 +162,11 @@
operations from debug level to trace. In particular, most of the
HTTP/2 debug logging has been changed to trace level. (remm)
</fix>
+ <fix>
+ Add support for user provided <code>SSLContext</code> instances
+ configured on <code>SSLHostConfigCertificate</code> instances. Based on
+ pull request <pr>673</pr> provided by Hakan Altındağ. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">