Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/02/16 14:09:22 UTC

[tomcat] branch main updated (a0de147dc1 -> e4546af630)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from a0de147dc1 Use a constant for the default certificate alias
     new 992bf9219b Refactor to make using custom endpoints easier
     new 946c84ad97 Correct comment
     new e4546af630 Add dedicated logger for TLS certificates

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../apache/coyote/http11/Http11Nio2Protocol.java   |  7 ++-
 .../apache/coyote/http11/Http11NioProtocol.java    | 14 +++---
 .../apache/tomcat/util/net/AbstractEndpoint.java   | 57 ++++++++++++++++++++--
 .../apache/tomcat/util/net/LocalStrings.properties |  2 +
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  |  7 +++
 java/org/apache/tomcat/util/net/NioEndpoint.java   |  7 +++
 webapps/docs/changelog.xml                         |  6 +++
 7 files changed, 89 insertions(+), 11 deletions(-)


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[tomcat] 01/03: Refactor to make using custom endpoints easier

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 992bf9219b33d8ac2e694b44f8cb451c425441c1
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:53:10 2023 +0000

    Refactor to make using custom endpoints easier
---
 java/org/apache/coyote/http11/Http11Nio2Protocol.java | 7 ++++++-
 java/org/apache/coyote/http11/Http11NioProtocol.java  | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11Nio2Protocol.java b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
index da91eb3581..94c271e87f 100644
--- a/java/org/apache/coyote/http11/Http11Nio2Protocol.java
+++ b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
@@ -32,7 +32,12 @@ public class Http11Nio2Protocol extends AbstractHttp11Protocol<Nio2Channel> {
 
 
     public Http11Nio2Protocol() {
-        super(new Nio2Endpoint());
+        this(new Nio2Endpoint());
+    }
+
+
+    public Http11Nio2Protocol(Nio2Endpoint endpoint) {
+        super(endpoint);
     }
 
 
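Review bot: the new public constructor `Http11Nio2Protocol(Nio2Endpoint endpoint)` is the extension point this commit introduces, yet it carries no Javadoc; a short comment saying that the supplied endpoint is owned and driven by this protocol instance (and should not be shared between connectors) would help custom-endpoint authors. Unless the superclass already rejects it, an explicit `Objects.requireNonNull(endpoint)` before `super(endpoint)` would turn a misconfigured connector into an immediate, clear failure rather than a later NullPointerException.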
diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index 9af112ceb5..a2839ac6d6 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -37,7 +37,12 @@ public class Http11NioProtocol extends AbstractHttp11Protocol<NioChannel> {
 
 
     public Http11NioProtocol() {
-        super(new NioEndpoint());
+        this(new NioEndpoint());
+    }
+
+
+    public Http11NioProtocol(NioEndpoint endpoint) {
+        super(endpoint);
     }
 
 
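Review bot: the parameter type here is the concrete `NioEndpoint`, so a custom endpoint has to subclass `NioEndpoint` rather than implement a more general endpoint contract; if that restriction is intended it should be stated in Javadoc on the new constructor, as for the Nio2 variant, and the same null-handling remark applies to `super(endpoint)`.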




[tomcat] 02/03: Correct comment

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 946c84ad978ec429febd368eb345342b4ea9a845
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:53:27 2023 +0000

    Correct comment
---
 java/org/apache/coyote/http11/Http11NioProtocol.java | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index a2839ac6d6..98e4a3352b 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -24,12 +24,7 @@ import org.apache.tomcat.util.net.NioEndpoint;
 
 
 /**
- * Abstract the protocol implementation, including threading, etc.
- * Processor is single threaded and specific to stream-based protocols,
- * will not fit Jk protocols like JNI.
- *
- * @author Remy Maucherat
- * @author Costin Manolache
+ * HTTP/1.1 protocol implementation using NIO.
  */
 public class Http11NioProtocol extends AbstractHttp11Protocol<NioChannel> {
 




[tomcat] 03/03: Add dedicated logger for TLS certificates

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e4546af630299576f9cc564f207b83f9e5f9f585
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:57:55 2023 +0000

    Add dedicated logger for TLS certificates
    
    Allows debug logging to be enabled just for certificates
---
 .../apache/tomcat/util/net/AbstractEndpoint.java   | 57 ++++++++++++++++++++--
 .../apache/tomcat/util/net/LocalStrings.properties |  2 +
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  |  7 +++
 java/org/apache/tomcat/util/net/NioEndpoint.java   |  7 +++
 webapps/docs/changelog.xml                         |  6 +++
 5 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 7839849c38..5d202557c3 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -21,6 +21,10 @@ import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.NetworkInterface;
 import java.net.SocketException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -46,6 +50,7 @@ import javax.net.ssl.SSLParameters;
 import org.apache.juli.logging.Log;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.collections.SynchronizedStack;
 import org.apache.tomcat.util.modeler.Registry;
 import org.apache.tomcat.util.net.Acceptor.AcceptorState;
@@ -406,8 +411,8 @@ public abstract class AbstractEndpoint<S,U> {
                 throw new IllegalArgumentException(e.getMessage(), e);
             }
 
-            logCertificate(certificate);
             certificate.setSslContext(sslContext);
+            logCertificate(certificate);
         }
     }
 
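Review bot: moving `logCertificate(certificate)` to after `certificate.setSslContext(sslContext)` is now a hard ordering requirement, because the debug branch in `logCertificate` calls `certificate.getSslContext().getCertificateChain(alias)` and would throw a NullPointerException if the context were not yet set; a one-line comment at the call site would stop a future tidy-up from swapping the two statements back.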
@@ -433,8 +438,50 @@ public abstract class AbstractEndpoint<S,U> {
             trustStoreSource = sslHostConfig.getCaCertificatePath();
         }
 
-        getLog().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(), certificate.getType(),
-                certificateSource, keyAlias, trustStoreSource));
+        getLogCertificate().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(),
+                certificate.getType(), certificateSource, keyAlias, trustStoreSource));
+
+        if (getLogCertificate().isDebugEnabled()) {
+            String alias = certificate.getCertificateKeyAlias();
+            if (alias == null) {
+                alias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+            }
+            X509Certificate[] x509Certificates = certificate.getSslContext().getCertificateChain(alias);
+            if (x509Certificates != null && x509Certificates.length > 0) {
+                getLogCertificate().debug(generateCertificateDebug(x509Certificates[0]));
+            } else {
+                getLogCertificate().debug(sm.getString("endpoint.tls.cert.noCerts"));
+            }
+        }
+    }
+
+
+    protected String generateCertificateDebug(X509Certificate certificate) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("\n[");
+        try {
+            byte[] certBytes = certificate.getEncoded();
+            // SHA-256 fingerprint
+            sb.append("\nSHA-256 fingerprint: ");
+            MessageDigest sha512Digest = MessageDigest.getInstance("SHA-256");
+            sha512Digest.update(certBytes);
+            sb.append(HexUtils.toHexString(sha512Digest.digest()));
+            // SHA-256 fingerprint
+            sb.append("\nSHA-1 fingerprint: ");
+            MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1");
+            sha1Digest.update(certBytes);
+            sb.append(HexUtils.toHexString(sha1Digest.digest()));
+        } catch (CertificateEncodingException e) {
+            getLogCertificate().warn(sm.getString("endpoint.tls.cert.encodingError"), e);
+        } catch (NoSuchAlgorithmException e) {
+            // Unreachable code
+            // All JREs are required to support SHA-1 and SHA-256
+            throw new RuntimeException(e);
+        }
+        sb.append("\n");
+        sb.append(certificate);
+        sb.append("\n]");
+        return sb.toString();
     }
 
     protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
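Review bot: in `generateCertificateDebug` the digest used for the SHA-256 fingerprint is held in a variable named `sha512Digest`, and the comment above the SHA-1 block reads `// SHA-256 fingerprint`; rename the variable to `sha256Digest` and correct the second comment to `// SHA-1 fingerprint` so the two blocks cannot be confused on a later read. The `CertificateEncodingException` path logs `endpoint.tls.cert.encodingError` with no alias or virtual host in the message, so with several configured certificates an operator cannot tell which one failed; threading `alias` (or the host name) through to that message, as `endpoint.tls.info` already does, would make the warning actionable.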
@@ -1498,6 +1545,10 @@ public abstract class AbstractEndpoint<S,U> {
 
     protected abstract Log getLog();
 
+    protected Log getLogCertificate() {
+        return getLog();
+    }
+
     protected LimitLatch initializeConnectionLatch() {
         if (maxConnections==-1) {
             return null;
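Review bot: `getLogCertificate()` is a new protected hook without Javadoc; document that the default delegates to `getLog()`, so endpoints that do not override it keep the previous logging behaviour, and that overriding it with a dedicated logger is what lets debug output be enabled for certificate details alone.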
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index dc7b9b9361..8e845821bd 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -114,6 +114,8 @@ endpoint.setAttribute=Set [{0}] to [{1}]
 endpoint.setAttributeError=Unable to set attribute [{0}] to [{1}]
 endpoint.socketOptionsError=Error setting socket options
 endpoint.timeout.err=Error processing socket timeout
+endpoint.tls.cert.encodingError=Certificate fingerprints not available
+endpoint.tls.cert.noCerts=Certificate details not available as the certificate chain returned from the SSLContext was empty
 endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from [{3}] using alias [{4}] and with trust store [{5}]
 endpoint.unknownSslHostName=The SSL host name [{0}] is not recognised for this endpoint
 endpoint.warn.executorShutdown=The executor associated with thread pool [{0}] has not fully shutdown. Some application threads may still be running.
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 9ad21cfbde..2887ba5039 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -59,6 +59,7 @@ public class Nio2Endpoint extends AbstractNetworkChannelEndpoint<Nio2Channel,Asy
 
 
     private static final Log log = LogFactory.getLog(Nio2Endpoint.class);
+    private static final Log logCertificate = LogFactory.getLog(Nio2Endpoint.class.getName() + ".certificate");
     private static final Log logHandshake = LogFactory.getLog(Nio2Endpoint.class.getName() + ".handshake");
 
 
@@ -387,6 +388,12 @@ public class Nio2Endpoint extends AbstractNetworkChannelEndpoint<Nio2Channel,Asy
     }
 
 
+    @Override
+    protected Log getLogCertificate() {
+        return logCertificate;
+    }
+
+
     @Override
     protected SocketProcessorBase<Nio2Channel> createSocketProcessor(
             SocketWrapperBase<Nio2Channel> socketWrapper, SocketEvent event) {
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index 8c6a3ae566..bb3cb69458 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -84,6 +84,7 @@ public class NioEndpoint extends AbstractNetworkChannelEndpoint<NioChannel,Socke
 
 
     private static final Log log = LogFactory.getLog(NioEndpoint.class);
+    private static final Log logCertificate = LogFactory.getLog(NioEndpoint.class.getName() + ".certificate");
     private static final Log logHandshake = LogFactory.getLog(NioEndpoint.class.getName() + ".handshake");
 
 
@@ -542,6 +543,12 @@ public class NioEndpoint extends AbstractNetworkChannelEndpoint<NioChannel,Socke
     }
 
 
+    @Override
+    protected Log getLogCertificate() {
+        return logCertificate;
+    }
+
+
     @Override
     protected SocketProcessorBase<NioChannel> createSocketProcessor(
             SocketWrapperBase<NioChannel> socketWrapper, SocketEvent event) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 145fdaa5ad..08cbc1fc49 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -210,6 +210,12 @@
         a Connector configured with <code>useAsyncIO=true</code> (the default).
         (markt)
       </fix>
+      <add>
+        Provided dedicated loggers
+        (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
+        <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
+        logging of configured TLS certificates. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Jasper">

