Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/05/06 23:30:54 UTC
svn commit: r1678097 - in /tomcat/trunk: java/org/apache/coyote/http11/
java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/
webapps/docs/config/
Author: markt
Date: Wed May 6 21:30:54 2015
New Revision: 1678097
URL: http://svn.apache.org/r1678097
Log:
Move the truststore attributes to SSLHostConfig
Move as much of the default / fall-back code to SSLHostConfig rather than spreading it through JSSESocketFactory. This makes the defaults/fallbacks easier to read (in my view) and allowed some clean-up in JSSESocketFactory.
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1678097&r1=1678096&r2=1678097&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Wed May 6 21:30:54 2015
@@ -28,29 +28,6 @@ public abstract class AbstractHttp11Jsse
public String getSslProtocol() { return getEndpoint().getSslProtocol();}
public void setSslProtocol(String s) { getEndpoint().setSslProtocol(s);}
- public void setTruststoreFile(String f){ getEndpoint().setTruststoreFile(f);}
- public String getTruststoreFile(){ return getEndpoint().getTruststoreFile();}
-
- public void setTruststorePass(String p){ getEndpoint().setTruststorePass(p);}
- public String getTruststorePass(){return getEndpoint().getTruststorePass();}
-
- public void setTruststoreType(String t){ getEndpoint().setTruststoreType(t);}
- public String getTruststoreType(){ return getEndpoint().getTruststoreType();}
-
- public void setTruststoreProvider(String t){
- getEndpoint().setTruststoreProvider(t);
- }
- public String getTruststoreProvider(){
- return getEndpoint().getTruststoreProvider();
- }
-
- public void setTruststoreAlgorithm(String a){
- getEndpoint().setTruststoreAlgorithm(a);
- }
- public String getTruststoreAlgorithm(){
- return getEndpoint().getTruststoreAlgorithm();
- }
-
public void setSessionCacheSize(String s){getEndpoint().setSessionCacheSize(s);}
public String getSessionCacheSize(){ return getEndpoint().getSessionCacheSize();}
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1678097&r1=1678096&r2=1678097&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Wed May 6 21:30:54 2015
@@ -476,6 +476,35 @@ public abstract class AbstractHttp11Prot
defaultSSLHostConfig.setCertificateKeyAlias(certificateKeyAlias);
}
+ public void setTruststoreAlgorithm(String truststoreAlgorithm){
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setTruststoreAlgorithm(truststoreAlgorithm);
+ }
+
+
+ public void setTruststoreFile(String truststoreFile){
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setTruststoreFile(truststoreFile);
+ }
+
+
+ public void setTruststorePass(String truststorePassword){
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setTruststorePassword(truststorePassword);
+ }
+
+
+ public void setTruststoreType(String truststoreType){
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setTruststoreType(truststoreType);
+ }
+
+
+ public void setTruststoreProvider(String truststoreProvider){
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setTruststoreProvider(truststoreProvider);
+ }
+
// ------------------------------------------------------------- Common code
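Review bot: Only setters are added here, while the matching getters (`getTruststoreFile()`, `getTruststoreType()`, `getTruststoreProvider()`, `getTruststoreAlgorithm()`, `getTruststorePass()`) that AbstractHttp11JsseProtocol exposed are removed in the first hunk of this commit without a replacement on the protocol handler, so anything that read these attributes through the protocol (JMX attribute introspection, presumably) now sees write-only attributes. If that is intended, a one-line Javadoc on each setter such as `/** Alias for the truststoreFile attribute of the default SSLHostConfig; see {@link SSLHostConfig#setTruststoreFile(String)}. */` would record the aliasing that http.xml now describes. `setTruststorePass` also keeps the legacy attribute name while the SSLHostConfig property is `truststorePassword`; naming that mapping in the Javadoc avoids a future search for a non-existent `setTruststorePass` on SSLHostConfig.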
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1678097&r1=1678096&r2=1678097&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Wed May 6 21:30:54 2015
@@ -16,7 +16,6 @@
*/
package org.apache.tomcat.util.net;
-import java.io.File;
import java.io.OutputStreamWriter;
import java.net.InetAddress;
import java.net.InetSocketAddress;
@@ -890,24 +889,6 @@ public abstract class AbstractEndpoint<S
}
- private String adjustRelativePath(String path, String relativeTo) {
- // Empty or null path can't point to anything useful. The assumption is
- // that the value is deliberately empty / null so leave it that way.
- if (path == null || path.length() == 0) {
- return path;
- }
- String newPath = path;
- File f = new File(newPath);
- if ( !f.isAbsolute()) {
- newPath = relativeTo + File.separator + newPath;
- f = new File(newPath);
- }
- if (!f.exists()) {
- getLog().warn("configured file:["+newPath+"] does not exist.");
- }
- return newPath;
- }
-
protected abstract Log getLog();
protected LimitLatch initializeConnectionLatch() {
@@ -986,45 +967,6 @@ public abstract class AbstractEndpoint<S
public String getSslProtocol() { return sslProtocol;}
public void setSslProtocol(String s) { sslProtocol = s;}
- private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
- public String getTruststoreFile() {return truststoreFile;}
- public void setTruststoreFile(String s) {
- truststoreFile = adjustRelativePath(s,
- System.getProperty(Constants.CATALINA_BASE_PROP));
- }
-
- private String truststorePass =
- System.getProperty("javax.net.ssl.trustStorePassword");
- public String getTruststorePass() {return truststorePass;}
- public void setTruststorePass(String truststorePass) {
- this.truststorePass = truststorePass;
- }
-
- private String truststoreType =
- System.getProperty("javax.net.ssl.trustStoreType");
- public String getTruststoreType() {return truststoreType;}
- public void setTruststoreType(String truststoreType) {
- this.truststoreType = truststoreType;
- }
-
- private String truststoreProvider = null;
- public String getTruststoreProvider() {return truststoreProvider;}
- public void setTruststoreProvider(String truststoreProvider) {
- this.truststoreProvider = truststoreProvider;
- }
-
- private String truststoreAlgorithm = null;
- public String getTruststoreAlgorithm() {return truststoreAlgorithm;}
- public void setTruststoreAlgorithm(String truststoreAlgorithm) {
- this.truststoreAlgorithm = truststoreAlgorithm;
- }
-
- private String trustManagerClassName = null;
- public String getTrustManagerClassName() {return trustManagerClassName;}
- public void setTrustManagerClassName(String trustManagerClassName) {
- this.trustManagerClassName = trustManagerClassName;
- }
-
private String sessionCacheSize = null;
public String getSessionCacheSize() { return sessionCacheSize;}
public void setSessionCacheSize(String s) { sessionCacheSize = s;}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1678097&r1=1678096&r2=1678097&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Wed May 6 21:30:54 2015
@@ -16,18 +16,23 @@
*/
package org.apache.tomcat.util.net;
+import java.io.File;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
+/**
+ * Represents the TLS configuration for a virtual host.
+ */
public class SSLHostConfig {
private static final Log log = LogFactory.getLog(SSLHostConfig.class);
@@ -46,19 +51,26 @@ public class SSLHostConfig {
// Common
private String certificateKeyPassword = null;
+ private String certificateRevocationListFile;
private CertificateVerification certificateVerification = CertificateVerification.NONE;
private int certificateVerificationDepth = 10;
private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
private boolean honorCipherOrder = false;
private Set<String> protocols = new HashSet<>();
- private String certificateRevocationListFile;
// JSSE
private String certificateKeyAlias;
private String certificateKeystorePassword = "changeit";
private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore";
- private String certificateKeystoreProvider;
- private String certificateKeystoreType = "JKS";
+ private String certificateKeystoreProvider = System.getProperty("javax.net.ssl.keyStoreProvider");
+ private String certificateKeystoreType = System.getProperty("javax.net.ssl.keyStoreType");
private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+ private String trustManagerClassName;
+ private String truststoreAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+ private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
+ private String truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
+ private String truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
+ private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
+
// OpenSSL
private String certificateFile;
private String certificateKeyFile;
@@ -67,6 +79,10 @@ public class SSLHostConfig {
public SSLHostConfig() {
// Set defaults that can't be (easily) set when defining the fields.
setProtocols("all");
+ // Configure fall-back defaults if system property is not set.
+ if (certificateKeystoreType == null) {
+ certificateKeystoreType = "JKS";
+ }
}
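Review bot: The `"JKS"` fall-back for `certificateKeystoreType` is applied once in the constructor, whereas the `getTruststoreType()` and `getTruststoreProvider()` added later in this commit resolve their fall-back in the getter; if `setCertificateKeystoreType` accepts null (its body is outside this hunk) the field can be reset to null after construction with no fall-back, and `getTruststoreType()` would then also return null. Resolving it in the getter keeps both mechanisms consistent: `return certificateKeystoreType == null ? "JKS" : certificateKeystoreType;` in `getCertificateKeystoreType()`, with the constructor block dropped.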
@@ -122,7 +138,7 @@ public class SSLHostConfig {
public void setCertificateRevocationListFile(String certificateRevocationListFile) {
- this.certificateRevocationListFile = certificateRevocationListFile;
+ this.certificateRevocationListFile = adjustRelativePath(certificateRevocationListFile);
}
@@ -246,7 +262,7 @@ public class SSLHostConfig {
public void setCertificateKeystoreFile(String certificateKeystoreFile) {
setProperty("certificateKeystoreFile", Type.JSSE);
- this.certificateKeystoreFile = certificateKeystoreFile;
+ this.certificateKeystoreFile = adjustRelativePath(certificateKeystoreFile);
}
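Review bot: `adjustRelativePath` on the changed line prefixes every non-empty, non-absolute value with `$CATALINA_BASE`, so the `NONE` sentinel that http.xml now documents for certificateKeystoreFile reaches `JSSESocketFactory.getStore` as `<catalina.base>/NONE` (after a "does not exist" warning is logged), and the `"NONE".equalsIgnoreCase(path)` check added there can never match. Either keep the path unresolved until `getStore` as before, or skip the sentinel here: `this.certificateKeystoreFile = "NONE".equalsIgnoreCase(certificateKeystoreFile) ? certificateKeystoreFile : adjustRelativePath(certificateKeystoreFile);`. The `getStore` condition itself has a separate grouping problem, noted on that hunk.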
@@ -299,11 +315,85 @@ public class SSLHostConfig {
}
+ public void setTrustManagerClassName(String trustManagerClassName) {
+ setProperty("trustManagerClassName", Type.JSSE);
+ this.trustManagerClassName = trustManagerClassName;
+ }
+
+
+ public String getTrustManagerClassName() {
+ return trustManagerClassName;
+ }
+
+
+ public void setTruststoreAlgorithm(String truststoreAlgorithm) {
+ setProperty("truststoreAlgorithm", Type.JSSE);
+ this.truststoreAlgorithm = truststoreAlgorithm;
+ }
+
+
+ public String getTruststoreAlgorithm() {
+ return truststoreAlgorithm;
+ }
+
+
+ public void setTruststoreFile(String truststoreFile) {
+ setProperty("truststoreFile", Type.JSSE);
+ this.truststoreFile = adjustRelativePath(truststoreFile);
+ }
+
+
+ public String getTruststoreFile() {
+ return truststoreFile;
+ }
+
+
+ public void setTruststorePassword(String truststorePassword) {
+ setProperty("truststorePassword", Type.JSSE);
+ this.truststorePassword = truststorePassword;
+ }
+
+
+ public String getTruststorePassword() {
+ return truststorePassword;
+ }
+
+
+ public void setTruststoreProvider(String truststoreProvider) {
+ setProperty("truststoreProvider", Type.JSSE);
+ this.truststoreProvider = truststoreProvider;
+ }
+
+
+ public String getTruststoreProvider() {
+ if (truststoreProvider == null) {
+ return getCertificateKeystoreProvider();
+ } else {
+ return truststoreProvider;
+ }
+ }
+
+
+ public void setTruststoreType(String truststoreType) {
+ setProperty("truststoreType", Type.JSSE);
+ this.truststoreType = truststoreType;
+ }
+
+
+ public String getTruststoreType() {
+ if (truststoreType == null) {
+ return getCertificateKeystoreType();
+ } else {
+ return truststoreType;
+ }
+ }
+
+
// ------------------------------- OpenSSL specific configuration properties
public void setCertificateFile(String certificateFile) {
setProperty("certificateFile", Type.OPENSSL);
- this.certificateFile = certificateFile;
+ this.certificateFile = adjustRelativePath(certificateFile);
}
@@ -314,7 +404,7 @@ public class SSLHostConfig {
public void setCertificateKeyFile(String certificateKeyFile) {
setProperty("certificateKeyFile", Type.OPENSSL);
- this.certificateKeyFile = certificateKeyFile;
+ this.certificateKeyFile = adjustRelativePath(certificateKeyFile);
}
@@ -325,7 +415,7 @@ public class SSLHostConfig {
public void setCertificateRevocationListPath(String certificateRevocationListPath) {
setProperty("certificateRevocationListPath", Type.OPENSSL);
- this.certificateRevocationListPath = certificateRevocationListPath;
+ this.certificateRevocationListPath = adjustRelativePath(certificateRevocationListPath);
}
@@ -334,6 +424,28 @@ public class SSLHostConfig {
}
+ // --------------------------------------------------------- Support methods
+
+ private String adjustRelativePath(String path) {
+ // Empty or null path can't point to anything useful. The assumption is
+ // that the value is deliberately empty / null so leave it that way.
+ if (path == null || path.length() == 0) {
+ return path;
+ }
+ String newPath = path;
+ File f = new File(newPath);
+ if ( !f.isAbsolute()) {
+ newPath = System.getProperty(Constants.CATALINA_BASE_PROP) + File.separator + newPath;
+ f = new File(newPath);
+ }
+ if (!f.exists()) {
+ // TODO i18n, sm
+ log.warn("configured file:["+newPath+"] does not exist.");
+ }
+ return newPath;
+ }
+
+
// ----------------------------------------------------------- Inner classes
public static enum Type {
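Review bot: `System.getProperty(Constants.CATALINA_BASE_PROP)` is concatenated unchecked in the relative-path branch, so when the property is unset (embedded use, presumably) the result is the literal string `null/<path>` and the warning names that bogus path instead of the real problem. Reading it into a local first, `String base = System.getProperty(Constants.CATALINA_BASE_PROP);`, and warning-and-returning `path` unchanged when `base == null` keeps the original value visible to the later load failure. `path.length() == 0` can also be written `path.isEmpty()`, and the TODO on the warning could cite the key the message should get in `LocalStrings.properties` so it is not forgotten.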
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1678097&r1=1678096&r2=1678097&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed May 6 21:30:54 2015
@@ -83,12 +83,8 @@ public class JSSESocketFactory implement
// Defaults - made public where re-used
private static final String defaultProtocol = "TLS";
- private static final String defaultKeystoreType = "JKS";
- private static final String defaultKeystoreFile
- = System.getProperty("user.home") + "/.keystore";
private static final int defaultSessionCacheSize = 0;
private static final int defaultSessionTimeout = 86400;
- public static final String DEFAULT_KEY_PASS = "changeit";
private final AbstractEndpoint<?> endpoint;
private final SSLHostConfig sslHostConfig;
@@ -185,70 +181,21 @@ public class JSSESocketFactory implement
return ciphers.toArray(new String[ciphers.size()]);
}
- /*
- * Gets the SSL server's keystore.
- */
- protected KeyStore getKeystore(String type, String provider, String pass)
- throws IOException {
-
- String keystoreFile = sslHostConfig.getCertificateKeystoreFile();
- if (keystoreFile == null)
- keystoreFile = defaultKeystoreFile;
-
- return getStore(type, provider, keystoreFile, pass);
- }
/*
* Gets the SSL server's truststore.
*/
- protected KeyStore getTrustStore(String keystoreType,
- String keystoreProvider) throws IOException {
+ protected KeyStore getTrustStore() throws IOException {
KeyStore trustStore = null;
- String truststoreFile = endpoint.getTruststoreFile();
- if(truststoreFile == null) {
- truststoreFile = System.getProperty("javax.net.ssl.trustStore");
- }
- if(log.isDebugEnabled()) {
- log.debug("Truststore = " + truststoreFile);
- }
-
- String truststorePassword = endpoint.getTruststorePass();
- if( truststorePassword == null) {
- truststorePassword =
- System.getProperty("javax.net.ssl.trustStorePassword");
- }
- if(log.isDebugEnabled()) {
- log.debug("TrustPass = " + truststorePassword);
- }
-
- String truststoreType = endpoint.getTruststoreType();
- if( truststoreType == null) {
- truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
- }
- if(truststoreType == null) {
- truststoreType = keystoreType;
- }
- if(log.isDebugEnabled()) {
- log.debug("trustType = " + truststoreType);
- }
-
- String truststoreProvider = endpoint.getTruststoreProvider();
- if( truststoreProvider == null) {
- truststoreProvider =
- System.getProperty("javax.net.ssl.trustStoreProvider");
- }
- if (truststoreProvider == null) {
- truststoreProvider = keystoreProvider;
- }
- if(log.isDebugEnabled()) {
- log.debug("trustProvider = " + truststoreProvider);
- }
+ String truststoreFile = sslHostConfig.getTruststoreFile();
+ String truststoreType = sslHostConfig.getTruststoreType();
+ String truststoreProvider = sslHostConfig.getTruststoreProvider();
if (truststoreFile != null){
try {
trustStore = getStore(truststoreType, truststoreProvider,
- truststoreFile, truststorePassword);
+ truststoreFile, sslHostConfig.getTruststorePassword());
} catch (IOException ioe) {
Throwable cause = ioe.getCause();
if (cause instanceof UnrecoverableKeyException) {
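Review bot: The rewritten `getTrustStore()` drops every debug line the old code had, so there is no longer any log output showing which truststore file, type and provider were actually resolved through the SSLHostConfig fall-back chain, which is the first thing one needs when client-certificate validation fails on a host. A single line that deliberately leaves the password out, `if (log.isDebugEnabled()) { log.debug("Truststore = " + truststoreFile + ", type = " + truststoreType + ", provider = " + truststoreProvider); }`, preserves that diagnostic. getTrustStore continues past the end of this hunk.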
@@ -268,6 +215,7 @@ public class JSSESocketFactory implement
return trustStore;
}
+
/*
* Gets the key- or truststore with the specified type, path, and password.
*/
@@ -283,12 +231,9 @@ public class JSSESocketFactory implement
ks = KeyStore.getInstance(type, provider);
}
if(!("PKCS11".equalsIgnoreCase(type) ||
- "".equalsIgnoreCase(path))) {
+ "".equalsIgnoreCase(path)) ||
+ "NONE".equalsIgnoreCase(path)) {
File keyStoreFile = new File(path);
- if (!keyStoreFile.isAbsolute()) {
- keyStoreFile = new File(System.getProperty(
- Constants.CATALINA_BASE_PROP), path);
- }
istream = new FileInputStream(keyStoreFile);
}
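Review bot: The new `"NONE"` test at the changed lines sits outside the negated group, so the condition reads `!(PKCS11 || "") || NONE`, which is true for a `NONE` path and opens a file literally named NONE instead of skipping the load; the intended grouping is `if (!("PKCS11".equalsIgnoreCase(type) || "".equalsIgnoreCase(path) || "NONE".equalsIgnoreCase(path))) {`. Note also that the relative-path resolution removed here now happens in `SSLHostConfig.adjustRelativePath` at set time, which prefixes `NONE` with `$CATALINA_BASE`, so even with the fixed grouping the sentinel does not arrive here unchanged (see the note on `setCertificateKeystoreFile`). getStore starts and ends outside this hunk.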
@@ -335,84 +280,31 @@ public class JSSESocketFactory implement
return new JSSESSLContext(protocol);
}
+
@Override
public KeyManager[] getKeyManagers() throws Exception {
String keystoreType = sslHostConfig.getCertificateKeystoreType();
- if (keystoreType == null) {
- keystoreType = defaultKeystoreType;
- }
-
- return getKeyManagers(keystoreType, sslHostConfig.getCertificateKeystoreProvider(),
- sslHostConfig.getKeyManagerAlgorithm(),
- sslHostConfig.getCertificateKeyAlias());
- }
-
- @Override
- public TrustManager[] getTrustManagers() throws Exception {
- String truststoreType = endpoint.getTruststoreType();
- if (truststoreType == null) {
- truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
- }
- if (truststoreType == null) {
- truststoreType = sslHostConfig.getCertificateKeystoreType();
- }
- if (truststoreType == null) {
- truststoreType = defaultKeystoreType;
- }
-
- String algorithm = endpoint.getTruststoreAlgorithm();
- if (algorithm == null) {
- algorithm = TrustManagerFactory.getDefaultAlgorithm();
- }
-
- return getTrustManagers(truststoreType, endpoint.getTruststoreProvider(), algorithm);
- }
-
- @Override
- public void configureSessionContext(SSLSessionContext sslSessionContext) {
- int sessionCacheSize;
- if (endpoint.getSessionCacheSize() != null) {
- sessionCacheSize = Integer.parseInt(
- endpoint.getSessionCacheSize());
- } else {
- sessionCacheSize = defaultSessionCacheSize;
- }
-
- int sessionTimeout;
- if (endpoint.getSessionTimeout() != null) {
- sessionTimeout = Integer.parseInt(endpoint.getSessionTimeout());
- } else {
- sessionTimeout = defaultSessionTimeout;
+ String keystoreProvider = sslHostConfig.getCertificateKeystoreProvider();
+ String keystoreFile = sslHostConfig.getCertificateKeystoreFile();
+ String keystorePass = sslHostConfig.getCertificateKeystorePassword();
+ String keyAlias = sslHostConfig.getCertificateKeyAlias();
+ String algorithm = sslHostConfig.getKeyManagerAlgorithm();
+ String keyPass = sslHostConfig.getCertificateKeyPassword();
+ // This has to be here as it can't be moved to SSLHostConfig since the
+ // defaults vary between JSSE and OpenSSL.
+ if (keyPass == null) {
+ keyPass = sslHostConfig.getCertificateKeystorePassword();
}
- sslSessionContext.setSessionCacheSize(sessionCacheSize);
- sslSessionContext.setSessionTimeout(sessionTimeout);
- }
-
- /**
- * Gets the initialized key managers.
- */
- protected KeyManager[] getKeyManagers(String keystoreType,
- String keystoreProvider,
- String algorithm,
- String keyAlias)
- throws Exception {
-
KeyManager[] kms = null;
- String keystorePass = sslHostConfig.getCertificateKeystorePassword();
-
- KeyStore ks = getKeystore(keystoreType, keystoreProvider, keystorePass);
+ KeyStore ks = getStore(keystoreType, keystoreProvider, keystoreFile, keystorePass);
if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
throw new IOException(
sm.getString("jsse.alias_no_key_entry", keyAlias));
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
- String keyPass = sslHostConfig.getCertificateKeyPassword();
- if (keyPass == null) {
- keyPass = keystorePass;
- }
kmf.init(ks, keyPass.toCharArray());
kms = kmf.getKeyManagers();
@@ -429,15 +321,14 @@ public class JSSESocketFactory implement
return kms;
}
- /**
- * Gets the initialized trust managers.
- */
- protected TrustManager[] getTrustManagers(String keystoreType,
- String keystoreProvider, String algorithm)
- throws Exception {
+
+ @Override
+ public TrustManager[] getTrustManagers() throws Exception {
+ String algorithm = sslHostConfig.getTruststoreAlgorithm();
+
String crlf = sslHostConfig.getCertificateRevocationListFile();
- String className = endpoint.getTrustManagerClassName();
+ String className = sslHostConfig.getTrustManagerClassName();
if(className != null && className.length() > 0) {
ClassLoader classLoader = getClass().getClassLoader();
Class<?> clazz = classLoader.loadClass(className);
@@ -452,20 +343,16 @@ public class JSSESocketFactory implement
TrustManager[] tms = null;
- KeyStore trustStore = getTrustStore(keystoreType, keystoreProvider);
- if (trustStore != null || endpoint.getTrustManagerClassName() != null) {
+ KeyStore trustStore = getTrustStore();
+ if (trustStore != null || className != null) {
if (crlf == null) {
- TrustManagerFactory tmf =
- TrustManagerFactory.getInstance(algorithm);
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init(trustStore);
tms = tmf.getTrustManagers();
} else {
- TrustManagerFactory tmf =
- TrustManagerFactory.getInstance(algorithm);
- CertPathParameters params =
- getParameters(algorithm, crlf, trustStore);
- ManagerFactoryParameters mfp =
- new CertPathTrustManagerParameters(params);
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
+ CertPathParameters params = getParameters(algorithm, crlf, trustStore);
+ ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params);
tmf.init(mfp);
tms = tmf.getTrustManagers();
}
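Review bot: The changed guard `if (trustStore != null || className != null)` admits an empty string, which the `className.length() > 0` check earlier in getTrustManagers explicitly excludes, so a configuration with `trustManagerClassName=""` and no truststore file reaches `tmf.init(trustStore)` with a null KeyStore; the JDK's default TrustManagerFactory then appears to fall back to its own default trust store, which is unlikely to be what the operator meant for client-certificate validation. Hoisting the earlier test into a local, `boolean customTrustManager = className != null && className.length() > 0;`, and using it in both places removes the discrepancy. getTrustManagers starts before this hunk and ends after it.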
@@ -474,6 +361,28 @@ public class JSSESocketFactory implement
return tms;
}
+ @Override
+ public void configureSessionContext(SSLSessionContext sslSessionContext) {
+ int sessionCacheSize;
+ if (endpoint.getSessionCacheSize() != null) {
+ sessionCacheSize = Integer.parseInt(
+ endpoint.getSessionCacheSize());
+ } else {
+ sessionCacheSize = defaultSessionCacheSize;
+ }
+
+ int sessionTimeout;
+ if (endpoint.getSessionTimeout() != null) {
+ sessionTimeout = Integer.parseInt(endpoint.getSessionTimeout());
+ } else {
+ sessionTimeout = defaultSessionTimeout;
+ }
+
+ sslSessionContext.setSessionCacheSize(sessionCacheSize);
+ sslSessionContext.setSessionTimeout(sessionTimeout);
+ }
+
+
/**
* Return the initialization parameters for the TrustManager.
* Currently, only the default <code>PKIX</code> is supported.
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1678097&r1=1678096&r2=1678097&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Wed May 6 21:30:54 2015
@@ -1034,7 +1034,8 @@
<attribute name="certificateFile" required="true">
<p>OpenSSL only.</p>
<p>Name of the file that contains the server certificate. The format is
- PEM-encoded.</p>
+ PEM-encoded. Relative paths will be resolved against
+ <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateKeyAlias" required="true">
@@ -1051,9 +1052,10 @@
<attribute name="certificateKeyFile" required="false">
<p>OpenSSL only.</p>
<p>Name of the file that contains the server private key. The format is
- PEM-encoded. The default value is the value of "SSLCertificateFile" and in
- this case both certificate and private key have to be in this file (NOT
- RECOMMENDED).</p>
+ PEM-encoded. The default value is the value of
+ <strong>certificateFile</strong> and in this case both certificate and
+ private key have to be in this file (NOT RECOMMENDED). Relative paths will
+ be resolved against <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateKeyPassword" required="false">
@@ -1070,7 +1072,9 @@
certificate and key to be loaded. By default, the pathname is the file
<code>.keystore</code> in the operating system home directory of the user
that is running Tomcat. If your <code>keystoreType</code> doesn't need a
- file use <code>""</code> (empty string) for this parameter.</p>
+ file use <code>""</code> (empty string) or <code>NONE</code> for this
+ parameter. Relative paths will be resolved against
+ <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateKeystorePassword" required="false">
@@ -1083,16 +1087,21 @@
<attribute name="certificateKeystoreProvider" required="true">
<p>JSSE only.</p>
<p>The name of the keystore provider to be used for the server
- certificate. If not specified, the list of registered providers is
- traversed in preference order and the first provider that supports the
- <code>keystoreType</code> is used.
+ certificate. If not specified, the value of the system property
+ <code>javax.net.ssl.keyStoreProvider</code> is used. If neither this
+ attribute nor the system property are set, the list of registered
+ providers is traversed in preference order and the first provider that
+ supports the <code>keystoreType</code> is used.
</p>
</attribute>
<attribute name="certificateKeystoreType" required="true">
<p>JSSE only.</p>
<p>The type of keystore file to be used for the server certificate.
- If not specified, the default value is "<code>JKS</code>".</p>
+ If not specified, the value of the system property
+ <code>javax.net.ssl.keyStoreType</code> is used. If neither this attribute
+ nor the system property are set, a default value of "<code>JKS</code>". is
+ used.</p>
</attribute>
<attribute name="certificateRevocationFile" required="false">
@@ -1100,13 +1109,15 @@
lists for the certificate authorities. The format is PEM-encoded. If not
defined, client certificates will not be checked against a certificate
revocation list (unless an OpenSSl based connector is used and
- <strong>certificateRevocationPath</strong> is defined).</p>
+ <strong>certificateRevocationPath</strong> is defined). Relative paths
+ will be resolved against <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateRevocationPath" required="false">
<p>OpenSSL only.</p>
<p>Name of the directory that contains the certificate revocation lists
- for the certificate authorities. The format is PEM-encoded.</p>
+ for the certificate authorities. The format is PEM-encoded. Relative paths
+ will be resolved against <code>$CATALINA_BASE</code>.</p>
</attribute>
<attribute name="certificateVerification" required="false">
@@ -1186,6 +1197,62 @@
used.</p>
</attribute>
+ <attribute name="trustManagerClassName" required="false">
+ <p>JSSE only.</p>
+ <p>The name of a custom trust manager class to use to validate client
+ certificates. The class must have a zero argument constructor and must
+ also implement <code>javax.net.ssl.X509TrustManager</code>. If this
+ attribute is set, the trust store attributes may be ignored.</p>
+ </attribute>
+
+ <attribute name="truststoreAlgorithm" required="false">
+ <p>JSSE only.</p>
+ <p>The algorithm to use for truststore. If not specified, the default
+ value returned by
+ <code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code> is
+ used.</p>
+ </attribute>
+
+ <attribute name="truststoreFile" required="false">
+ <p>JSSE only.</p>
+ <p>The trust store file to use to validate client certificates. The
+ default is the value of the <code>javax.net.ssl.trustStore</code> system
+ property. If neither this attribute nor the default system property is
+ set, no trust store will be configured. Relative paths
+ will be resolved against <code>$CATALINA_BASE</code>.</p>
+ </attribute>
+
+ <attribute name="truststorePass" required="false">
+ <p>JSSE only.</p>
+ <p>The password to access the trust store. The default is the value of the
+ <code>javax.net.ssl.trustStorePassword</code> system property. If that
+ property is null, no trust store password will be configured. If an
+ invalid trust store password is specified, a warning will be logged and an
+ attempt will be made to access the trust store without a password which
+ will skip validation of the trust store contents.</p>
+ </attribute>
+
+ <attribute name="truststoreProvider" required="false">
+ <p>JSSE only.</p>
+ <p>The name of the truststore provider to be used for the server
+ certificate. The default is the value of the
+ <code>javax.net.ssl.trustStoreProvider</code> system property. If
+ that property is null, the value of <code>keystoreProvider</code> is used
+ as the default. If neither this attribute, the default system property nor
+ <code>keystoreProvider</code>is set, the list of registered providers is
+ traversed in preference order and the first provider that supports the
+ <code>truststoreType</code> is used.
+ </p>
+ </attribute>
+
+ <attribute name="truststoreType" required="false">
+ <p>JSSE only.</p>
+ <p>The type of key store used for the trust store. The default is the
+ value of the <code>javax.net.ssl.trustStoreType</code> system property. If
+ that property is null, the value of <code>keystoreType</code> is used as
+ the default.</p>
+ </attribute>
+
</attributes>
</subsection>
@@ -1293,11 +1360,9 @@
</attribute>
<attribute name="trustManagerClassName" required="false">
- <p>The name of a custom trust manager class to use to validate client
- certificates. The class must have a zero argument constructor and must
- also implement <code>javax.net.ssl.X509TrustManager</code>. If this
- attribute is set, the trust store attributes may be ignored.
- </p>
+ <p>This is an alias for the <code>trustManagerClassName</code> attribute
+ of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="trustMaxCertLength" required="false">
@@ -1307,45 +1372,33 @@
</attribute>
<attribute name="truststoreAlgorithm" required="false">
- <p>The algorithm to use for truststore. If not specified, the default
- value returned by
- <code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code> is
- used.</p>
+ <p>This is an alias for the <code>truststoreAlgorithm</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="truststoreFile" required="false">
- <p>The trust store file to use to validate client certificates. The
- default is the value of the <code>javax.net.ssl.trustStore</code> system
- property. If neither this attribute nor the default system property is
- set, no trust store will be configured.</p>
+ <p>This is an alias for the <code>truststoreFile</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="truststorePass" required="false">
- <p>The password to access the trust store. The default is the value of the
- <code>javax.net.ssl.trustStorePassword</code> system property. If that
- property is null, no trust store password will be configured. If an
- invalid trust store password is specified, a warning will be logged and an
- attempt will be made to access the trust store without a password which
- will skip validation of the trust store contents.</p>
+ <p>This is an alias for the <code>truststorePass</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="truststoreProvider" required="false">
- <p>The name of the truststore provider to be used for the server
- certificate. The default is the value of the
- <code>javax.net.ssl.trustStoreProvider</code> system property. If
- that property is null, the value of <code>keystoreProvider</code> is used
- as the default. If neither this attribute, the default system property nor
- <code>keystoreProvider</code>is set, the list of registered providers is
- traversed in preference order and the first provider that supports the
- <code>truststoreType</code> is used.
- </p>
+ <p>This is an alias for the <code>truststoreProvider</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="truststoreType" required="false">
- <p>The type of key store used for the trust store. The default is the
- value of the <code>javax.net.ssl.trustStoreType</code> system property. If
- that property is null, the value of <code>keystoreType</code> is used as
- the default.</p>
+ <p>This is an alias for the <code>truststoreType</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="useServerCipherSuitesOrder" required="false">