You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/10/11 20:12:49 UTC
[tomcat] 01/02: Remove JSSE specific abstract classes
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2b4be933abc1176f1ed684202db8e6a3ef943eb7
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 26 18:15:21 2022 +0100
Remove JSSE specific abstract classes
With the removal of the APR/native connector, all end points now use
JSSE (even if it is a 'fake' JSSE implementation using OpenSSL).
---
java/org/apache/catalina/connector/Connector.java | 8 +-
.../catalina/startup/ConnectorCreateRule.java | 4 +-
.../coyote/http11/AbstractHttp11JsseProtocol.java | 56 -----
.../coyote/http11/AbstractHttp11Protocol.java | 22 ++
.../apache/coyote/http11/Http11Nio2Protocol.java | 2 +-
.../apache/coyote/http11/Http11NioProtocol.java | 2 +-
.../apache/tomcat/util/net/AbstractEndpoint.java | 189 ++++++++++++++++-
.../tomcat/util/net/AbstractJsseEndpoint.java | 225 ---------------------
java/org/apache/tomcat/util/net/Nio2Endpoint.java | 2 +-
java/org/apache/tomcat/util/net/NioEndpoint.java | 2 +-
.../tomcat/util/net/TestCustomSslTrustManager.java | 4 +-
11 files changed, 220 insertions(+), 296 deletions(-)
diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java
index 1284d87551..26eb13c181 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -35,7 +35,7 @@ import org.apache.coyote.AbstractProtocol;
import org.apache.coyote.Adapter;
import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.UpgradeProtocol;
-import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
+import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.IntrospectionUtils;
@@ -1042,9 +1042,9 @@ public class Connector extends LifecycleMBeanBase {
}
if (AprStatus.isAprAvailable() && AprStatus.getUseOpenSSL() &&
- protocolHandler instanceof AbstractHttp11JsseProtocol) {
- AbstractHttp11JsseProtocol<?> jsseProtocolHandler =
- (AbstractHttp11JsseProtocol<?>) protocolHandler;
+ protocolHandler instanceof AbstractHttp11Protocol) {
+ AbstractHttp11Protocol<?> jsseProtocolHandler =
+ (AbstractHttp11Protocol<?>) protocolHandler;
if (jsseProtocolHandler.isSSLEnabled() &&
jsseProtocolHandler.getSslImplementationName() == null) {
// OpenSSL is compatible with the JSSE configuration, so use it if APR is available
diff --git a/java/org/apache/catalina/startup/ConnectorCreateRule.java b/java/org/apache/catalina/startup/ConnectorCreateRule.java
index aa297fbd89..fbc528f6a8 100644
--- a/java/org/apache/catalina/startup/ConnectorCreateRule.java
+++ b/java/org/apache/catalina/startup/ConnectorCreateRule.java
@@ -22,7 +22,7 @@ import java.lang.reflect.Method;
import org.apache.catalina.Executor;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
-import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
+import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.IntrospectionUtils;
@@ -86,7 +86,7 @@ public class ConnectorCreateRule extends Rule {
code.append(System.lineSeparator());
}
if (sslImplementationName != null) {
- code.append("((").append(AbstractHttp11JsseProtocol.class.getName()).append("<?>) ");
+ code.append("((").append(AbstractHttp11Protocol.class.getName()).append("<?>) ");
code.append(digester.toVariableName(con)).append(".getProtocolHandler()).setSslImplementationName(\"");
code.append(sslImplementationName).append("\");");
code.append(System.lineSeparator());
diff --git a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java b/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
deleted file mode 100644
index d8241a6bac..0000000000
--- a/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.coyote.http11;
-
-import org.apache.tomcat.util.net.AbstractJsseEndpoint;
-import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
-
-public abstract class AbstractHttp11JsseProtocol<S>
- extends AbstractHttp11Protocol<S> {
-
- public AbstractHttp11JsseProtocol(AbstractJsseEndpoint<S,?> endpoint) {
- super(endpoint);
- }
-
-
- @Override
- protected AbstractJsseEndpoint<S,?> getEndpoint() {
- // Over-ridden to add cast
- return (AbstractJsseEndpoint<S,?>) super.getEndpoint();
- }
-
-
- protected String getSslImplementationShortName() {
- if (OpenSSLImplementation.class.getName().equals(getSslImplementationName())) {
- return "openssl";
- }
- if (getSslImplementationName() != null
- && getSslImplementationName().endsWith(".panama.OpenSSLImplementation")) {
- return "opensslforeign";
- }
- return "jsse";
- }
-
- public String getSslImplementationName() { return getEndpoint().getSslImplementationName(); }
- public void setSslImplementationName(String s) { getEndpoint().setSslImplementationName(s); }
-
-
- public int getSniParseLimit() { return getEndpoint().getSniParseLimit(); }
- public void setSniParseLimit(int sniParseLimit) {
- getEndpoint().setSniParseLimit(sniParseLimit);
- }
-}
diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
index ab74a5434d..f9d125630d 100644
--- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
+++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -50,6 +50,7 @@ import org.apache.tomcat.util.modeler.Util;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SocketWrapperBase;
+import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
import org.apache.tomcat.util.res.StringManager;
public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> {
@@ -694,6 +695,27 @@ public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> {
}
+ protected String getSslImplementationShortName() {
+ if (OpenSSLImplementation.class.getName().equals(getSslImplementationName())) {
+ return "openssl";
+ }
+ if (getSslImplementationName() != null
+ && getSslImplementationName().endsWith(".panama.OpenSSLImplementation")) {
+ return "opensslforeign";
+ }
+ return "jsse";
+ }
+
+ public String getSslImplementationName() { return getEndpoint().getSslImplementationName(); }
+ public void setSslImplementationName(String s) { getEndpoint().setSslImplementationName(s); }
+
+
+ public int getSniParseLimit() { return getEndpoint().getSniParseLimit(); }
+ public void setSniParseLimit(int sniParseLimit) {
+ getEndpoint().setSniParseLimit(sniParseLimit);
+ }
+
+
// ------------------------------------------------------------- Common code
@Override
diff --git a/java/org/apache/coyote/http11/Http11Nio2Protocol.java b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
index e30b41a552..c5754b6222 100644
--- a/java/org/apache/coyote/http11/Http11Nio2Protocol.java
+++ b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
@@ -25,7 +25,7 @@ import org.apache.tomcat.util.net.Nio2Endpoint;
/**
* HTTP/1.1 protocol implementation using NIO2.
*/
-public class Http11Nio2Protocol extends AbstractHttp11JsseProtocol<Nio2Channel> {
+public class Http11Nio2Protocol extends AbstractHttp11Protocol<Nio2Channel> {
private static final Log log = LogFactory.getLog(Http11Nio2Protocol.class);
diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index f77e45bad9..e9271025ef 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -30,7 +30,7 @@ import org.apache.tomcat.util.net.NioEndpoint;
* @author Remy Maucherat
* @author Costin Manolache
*/
-public class Http11NioProtocol extends AbstractHttp11JsseProtocol<NioChannel> {
+public class Http11NioProtocol extends AbstractHttp11Protocol<NioChannel> {
private static final Log log = LogFactory.getLog(Http11NioProtocol.class);
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 2ce72e8acb..30aa1d006c 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -21,11 +21,14 @@ import java.io.OutputStreamWriter;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
+import java.net.SocketAddress;
import java.net.SocketException;
+import java.nio.channels.NetworkChannel;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
@@ -40,6 +43,8 @@ import java.util.concurrent.TimeUnit;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
import org.apache.juli.logging.Log;
import org.apache.tomcat.util.ExceptionUtils;
@@ -47,6 +52,7 @@ import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.modeler.Registry;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
+import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.threads.LimitLatch;
import org.apache.tomcat.util.threads.ResizableExecutor;
@@ -210,8 +216,32 @@ public abstract class AbstractEndpoint<S,U> {
return new HashSet<>(connections.values());
}
+ private SSLImplementation sslImplementation = null;
+ public SSLImplementation getSslImplementation() {
+ return sslImplementation;
+ }
+
+
// ----------------------------------------------------------------- Properties
+ private String sslImplementationName = null;
+ public String getSslImplementationName() {
+ return sslImplementationName;
+ }
+ public void setSslImplementationName(String s) {
+ this.sslImplementationName = s;
+ }
+
+
+ private int sniParseLimit = 64 * 1024;
+ public int getSniParseLimit() {
+ return sniParseLimit;
+ }
+ public void setSniParseLimit(int sniParseLimit) {
+ this.sniParseLimit = sniParseLimit;
+ }
+
+
private String defaultSSLHostConfigName = SSLHostConfig.DEFAULT_SSL_HOST_NAME;
/**
* @return The host name for the default SSL configuration for this endpoint
@@ -354,7 +384,138 @@ public abstract class AbstractEndpoint<S,U> {
* @throws Exception If the SSLContext cannot be created for the given
* SSLHostConfig
*/
- protected abstract void createSSLContext(SSLHostConfig sslHostConfig) throws Exception;
+ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException {
+
+ // HTTP/2 does not permit optional certificate authentication with any
+ // version of TLS.
+ if (sslHostConfig.getCertificateVerification().isOptional() &&
+ negotiableProtocols.contains("h2")) {
+ getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", sslHostConfig.getHostName()));
+ }
+
+ boolean firstCertificate = true;
+ for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
+ SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
+ if (firstCertificate) {
+ firstCertificate = false;
+ sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols());
+ sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
+ }
+
+ SSLContext sslContext;
+ try {
+ sslContext = sslUtil.createSSLContext(negotiableProtocols);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(e.getMessage(), e);
+ }
+
+ certificate.setSslContext(sslContext);
+ }
+ }
+
+
+ protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
+ List<String> clientRequestedApplicationProtocols) {
+ SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
+
+ SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);
+
+ SSLContext sslContext = certificate.getSslContext();
+ if (sslContext == null) {
+ throw new IllegalStateException(
+ sm.getString("endpoint.jsse.noSslContext", sniHostName));
+ }
+
+ SSLEngine engine = sslContext.createSSLEngine();
+ engine.setUseClientMode(false);
+ engine.setEnabledCipherSuites(sslHostConfig.getEnabledCiphers());
+ engine.setEnabledProtocols(sslHostConfig.getEnabledProtocols());
+
+ SSLParameters sslParameters = engine.getSSLParameters();
+ sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
+ if (clientRequestedApplicationProtocols != null
+ && clientRequestedApplicationProtocols.size() > 0
+ && negotiableProtocols.size() > 0) {
+ // Only try to negotiate if both client and server have at least
+ // one protocol in common
+ // Note: Tomcat does not explicitly negotiate http/1.1
+ // TODO: Is this correct? Should it change?
+ List<String> commonProtocols = new ArrayList<>(negotiableProtocols);
+ commonProtocols.retainAll(clientRequestedApplicationProtocols);
+ if (commonProtocols.size() > 0) {
+ String[] commonProtocolsArray = commonProtocols.toArray(new String[0]);
+ sslParameters.setApplicationProtocols(commonProtocolsArray);
+ }
+ }
+ switch (sslHostConfig.getCertificateVerification()) {
+ case NONE:
+ sslParameters.setNeedClientAuth(false);
+ sslParameters.setWantClientAuth(false);
+ break;
+ case OPTIONAL:
+ case OPTIONAL_NO_CA:
+ sslParameters.setWantClientAuth(true);
+ break;
+ case REQUIRED:
+ sslParameters.setNeedClientAuth(true);
+ break;
+ }
+ // The getter (at least in OpenJDK and derivatives) returns a defensive copy
+ engine.setSSLParameters(sslParameters);
+
+ return engine;
+ }
+
+
+ private SSLHostConfigCertificate selectCertificate(
+ SSLHostConfig sslHostConfig, List<Cipher> clientCiphers) {
+
+ Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true);
+ if (certificates.size() == 1) {
+ return certificates.iterator().next();
+ }
+
+ LinkedHashSet<Cipher> serverCiphers = sslHostConfig.getCipherList();
+
+ List<Cipher> candidateCiphers = new ArrayList<>();
+ if (sslHostConfig.getHonorCipherOrder()) {
+ candidateCiphers.addAll(serverCiphers);
+ candidateCiphers.retainAll(clientCiphers);
+ } else {
+ candidateCiphers.addAll(clientCiphers);
+ candidateCiphers.retainAll(serverCiphers);
+ }
+
+ for (Cipher candidate : candidateCiphers) {
+ for (SSLHostConfigCertificate certificate : certificates) {
+ if (certificate.getType().isCompatibleWith(candidate.getAu())) {
+ return certificate;
+ }
+ }
+ }
+
+ // No matches. Just return the first certificate. The handshake will
+ // then fail due to no matching ciphers.
+ return certificates.iterator().next();
+ }
+
+
+ protected void initialiseSsl() throws Exception {
+ if (isSSLEnabled()) {
+ sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
+
+ for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
+ createSSLContext(sslHostConfig);
+ }
+
+ // Validate default SSLHostConfigName
+ if (sslHostConfigs.get(getDefaultSSLHostConfigName()) == null) {
+ throw new IllegalArgumentException(sm.getString("endpoint.noSslHostConfig",
+ getDefaultSSLHostConfigName(), getName()));
+ }
+
+ }
+ }
protected void destroySsl() throws Exception {
@@ -578,6 +739,9 @@ public abstract class AbstractEndpoint<S,U> {
public void setAddress(InetAddress address) { this.address = address; }
+ protected abstract NetworkChannel getServerSocket();
+
+
/**
* Obtain the network address the server socket is bound to. This primarily
* exists to enable the correct address to be used when unlocking the server
@@ -590,7 +754,17 @@ public abstract class AbstractEndpoint<S,U> {
* @throws IOException If there is a problem determining the currently bound
* socket
*/
- protected abstract InetSocketAddress getLocalAddress() throws IOException;
+ protected final InetSocketAddress getLocalAddress() throws IOException {
+ NetworkChannel serverSock = getServerSocket();
+ if (serverSock == null) {
+ return null;
+ }
+ SocketAddress sa = serverSock.getLocalAddress();
+ if (sa instanceof InetSocketAddress) {
+ return (InetSocketAddress) sa;
+ }
+ return null;
+ }
/**
@@ -1162,8 +1336,17 @@ public abstract class AbstractEndpoint<S,U> {
*/
public abstract void bind() throws Exception;
- public abstract void unbind() throws Exception;
+
+ public void unbind() throws Exception {
+ for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
+ for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates()) {
+ certificate.setSslContext(null);
+ }
+ }
+ }
+
public abstract void startInternal() throws Exception;
+
public abstract void stopInternal() throws Exception;
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
deleted file mode 100644
index 43fc71db7a..0000000000
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.net;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.net.SocketAddress;
-import java.nio.channels.NetworkChannel;
-import java.util.ArrayList;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Set;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
-
-import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
-
-public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
-
- private String sslImplementationName = null;
- private int sniParseLimit = 64 * 1024;
-
- private SSLImplementation sslImplementation = null;
-
- public String getSslImplementationName() {
- return sslImplementationName;
- }
-
-
- public void setSslImplementationName(String s) {
- this.sslImplementationName = s;
- }
-
-
- public SSLImplementation getSslImplementation() {
- return sslImplementation;
- }
-
-
- public int getSniParseLimit() {
- return sniParseLimit;
- }
-
-
- public void setSniParseLimit(int sniParseLimit) {
- this.sniParseLimit = sniParseLimit;
- }
-
-
- protected void initialiseSsl() throws Exception {
- if (isSSLEnabled()) {
- sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
-
- for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- createSSLContext(sslHostConfig);
- }
-
- // Validate default SSLHostConfigName
- if (sslHostConfigs.get(getDefaultSSLHostConfigName()) == null) {
- throw new IllegalArgumentException(sm.getString("endpoint.noSslHostConfig",
- getDefaultSSLHostConfigName(), getName()));
- }
-
- }
- }
-
-
- @Override
- protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException {
-
- // HTTP/2 does not permit optional certificate authentication with any
- // version of TLS.
- if (sslHostConfig.getCertificateVerification().isOptional() &&
- negotiableProtocols.contains("h2")) {
- getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", sslHostConfig.getHostName()));
- }
-
- boolean firstCertificate = true;
- for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
- SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
- if (firstCertificate) {
- firstCertificate = false;
- sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols());
- sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
- }
-
- SSLContext sslContext;
- try {
- sslContext = sslUtil.createSSLContext(negotiableProtocols);
- } catch (Exception e) {
- throw new IllegalArgumentException(e.getMessage(), e);
- }
-
- certificate.setSslContext(sslContext);
- }
- }
-
-
- protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
- List<String> clientRequestedApplicationProtocols) {
- SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
-
- SSLHostConfigCertificate certificate = selectCertificate(sslHostConfig, clientRequestedCiphers);
-
- SSLContext sslContext = certificate.getSslContext();
- if (sslContext == null) {
- throw new IllegalStateException(
- sm.getString("endpoint.jsse.noSslContext", sniHostName));
- }
-
- SSLEngine engine = sslContext.createSSLEngine();
- engine.setUseClientMode(false);
- engine.setEnabledCipherSuites(sslHostConfig.getEnabledCiphers());
- engine.setEnabledProtocols(sslHostConfig.getEnabledProtocols());
-
- SSLParameters sslParameters = engine.getSSLParameters();
- sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
- if (clientRequestedApplicationProtocols != null
- && clientRequestedApplicationProtocols.size() > 0
- && negotiableProtocols.size() > 0) {
- // Only try to negotiate if both client and server have at least
- // one protocol in common
- // Note: Tomcat does not explicitly negotiate http/1.1
- // TODO: Is this correct? Should it change?
- List<String> commonProtocols = new ArrayList<>(negotiableProtocols);
- commonProtocols.retainAll(clientRequestedApplicationProtocols);
- if (commonProtocols.size() > 0) {
- String[] commonProtocolsArray = commonProtocols.toArray(new String[0]);
- sslParameters.setApplicationProtocols(commonProtocolsArray);
- }
- }
- switch (sslHostConfig.getCertificateVerification()) {
- case NONE:
- sslParameters.setNeedClientAuth(false);
- sslParameters.setWantClientAuth(false);
- break;
- case OPTIONAL:
- case OPTIONAL_NO_CA:
- sslParameters.setWantClientAuth(true);
- break;
- case REQUIRED:
- sslParameters.setNeedClientAuth(true);
- break;
- }
- // The getter (at least in OpenJDK and derivatives) returns a defensive copy
- engine.setSSLParameters(sslParameters);
-
- return engine;
- }
-
-
- private SSLHostConfigCertificate selectCertificate(
- SSLHostConfig sslHostConfig, List<Cipher> clientCiphers) {
-
- Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true);
- if (certificates.size() == 1) {
- return certificates.iterator().next();
- }
-
- LinkedHashSet<Cipher> serverCiphers = sslHostConfig.getCipherList();
-
- List<Cipher> candidateCiphers = new ArrayList<>();
- if (sslHostConfig.getHonorCipherOrder()) {
- candidateCiphers.addAll(serverCiphers);
- candidateCiphers.retainAll(clientCiphers);
- } else {
- candidateCiphers.addAll(clientCiphers);
- candidateCiphers.retainAll(serverCiphers);
- }
-
- for (Cipher candidate : candidateCiphers) {
- for (SSLHostConfigCertificate certificate : certificates) {
- if (certificate.getType().isCompatibleWith(candidate.getAu())) {
- return certificate;
- }
- }
- }
-
- // No matches. Just return the first certificate. The handshake will
- // then fail due to no matching ciphers.
- return certificates.iterator().next();
- }
-
-
- @Override
- public void unbind() throws Exception {
- for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates()) {
- certificate.setSslContext(null);
- }
- }
- }
-
-
- protected abstract NetworkChannel getServerSocket();
-
-
- @Override
- protected final InetSocketAddress getLocalAddress() throws IOException {
- NetworkChannel serverSock = getServerSocket();
- if (serverSock == null) {
- return null;
- }
- SocketAddress sa = serverSock.getLocalAddress();
- if (sa instanceof InetSocketAddress) {
- return (InetSocketAddress) sa;
- }
- return null;
- }
-}
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 9875e3d406..75444cfbc2 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -52,7 +52,7 @@ import org.apache.tomcat.util.net.jsse.JSSESupport;
/**
* NIO2 endpoint.
*/
-public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousSocketChannel> {
+public class Nio2Endpoint extends AbstractEndpoint<Nio2Channel,AsynchronousSocketChannel> {
// -------------------------------------------------------------- Constants
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index a228715123..d15aef314e 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -76,7 +76,7 @@ import org.apache.tomcat.util.net.jsse.JSSESupport;
* @author Mladen Turk
* @author Remy Maucherat
*/
-public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel> {
+public class NioEndpoint extends AbstractEndpoint<NioChannel,SocketChannel> {
// -------------------------------------------------------------- Constants
diff --git a/test/org/apache/tomcat/util/net/TestCustomSslTrustManager.java b/test/org/apache/tomcat/util/net/TestCustomSslTrustManager.java
index affee0dbd8..c198af9891 100644
--- a/test/org/apache/tomcat/util/net/TestCustomSslTrustManager.java
+++ b/test/org/apache/tomcat/util/net/TestCustomSslTrustManager.java
@@ -36,7 +36,7 @@ import org.apache.catalina.core.StandardServer;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
import org.apache.coyote.ProtocolHandler;
-import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
+import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.buf.ByteChunk;
/**
@@ -110,7 +110,7 @@ public class TestCustomSslTrustManager extends TomcatBaseTest {
// Override the defaults
ProtocolHandler handler = connector.getProtocolHandler();
- if (handler instanceof AbstractHttp11JsseProtocol) {
+ if (handler instanceof AbstractHttp11Protocol) {
connector.findSslHostConfigs()[0].setTruststoreFile(null);
} else {
// Unexpected
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org