Posted to dev@tomcat.apache.org by Wolfgang Hoschek <wo...@cern.ch> on 2001/09/10 16:50:26 UTC

[PATCH] SSLServerSocketFactory.java

It itched me a lot that to enable SSL in TC4 a standard JDK has to be modified
(copy JSSE libs into jdk/jre/lib/ext and add 
security.provider.3=com.sun.net.ssl.internal.ssl.Provider).
This was not necessary in TC 3.2.x because of different class loading 
semantics.
In our environment jdks cannot well be modified due to separate JDKs/archs, 
TCs, JSSEs, etc on shared read-only filesystems.

So here are three TC4 patches (against the latest CVS) that allow JSSE to 
be picked up from anywhere on the filesystem.
Patches are along the lines Craig suggested yesterday.
1) Modify catalina.sh and catalina.bat as indicated below to be able to add 
external jars to the system classpath (new env var CATALINA_SYSTEM_CLASSPATH).
2) Modify 
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/net/SSLServerSocketFactory.java 
to dynamically add the com.sun.net.ssl.internal.ssl.Provider provider

In case you don't like 1) because it allows external things to be added, 
then 2) is still of value because people don't need to write their own 
SSLServerSocketFactory
Hope someone wants to try this out and commit before 4.0 FCS.
Wolfgang.

--- SSLServerSocketFactory.java.orig	Fri Sep  7 20:39:08 2001
+++ SSLServerSocketFactory.java	Mon Sep 10 15:31:16 2001
@@ -386,6 +386,14 @@
              Security.addProvider(new sun.security.provider.Sun());
              Security.addProvider(new 
com.sun.net.ssl.internal.ssl.Provider());
              */
+            // even if jsse provider is already installed it can't hurt to 
make sure
+            // and we do need to install it here if it isn't hard-wired in 
jdk/jre/lib/security/java.security
+            try {
+ 
java.security.Security.addProvider(((java.security.Provider) 
Class.forName("com.sun.net.ssl.internal.ssl.Provider").newInstance()));
+            }
+            catch (IllegalAccessException exc) {}
+            catch (ClassNotFoundException exc) {}
+            catch (InstantiationException exc) {}

              // Create an SSL context used to create an SSL socket factory
              SSLContext context = SSLContext.getInstance(protocol);
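
Review bot: the three empty catch blocks discard the only signal that JSSE is missing. When `Class.forName("com.sun.net.ssl.internal.ssl.Provider")` throws ClassNotFoundException the code falls through to `SSLContext.getInstance(protocol)`, which then fails with a less informative NoSuchAlgorithmException far from the real cause. At least log the ClassNotFoundException (naming the provider class and CATALINA_SYSTEM_CLASSPATH as the fix) before continuing, or wrap it in the exception the caller already handles. The "can't hurt" comment is right for the other case: `Security.addProvider()` returns -1 and installs nothing when a provider with the same name is already registered, so a java.security that lists the provider statically is left undisturbed. The addProvider statement should also be one indented line like its neighbours; the version here is split across three lines by mail wrapping.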

--- jakarta-tomcat-4.0/catalina/src/bin/catalina.sh.orig	Sat Sep  8 
12:13:28 2001
+++ jakarta-tomcat-4.0/catalina/src/bin/catalina.sh	Mon Sep 10 16:28:25 2001
@@ -70,6 +70,12 @@
    CP=$CP:"$JAVA_HOME/lib/tools.jar"
  fi

+# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. For example define
+# export 
CATALINA_SYSTEM_CLASSPATH=/path/to/jsse/lib/jsse.jar:/path/to/jsse/lib/jnet.jar:/path/to/jsse/lib/jcert.jar
+if [ ! -z "$CATALINA_SYSTEM_CLASSPATH" ] ; then
+  CP=$CP:$CATALINA_SYSTEM_CLASSPATH
+fi
+
  # convert the existing path to windows
  if [ "$OSTYPE" = "cygwin32" ] || [ "$OSTYPE" = "cygwin" ] ; then
     CP=`cygpath --path --windows "$CP"`
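
Review bot: `CP=$CP:$CATALINA_SYSTEM_CLASSPATH` is unquoted while the line above it quotes `"$JAVA_HOME/lib/tools.jar"`; a value containing spaces will be word-split and silently produce a wrong classpath. Use `CP="$CP:$CATALINA_SYSTEM_CLASSPATH"`. Since every jar named in this variable is loaded on the system classpath with the same standing as bootstrap.jar, the comment documenting the new variable should also say that those jars and their directories must be writable only by the account that administers Tomcat. Style: `[ ! -z "$X" ]` is more simply `[ -n "$X" ]`.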

--- jakarta-tomcat-4.0/catalina/src/bin/catalina.bat.orig	Mon Aug 27 
21:10:25 2001
+++ jakarta-tomcat-4.0/catalina/src/bin/catalina.bat	Mon Sep 10 16:16:43 2001
@@ -65,6 +65,11 @@
  rem ----- Set Up The Runtime Classpath 
----------------------------------------

  set CP=%CATALINA_HOME%\bin\bootstrap.jar;%JAVA_HOME%\lib\tools.jar
+
+# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. For example define
+# set 
CATALINA_SYSTEM_CLASSPATH=\path\to\jsse\lib\jsse.jar;\path\to\jsse\lib\jnet.jar;\path\to\jsse\lib\jcert.jar
+set CP=%CP%;%CATALINA_SYSTEM_CLASSPATH%
+
  set CLASSPATH=%CP%
  echo Using CATALINA_BASE: %CATALINA_BASE%
  echo Using CATALINA_HOME: %CATALINA_HOME%
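
Review bot: `#` is not a comment character in a batch file, so cmd.exe will try to execute `# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. ...` as a command and print an error at every startup. Use `rem` as the surrounding script does (`rem add CATALINA_SYSTEM_CLASSPATH custom jars to classpath`). Unlike the catalina.sh hunk, `set CP=%CP%;%CATALINA_SYSTEM_CLASSPATH%` is also unconditional: with the variable unset it leaves a trailing `;`, an empty classpath entry that the Sun JDKs of this era treat as the current directory. Guard it with `if not "%CATALINA_SYSTEM_CLASSPATH%" == "" set CP=%CP%;%CATALINA_SYSTEM_CLASSPATH%`.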

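Added example, not Tomcat's code and not from the patch above: a small standalone Java class that does what approach 2) describes, but defensively. It checks whether the JSSE provider is already registered under its name before adding it, reports reflection failures instead of swallowing them, and then confirms that an SSLContext can actually be obtained. The class name JsseProviderCheck and its method names are assumptions; "SunJSSE" is the name the Sun JSSE provider registers under, and the provider class string is the one from the patch (that class no longer exists in current JDKs, where the provider is built in, so on those the check simply reports the existing registration).

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

/** Hypothetical helper (assumed name); not part of Tomcat. */
public final class JsseProviderCheck {

    /**
     * Makes sure a provider registered under providerName is available.
     * If none is, loads providerClass reflectively and registers it.
     * Returns the provider's 1-based position in the provider list,
     * or -1 if it could not be made available.
     */
    public static int ensureProvider(String providerName, String providerClass) {
        // Cheap check first: a provider that java.security already lists
        // must not be registered a second time.
        if (Security.getProvider(providerName) != null) {
            return positionOf(providerName);
        }
        try {
            Class<?> c = Class.forName(providerClass);
            Provider p = (Provider) c.getDeclaredConstructor().newInstance();
            // addProvider() appends at the end and returns -1 if a provider
            // with the same name is already installed (no-op in that case).
            int pos = Security.addProvider(p);
            return pos == -1 ? positionOf(p.getName()) : pos;
        } catch (ClassNotFoundException e) {
            // The case the patch silently ignores: the JSSE jars are not on
            // the classpath at all. Say so, so the operator can fix the path.
            System.err.println("Provider class " + providerClass
                    + " not found on the classpath: " + e);
            return -1;
        } catch (ReflectiveOperationException | ClassCastException e) {
            System.err.println("Could not instantiate provider " + providerClass
                    + ": " + e);
            return -1;
        }
    }

    /** 1-based position of the named provider, or -1 if absent. */
    private static int positionOf(String providerName) {
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            if (all[i].getName().equals(providerName)) {
                return i + 1;
            }
        }
        return -1;
    }

    /** Verifies that an SSLContext for the protocol can really be created. */
    public static boolean sslAvailable(String protocol) {
        try {
            SSLContext.getInstance(protocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            System.err.println("No SSLContext for " + protocol + ": " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumed values: the provider name used by Sun's JSSE and the class
        // name from the patch; override via arguments for other providers.
        String name = args.length > 0 ? args[0] : "SunJSSE";
        String cls = args.length > 1 ? args[1] : "com.sun.net.ssl.internal.ssl.Provider";
        int pos = ensureProvider(name, cls);
        System.out.println("Provider " + name + " position: " + pos);
        System.out.println("TLS available: " + sslAvailable("TLS"));
    }
}
```

Run it with the same classpath the Tomcat start script builds (for the patch above, with CATALINA_SYSTEM_CLASSPATH exported) to see, before starting the server, whether the provider is picked up from the JSSE jars, from java.security, or not at all.
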
Re: [PATCH] SSLServerSocketFactory.java

Posted by Christopher Cain <cc...@mhsoftware.com>.
I don't have a problem with dynamically registering the SSL provider in
SSLServerSocketFactory, as is done in the patch below. There was
actually some existing code in there which did that, but it was
commented out at some point. Does anyone know why?

Unless anyone objects, I'll include the dynamic loading bit in a set of
patches I'm going to commit shortly (exceptions cleanup).

As far as the CATALINA_SYSTEM_CLASSPATH thing, I'd need Craig to
review/commit that. He's out today, but I'm sure he'll address it when
he gets back.

Wolfgang Hoschek wrote:
> 
> It itched me a lot that to enable SSL in TC4 a standard JDK has to be modified
> (copy JSSE libs into jdk/jre/lib/ext and add
> security.provider.3=com.sun.net.ssl.internal.ssl.Provider).
> This was not necessary in TC 3.2.x because of different class loading
> semantics.
> In our environment jdks cannot well be modified due to separate JDKs/archs,
> TCs, JSSEs, etc on shared read-only filesystems.
> 
> So here are three TC4 patches (against the latest CVS) that allow JSSE to
> be picked up from anywhere on the filesystem.
> Patches are along the lines Craig suggested yesterday.
> 1) Modify catalina.sh and catalina.bat as indicated below to be able to add
> external jars to the system classpath (new env var CATALINA_SYSTEM_CLASSPATH).
> 2) Modify
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/net/SSLServerSocketFactory.java
> to dynamically add the com.sun.net.ssl.internal.ssl.Provider provider
> 
> In case you don't like 1) because it allows external things to be added,
> then 2) is still of value because people don't need to write their own
> SSLServerSocketFactory
> Hope someone wants to try this out and commit before 4.0 FCS.
> Wolfgang.
> 
> --- SSLServerSocketFactory.java.orig    Fri Sep  7 20:39:08 2001
> +++ SSLServerSocketFactory.java Mon Sep 10 15:31:16 2001
> @@ -386,6 +386,14 @@
>               Security.addProvider(new sun.security.provider.Sun());
>               Security.addProvider(new
> com.sun.net.ssl.internal.ssl.Provider());
>               */
> +            // even if jsse provider is already installed it can't hurt to
> make sure
> +            // and we do need to install it here if it isn't hard-wired in
> jdk/jre/lib/security/java.security
> +            try {
> +
> java.security.Security.addProvider(((java.security.Provider)
> Class.forName("com.sun.net.ssl.internal.ssl.Provider").newInstance()));
> +            }
> +            catch (IllegalAccessException exc) {}
> +            catch (ClassNotFoundException exc) {}
> +            catch (InstantiationException exc) {}
> 
>               // Create an SSL context used to create an SSL socket factory
>               SSLContext context = SSLContext.getInstance(protocol);
> 
> --- jakarta-tomcat-4.0/catalina/src/bin/catalina.sh.orig        Sat Sep  8
> 12:13:28 2001
> +++ jakarta-tomcat-4.0/catalina/src/bin/catalina.sh     Mon Sep 10 16:28:25 2001
> @@ -70,6 +70,12 @@
>     CP=$CP:"$JAVA_HOME/lib/tools.jar"
>   fi
> 
> +# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. For example define
> +# export
> CATALINA_SYSTEM_CLASSPATH=/path/to/jsse/lib/jsse.jar:/path/to/jsse/lib/jnet.jar:/path/to/jsse/lib/jcert.jar
> +if [ ! -z "$CATALINA_SYSTEM_CLASSPATH" ] ; then
> +  CP=$CP:$CATALINA_SYSTEM_CLASSPATH
> +fi
> +
>   # convert the existing path to windows
>   if [ "$OSTYPE" = "cygwin32" ] || [ "$OSTYPE" = "cygwin" ] ; then
>      CP=`cygpath --path --windows "$CP"`
> 
> --- jakarta-tomcat-4.0/catalina/src/bin/catalina.bat.orig       Mon Aug 27
> 21:10:25 2001
> +++ jakarta-tomcat-4.0/catalina/src/bin/catalina.bat    Mon Sep 10 16:16:43 2001
> @@ -65,6 +65,11 @@
>   rem ----- Set Up The Runtime Classpath
> ----------------------------------------
> 
>   set CP=%CATALINA_HOME%\bin\bootstrap.jar;%JAVA_HOME%\lib\tools.jar
> +
> +# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. For example define
> +# set
> CATALINA_SYSTEM_CLASSPATH=\path\to\jsse\lib\jsse.jar;\path\to\jsse\lib\jnet.jar;\path\to\jsse\lib\jcert.jar
> +set CP=%CP%;%CATALINA_SYSTEM_CLASSPATH%
> +
>   set CLASSPATH=%CP%
>   echo Using CATALINA_BASE: %CATALINA_BASE%
>   echo Using CATALINA_HOME: %CATALINA_HOME%
> 
>   ------------------------------------------------------------------------
>                                   Name: SSLServerSocketFactory.diff
>    SSLServerSocketFactory.diff    Type: DIFF File (application/x-unknown-content-type-diff_auto_file)
>                               Encoding: base64
> 
>                        Name: catalina.sh.diff
>    catalina.sh.diff    Type: DIFF File (application/x-unknown-content-type-diff_auto_file)
>                    Encoding: base64
> 
>                         Name: catalina.bat.diff
>    catalina.bat.diff    Type: DIFF File (application/x-unknown-content-type-diff_auto_file)
>                     Encoding: base64

- Christopher

/**
 * Weep, weep, my eyes, and dissolve into water!
 * Half of my life has put the other in the grave.
 *    ---Corneille
 */

Re: [PATCH] SSLServerSocketFactory.java

Posted by "Craig R. McClanahan" <cr...@apache.org>.
As you can see from the commit messages, I committed a variation on your
#1 approach that lets you define a JSSE_HOME environment variable to
locate the JSSE jar files.  Coupled with registering the provider
automatically (your #2 approach), this simplifies the process of getting
set up to use SSL on Tomcat 4.  Thanks for the patches!

Craig


On Mon, 10 Sep 2001, Wolfgang Hoschek wrote:

> Date: Mon, 10 Sep 2001 16:50:26 +0200
> From: Wolfgang Hoschek <wo...@cern.ch>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: tomcat-dev@jakarta.apache.org
> Subject: [PATCH] SSLServerSocketFactory.java
>
> It itched me a lot that to enable SSL in TC4 a standard JDK has to be modified
> (copy JSSE libs into jdk/jre/lib/ext and add
> security.provider.3=com.sun.net.ssl.internal.ssl.Provider).
> This was not necessary in TC 3.2.x because of different class loading
> semantics.
> In our environment jdks cannot well be modified due to separate JDKs/archs,
> TCs, JSSEs, etc on shared read-only filesystems.
>
> So here are three TC4 patches (against the latest CVS) that allow JSSE to
> be picked up from anywhere on the filesystem.
> Patches are along the lines Craig suggested yesterday.
> 1) Modify catalina.sh and catalina.bat as indicated below to be able to add
> external jars to the system classpath (new env var CATALINA_SYSTEM_CLASSPATH).
> 2) Modify
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/net/SSLServerSocketFactory.java
> to dynamically add the com.sun.net.ssl.internal.ssl.Provider provider
>
> In case you don't like 1) because it allows external things to be added,
> then 2) is still of value because people don't need to write their own
> SSLServerSocketFactory
> Hope someone wants to try this out and commit before 4.0 FCS.
> Wolfgang.
>
> --- SSLServerSocketFactory.java.orig	Fri Sep  7 20:39:08 2001
> +++ SSLServerSocketFactory.java	Mon Sep 10 15:31:16 2001
> @@ -386,6 +386,14 @@
>               Security.addProvider(new sun.security.provider.Sun());
>               Security.addProvider(new
> com.sun.net.ssl.internal.ssl.Provider());
>               */
> +            // even if jsse provider is already installed it can't hurt to
> make sure
> +            // and we do need to install it here if it isn't hard-wired in
> jdk/jre/lib/security/java.security
> +            try {
> +
> java.security.Security.addProvider(((java.security.Provider)
> Class.forName("com.sun.net.ssl.internal.ssl.Provider").newInstance()));
> +            }
> +            catch (IllegalAccessException exc) {}
> +            catch (ClassNotFoundException exc) {}
> +            catch (InstantiationException exc) {}
>
>               // Create an SSL context used to create an SSL socket factory
>               SSLContext context = SSLContext.getInstance(protocol);
>
>
>
> --- jakarta-tomcat-4.0/catalina/src/bin/catalina.sh.orig	Sat Sep  8
> 12:13:28 2001
> +++ jakarta-tomcat-4.0/catalina/src/bin/catalina.sh	Mon Sep 10 16:28:25 2001
> @@ -70,6 +70,12 @@
>     CP=$CP:"$JAVA_HOME/lib/tools.jar"
>   fi
>
> +# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. For example define
> +# export
> CATALINA_SYSTEM_CLASSPATH=/path/to/jsse/lib/jsse.jar:/path/to/jsse/lib/jnet.jar:/path/to/jsse/lib/jcert.jar
> +if [ ! -z "$CATALINA_SYSTEM_CLASSPATH" ] ; then
> +  CP=$CP:$CATALINA_SYSTEM_CLASSPATH
> +fi
> +
>   # convert the existing path to windows
>   if [ "$OSTYPE" = "cygwin32" ] || [ "$OSTYPE" = "cygwin" ] ; then
>      CP=`cygpath --path --windows "$CP"`
>
>
>
>
>
>
> --- jakarta-tomcat-4.0/catalina/src/bin/catalina.bat.orig	Mon Aug 27
> 21:10:25 2001
> +++ jakarta-tomcat-4.0/catalina/src/bin/catalina.bat	Mon Sep 10 16:16:43 2001
> @@ -65,6 +65,11 @@
>   rem ----- Set Up The Runtime Classpath
> ----------------------------------------
>
>   set CP=%CATALINA_HOME%\bin\bootstrap.jar;%JAVA_HOME%\lib\tools.jar
> +
> +# add CATALINA_SYSTEM_CLASSPATH custom jars to classpath. For example define
> +# set
> CATALINA_SYSTEM_CLASSPATH=\path\to\jsse\lib\jsse.jar;\path\to\jsse\lib\jnet.jar;\path\to\jsse\lib\jcert.jar
> +set CP=%CP%;%CATALINA_SYSTEM_CLASSPATH%
> +
>   set CLASSPATH=%CP%
>   echo Using CATALINA_BASE: %CATALINA_BASE%
>   echo Using CATALINA_HOME: %CATALINA_HOME%