Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/11/04 14:27:04 UTC
[tomcat] branch master updated (f16ae27 -> 2c999ef)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from f16ae27 Remove unused code
new 65abaf3 Refactor to (slightly) reduce native calls when using OpenSSL
new 2c999ef OpenSSLEngine to differentiate between optional and optionalNoCA
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../tomcat/util/net/AbstractJsseEndpoint.java | 28 +++++++++++-----------
.../tomcat/util/net/openssl/OpenSSLContext.java | 5 +++-
.../tomcat/util/net/openssl/OpenSSLEngine.java | 18 ++++++++++----
webapps/docs/changelog.xml | 6 +++++
4 files changed, 38 insertions(+), 19 deletions(-)
[tomcat] 01/02: Refactor to (slightly) reduce native calls when
using OpenSSL
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 65abaf39171a45bc2cebb71dbde4690177051fca
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 4 14:22:27 2019 +0000
Refactor to (slightly) reduce native calls when using OpenSSL
---
.../tomcat/util/net/AbstractJsseEndpoint.java | 28 +++++++++++-----------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 8da93d6..fe94206 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -117,19 +117,6 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
}
SSLEngine engine = sslContext.createSSLEngine();
- switch (sslHostConfig.getCertificateVerification()) {
- case NONE:
- engine.setNeedClientAuth(false);
- engine.setWantClientAuth(false);
- break;
- case OPTIONAL:
- case OPTIONAL_NO_CA:
- engine.setWantClientAuth(true);
- break;
- case REQUIRED:
- engine.setNeedClientAuth(true);
- break;
- }
engine.setUseClientMode(false);
engine.setEnabledCipherSuites(sslHostConfig.getEnabledCiphers());
engine.setEnabledProtocols(sslHostConfig.getEnabledProtocols());
@@ -151,7 +138,20 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
}
}
- // In case the getter returns a defensive copy
+ switch (sslHostConfig.getCertificateVerification()) {
+ case NONE:
+ sslParameters.setNeedClientAuth(false);
+ sslParameters.setWantClientAuth(false);
+ break;
+ case OPTIONAL:
+ case OPTIONAL_NO_CA:
+ sslParameters.setWantClientAuth(true);
+ break;
+ case REQUIRED:
+ sslParameters.setNeedClientAuth(true);
+ break;
+ }
+ // The getter (at least in OpenJDK and derivatives) returns a defensive copy
engine.setSSLParameters(sslParameters);
return engine;
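Review bot: The switch on `sslHostConfig.getCertificateVerification()` moved into this hunk has no `default` arm, and a statement switch over an enum is not checked for exhaustiveness by the compiler, so any value the enum gains later would leave `sslParameters` at the provider's defaults (no client certificate requested) and the endpoint would silently fail open. A fail-closed `default: throw new IllegalStateException(sslHostConfig.getCertificateVerification().toString());` makes that mismatch visible at engine creation rather than at the TLS handshake. Note that on `SSLParameters` each of `setWantClientAuth(true)` and `setNeedClientAuth(true)` clears the other flag, so only the NONE arm genuinely needs two calls; a one-line comment saying so would stop a future reader "fixing" the asymmetry. The enclosing `createSSLEngine` body starts before this hunk and its closing brace is outside it.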
[tomcat] 02/02: OpenSSLEngine to differentiate between optional and
optionalNoCA
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2c999ef1f758de3978842b020c45eec32b67d08a
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 4 14:26:43 2019 +0000
OpenSSLEngine to differentiate between optional and optionalNoCA
Patch by remm
---
.../apache/tomcat/util/net/openssl/OpenSSLContext.java | 5 ++++-
.../apache/tomcat/util/net/openssl/OpenSSLEngine.java | 18 ++++++++++++++----
webapps/docs/changelog.xml | 6 ++++++
3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index fd8fc5c..81b2369 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -49,6 +49,7 @@ import org.apache.tomcat.jni.SSLContext;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.res.StringManager;
@@ -489,7 +490,9 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
@Override
public SSLEngine createSSLEngine() {
return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
- (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized);
+ (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized,
+ sslHostConfig.getCertificateVerificationDepth(),
+ sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA);
}
@Override
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 7ae6fe8..ede30a8 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -165,6 +165,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
private final OpenSSLSessionContext sessionContext;
private final boolean alpn;
private final boolean initialized;
+ private final int certificateVerificationDepth;
+ private final boolean certificateVerificationOptionalNoCA;
private String selectedProtocol = null;
@@ -183,10 +185,14 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
* otherwise
* @param initialized {@code true} if this instance gets its protocol,
* cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
+ * @param certificateVerificationDepth Certificate verification depth
+ * @param certificateVerificationOptionalNoCA Skip CA verification in
+ * optional mode
*/
OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn,
- boolean initialized) {
+ boolean initialized, int certificateVerificationDepth,
+ boolean certificateVerificationOptionalNoCA) {
if (sslCtx == 0) {
throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
}
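Review bot: The two new `@param` entries only restate the parameter names, so a reader of the constructor cannot tell how either value is consumed or whether it is validated. Suggest `@param certificateVerificationDepth chain verification depth handed unchanged to {@code SSL.setVerify}; no range check is performed here` and `@param certificateVerificationOptionalNoCA if {@code true}, an optionally presented client certificate is accepted without CA verification ({@code SSL_CVERIFY_OPTIONAL_NO_CA}); ignored unless the engine is later put into optional client-auth mode`. The constructor body continues in the following hunk and past it, so the existing `sslCtx == 0` check is the only validation visible from here.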
@@ -200,6 +206,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
this.sessionContext = sessionContext;
this.alpn = alpn;
this.initialized = initialized;
+ this.certificateVerificationDepth = certificateVerificationDepth;
+ this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
}
@Override
@@ -1092,13 +1100,15 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
}
switch (mode) {
case NONE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, certificateVerificationDepth);
break;
case REQUIRE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, certificateVerificationDepth);
break;
case OPTIONAL:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, VERIFY_DEPTH);
+ SSL.setVerify(ssl,
+ certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL,
+ certificateVerificationDepth);
break;
}
clientAuth = mode;
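Review bot: `certificateVerificationOptionalNoCA` is consulted only in the `case OPTIONAL:` arm, so whether a configured `optionalNoCA` actually relaxes CA verification depends entirely on the caller having selected optional mode (want-client-auth) first; a comment on that arm such as `// optionalNoCA is only meaningful here; NONE and REQUIRE ignore the flag` would make that coupling explicit for the JSSE-side mapping that chooses the mode. `VERIFY_DEPTH` is no longer referenced anywhere in this switch; if these three calls were its only uses the constant is now dead and should be removed, but that cannot be confirmed from the hunk. The enclosing method starts before the hunk and, given `clientAuth = mode;` on the last line, appears to continue after it.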
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6562e55..75e11fc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -109,6 +109,12 @@
Move connection tracking to the endpoint, since it requires far fewer
operations. (remm)
</fix>
+ <fix>
+ <bug>63894</bug>: Ensure that the configured values for
+ <code>certificateVerification</code> and
+ <code>certificateVerificationDepth</code> are correctly based to the
+ OpenSSL based SSLEngine implementation. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Web applications">