Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/04/21 21:07:58 UTC
svn commit: r1675185 - in /tomcat/trunk:
java/org/apache/coyote/http11/AbstractHttp11Protocol.java
java/org/apache/tomcat/util/net/SSLHostConfig.java
webapps/docs/config/http.xml
Author: markt
Date: Tue Apr 21 19:07:58 2015
New Revision: 1675185
URL: http://svn.apache.org/r1675185
Log:
Start to document SSLHostConfig
Tweak implementation to align with how my thinking evolved while writing the docs so far
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1675185&r1=1675184&r2=1675185&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Tue Apr 21 19:07:58 2015
@@ -302,8 +302,9 @@ public abstract class AbstractHttp11Prot
/**
- * Maximum number of requests which can be performed over a keepalive
- * connection. The default is the same as for Apache HTTP Server.
+ * @return The maximum number of requests which can be performed over a
+ * keep-alive connection. The default is the same as for Apache HTTP
+ * Server (100).
*/
public int getMaxKeepAliveRequests() {
return getEndpoint().getMaxKeepAliveRequests();
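Review bot: the Javadoc at the top of this hunk now hard-codes the default (100) even though the value is owned by the endpoint that getMaxKeepAliveRequests() delegates to, so the comment silently goes stale if the endpoint default ever changes. Either reference the endpoint's default or keep only the "same as Apache HTTP Server" wording without the literal.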
@@ -327,6 +328,15 @@ public abstract class AbstractHttp11Prot
// ----------------------------------------------- HTTPS specific properties
// -------------------------------------------- Handled via an SSLHostConfig
+ private String defaultSSLHostConfigName = SSLHostConfig.DEFAULT_SSL_HOST_NAME;
+ public String getDefaultSSLHostConfigName() {
+ return defaultSSLHostConfigName;
+ }
+ public void setDefaultSSLHostConfigName(String defaultSSLHostConfigName) {
+ this.defaultSSLHostConfigName = defaultSSLHostConfigName;
+ }
+
+
@Override
public void addSslHostConfig(SSLHostConfig sslHostConfig) {
getEndpoint().addSslHostConfig(sslHostConfig);
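Review bot: setDefaultSSLHostConfigName accepts any value, including null or an empty string, and that value is later handed to setHostName by registerDefaultSSLHostConfig, which would leave the default configuration under an unmatchable name; consider rejecting null/empty with an IllegalArgumentException in the setter. Minor: the two consecutive blank lines after the setter should be collapsed to one, matching the spacing used elsewhere in this file.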
@@ -337,7 +347,7 @@ public abstract class AbstractHttp11Prot
private void registerDefaultSSLHostConfig() {
if (defaultSSLHostConfig == null) {
defaultSSLHostConfig = new SSLHostConfig();
- defaultSSLHostConfig.setHostName(SSLHostConfig.DEFAULT_SSL_HOST_NAME);
+ defaultSSLHostConfig.setHostName(getDefaultSSLHostConfigName());
getEndpoint().addSslHostConfig(defaultSSLHostConfig);
}
}
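Review bot: registerDefaultSSLHostConfig reads getDefaultSSLHostConfigName() only when the default SSLHostConfig is first created, so a setDefaultSSLHostConfigName call that arrives after that point leaves the already-registered default under the old name and the connector attribute diverges from what the endpoint actually holds. Either refuse the setter once defaultSSLHostConfig is non-null, or document that the attribute must be set before the connector is initialised.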
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1675185&r1=1675184&r2=1675185&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Apr 21 19:07:58 2015
@@ -21,9 +21,9 @@ import java.util.Set;
public class SSLHostConfig {
- public static final String DEFAULT_SSL_HOST_NAME = "*DEFAULT*";
+ public static final String DEFAULT_SSL_HOST_NAME = "_default_";
- private String hostName;
+ private String hostName = DEFAULT_SSL_HOST_NAME;
private Set<String> protocols = new HashSet<>();
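Review bot: changing the value of the public constant DEFAULT_SSL_HOST_NAME is an API-visible change; anything that compared against the literal "*DEFAULT*" instead of the constant will no longer match the default, so this deserves a changelog entry. The new value is a good sentinel because an underscore is not a legal character in a DNS host name, so no SNI value a client can send will collide with it; note that the same literal is repeated in http.xml and must be kept in sync. Initialising hostName to the constant also means an explicit SSLHostConfig element that omits hostName becomes a second "_default_", which the documentation in this same commit classifies as a configuration error, so that case should be detected rather than silently registering two defaults.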
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1675185&r1=1675184&r2=1675185&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Tue Apr 21 19:07:58 2015
@@ -85,6 +85,15 @@
30000 (30 seconds).</p>
</attribute>
+ <attribute name="defaultSSLHostConfigName" required="false">
+ <p>The name of the default <strong>SSLHostConfig</strong> that will be
+ used for secure connections (if this connector is configured for secure
+ connections) if the client connection does not provide SNI or if the SNI
+ is provided but does not match any configured
+ <strong>SSLHostConfig</strong>. If not specified the default value of
+ <code>_default_</code> will be used.</p>
+ </attribute>
+
<attribute name="enableLookups" required="false">
<p>Set to <code>true</code> if you want calls to
<code>request.getRemoteHost()</code> to perform DNS lookups in
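Review bot: since the configuration named here is the one applied to every client that sends no SNI or an SNI that matches nothing, the description should advise that its protocol and cipher settings be at least as strict as those of the named hosts, because those settings are what unknown clients are exposed to. Minor: a comma is needed after "If not specified".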
@@ -946,7 +955,14 @@
<section name="Nested Components">
- <p>None at this time.</p>
+ <p>Starting with Tomcat 9, Tomcat supports Server Name Indication (SNI). This
+ allows multiple SSL configurations to be associated with a single secure
+ connector with the configuration used for any given connection determined by
+ the host name requested by the client. To facilitate this, Tomcat 9 added the
+ <strong>SSLHostConfig</strong> element which can be used to define one of
+ these configurations. Any number of <strong>SSLHostConfig</strong> may be
+ nested in a <strong>Connector</strong>. For further information, see the
+ SSL Support section below.</p>
</section>
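Review bot: "Any number of SSLHostConfig may be nested" reads as if zero is acceptable, while the SSL Support text in this same commit states that each secure connector must define at least one; registerDefaultSSLHostConfig in AbstractHttp11Protocol.java creates the default automatically when none is declared, so say that here to reconcile the two statements. Also "Starting with Tomcat 9, Tomcat supports" repeats the subject; "Tomcat 9 adds support for" reads better.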
@@ -991,7 +1007,6 @@
</subsection>
-
<subsection name="SSL Support">
<p>You can enable SSL support for a particular instance of this
@@ -1002,15 +1017,55 @@
attributes to the values <code>https</code> and <code>true</code>
respectively, to pass correct information to the servlets.</p>
- <p>The NIO and NIO2 connectors use the JSSE SSL whereas the APR/native
- connector uses OpenSSL. Therefore, in addition to using different attributes
- to configure SSL, the APR/native connector also requires keys and certificates
- to be provided in a different format.</p>
+ <p>The NIO and NIO2 connectors use the JSSE SSL implementation whereas the
+ APR/native connector uses OpenSSL. Prior to Tomcat 9, different configuration
+ attributes were used for JSSE and OpenSSL. From Tomcat 9 onwards, and as far
+ as possible, common configuration attributes are used for both JSSE and
+ OpenSSL. This is to aid simpler switching between connector implementations
+ for SSL connectors.</p>
+
+ <p>Each secure connector must define at least one
+ <strong>SSLHostConfig</strong>. The names of the
+ <strong>SSLHostConfig</strong> elements must be unique and one of the must
+ match the <code>sslDefaultHost</code> attribute of the
+ <strong>Connector</strong>.</p>
+
+ <p>As of Tomcat 9, the SSL configuration attributes in the
+ <strong>Connector</strong> are deprecated. If specified, thwy will be used to
+ configure a <strong>SSLHostConfig</strong> for the
+ <code>sslDefaultHost</code>. Note that if an explicit
+ <strong>SSLHostConfig</strong> element also exists for the
+ <code>sslDefaultHost</code> then that will be treated as a configuration
+ error. It is expected that Tomcat 10 will drop support for the SSL
+ configuration attributes in the <strong>Connector</strong></p>.
<p>For more information, see the
<a href="../ssl-howto.html">SSL Configuration HOW-TO</a>.</p>
- <subsection name="SSL Support - NIO and NIO2">
+ </subsection>
+
+ <subsection name="SSL Support - SSLHostConfig">
+
+ <p></p>
+
+ <attributes>
+
+ <attribute name="hostName" required="true">
+ <p>The name of the SSL Host. This should either be the fully qualified
+ domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
+ name (e.g. <code>*.apache.org</code>). If not specified, the default value
+ of <code>_default_</code> will be used.</p>
+ </attribute>
+
+ <attribute name="protocols" required="false">
+ <p></p>
+ </attribute>
+
+ </attributes>
+
+ </subsection>
+
+ <subsection name="SSL Support - NIO and NIO2 (deprecated)">
<p>The NIO and NIO2 connectors use the following attributes to configure SSL:
</p>
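Review bot: the new SSL Support paragraphs refer to a Connector attribute named sslDefaultHost ("match the <code>sslDefaultHost</code> attribute" and twice in the deprecation paragraph), but the attribute documented earlier in this patch and implemented in AbstractHttp11Protocol.java is defaultSSLHostConfigName; one of the two names is wrong and administrators following the text will set an attribute that does nothing. Further points in this hunk: hostName is marked required="true" although its description says _default_ is used when it is omitted, which matches the new field initialiser in SSLHostConfig.java, so required should be "false"; the empty <p></p> placeholders for the subsection intro and the protocols attribute will render as blank paragraphs until filled in; and typos: "one of the must match" should be "one of them must match", "thwy" should be "they", "wild card" should be "wildcard", and the period in "</strong></p>." sits outside the paragraph and belongs inside as "</strong>.</p>".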
@@ -1226,7 +1281,7 @@
</subsection>
- <subsection name="SSL Support - APR/Native">
+ <subsection name="SSL Support - APR/Native (deprecated)">
<p>When APR/native is enabled, the HTTPS connector will use a socket poller
for keep-alive, increasing scalability of the server. It also uses OpenSSL,
@@ -1360,7 +1415,6 @@
</subsection>
- </subsection>
<subsection name="Connector Comparison">
<p>Below is a small chart that shows how the connectors differentiate.</p>
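Review bot: the closing </subsection> removed here pairs with the one added after the SSL Support intro in the earlier hunk, turning the NIO/NIO2 and APR/native subsections from children of "SSL Support" into its siblings; that is consistent, but worth a local build of the docs to confirm the XML still validates and the rendered table of contents groups the three deprecated/new SSL subsections as intended.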