Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/04/24 20:01:36 UTC

svn commit: r1675908 - in /tomcat/trunk/java/org/apache: coyote/http11/ tomcat/util/net/ tomcat/util/net/jsse/

Author: markt
Date: Fri Apr 24 18:01:35 2015
New Revision: 1675908

URL: http://svn.apache.org/r1675908
Log:
Add server key+cert to SSLHostConfig. SNI now working with NIO although much of the config that should be per host is still at the connector level.
Also add the necessary code to SSLHostConfig to warn when OpenSSL config is used with JSSE (or the other way around)

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
    tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Fri Apr 24 18:01:35 2015
@@ -31,9 +31,6 @@ public abstract class AbstractHttp11Jsse
     public String getClientAuth() { return getEndpoint().getClientAuth();}
     public void setClientAuth(String s ) { getEndpoint().setClientAuth(s);}
 
-    public String getKeystoreFile() { return getEndpoint().getKeystoreFile();}
-    public void setKeystoreFile(String s ) { getEndpoint().setKeystoreFile(s);}
-
     public String getKeystorePass() { return getEndpoint().getKeystorePass();}
     public void setKeystorePass(String s ) { getEndpoint().setKeystorePass(s);}
 

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Fri Apr 24 18:01:35 2015
@@ -363,6 +363,20 @@ public abstract class AbstractHttp11Prot
     }
 
 
+    public void setKeystoreFile(String keystoreFile) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setKeystoreFile(keystoreFile);
+    }
+    public void setCertificateFile(String certificateFile) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateFile(certificateFile);
+    }
+    public void setCertificateKeyFile(String certificateKeyFile) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateKeyFile(certificateKeyFile);
+    }
+
+
     // ------------------------------------------------------------- Common code
 
     // Common configuration required for all new HTTP11 processors
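Review bot: The three new setters route `keystoreFile`, `certificateFile` and `certificateKeyFile` into `defaultSSLHostConfig` but no matching getters are added, while this same commit removes `getKeystoreFile()` from AbstractHttp11JsseProtocol and `getSSLCertificateFile()`/`getSSLCertificateKeyFile()` from Http11AprProtocol, so anything that read these values through the protocol (JMX, IntrospectionUtils-based tooling) now finds write-only attributes. If that is not intended, a read side along the lines of `public String getKeystoreFile() { return defaultSSLHostConfig == null ? null : defaultSSLHostConfig.getKeystoreFile(); }` (guarding for the case where `registerDefaultSSLHostConfig()` has not run yet, whose behaviour is outside this hunk) would keep the attribute observable. Note also that the APR attribute names change from `SSLCertificateFile`/`SSLCertificateKeyFile` to `certificateFile`/`certificateKeyFile`; unless an alias is handled elsewhere, an existing server.xml using the old names will fail at startup with `endpoint.apr.noSslCertFile`, which deserves a changelog/docs mention. The setters also lack Javadoc; a one-liner such as `/** Sets the JSSE keystore on the default SSLHostConfig (created on first use). */` would help.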

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Fri Apr 24 18:01:35 2015
@@ -99,20 +99,6 @@ public class Http11AprProtocol extends A
 
 
     /**
-     * SSL certificate file.
-     */
-    public String getSSLCertificateFile() { return ((AprEndpoint)getEndpoint()).getSSLCertificateFile(); }
-    public void setSSLCertificateFile(String SSLCertificateFile) { ((AprEndpoint)getEndpoint()).setSSLCertificateFile(SSLCertificateFile); }
-
-
-    /**
-     * SSL certificate key file.
-     */
-    public String getSSLCertificateKeyFile() { return ((AprEndpoint)getEndpoint()).getSSLCertificateKeyFile(); }
-    public void setSSLCertificateKeyFile(String SSLCertificateKeyFile) { ((AprEndpoint)getEndpoint()).setSSLCertificateKeyFile(SSLCertificateKeyFile); }
-
-
-    /**
      * SSL certificate chain file.
      */
     public String getSSLCertificateChainFile() { return ((AprEndpoint)getEndpoint()).getSSLCertificateChainFile(); }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Fri Apr 24 18:01:35 2015
@@ -227,8 +227,9 @@ public abstract class AbstractEndpoint<S
             // TODO i18n
             throw new IllegalArgumentException();
         }
+        sslHostConfig.setConfigType(getSslConfigType());
     }
-
+    protected abstract SSLHostConfig.Type getSslConfigType();
 
     /**
      * Has the user requested that send file be used where possible?
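Review bot: The new abstract `getSslConfigType()` is undocumented, and since `SSLHostConfig.setConfigType` only logs a warning on mismatch, it is worth stating in its contract that the returned type drives validation of which properties are honoured. Suggested Javadoc: `/** @return the SSL implementation type (JSSE or OpenSSL) whose SSLHostConfig properties this endpoint honours; properties set for the other type are reported as a mismatch. */`. The enclosing method that calls `sslHostConfig.setConfigType(...)` starts outside this hunk, so whether it is reachable for every SSLHostConfig (including ones added after `init()`) cannot be confirmed here.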
@@ -949,13 +950,6 @@ public abstract class AbstractEndpoint<S
     public String getClientAuth() { return clientAuth;}
     public void setClientAuth(String s ) { this.clientAuth = s;}
 
-    private String keystoreFile = System.getProperty("user.home")+"/.keystore";
-    public String getKeystoreFile() { return keystoreFile;}
-    public void setKeystoreFile(String s ) {
-        keystoreFile = adjustRelativePath(s,
-                System.getProperty(Constants.CATALINA_BASE_PROP));
-    }
-
     private String keystorePass = null;
     public String getKeystorePass() { return keystorePass;}
     public void setKeystorePass(String s ) { this.keystorePass = s;}

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Fri Apr 24 18:01:35 2015
@@ -27,6 +27,7 @@ import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSessionContext;
 import javax.net.ssl.X509KeyManager;
 
+import org.apache.tomcat.util.net.SSLHostConfig.Type;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
 
 public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
@@ -39,6 +40,12 @@ public abstract class AbstractJsseEndpoi
     }
 
 
+    @Override
+    protected Type getSslConfigType() {
+        return SSLHostConfig.Type.JSSE;
+    }
+
+
     protected void initialiseSsl() throws Exception {
         if (isSSLEnabled()) {
             sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
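Review bot: The newly imported `org.apache.tomcat.util.net.SSLHostConfig.Type` is used for the return type but the body still returns the fully qualified `SSLHostConfig.Type.JSSE`; either use `return Type.JSSE;` or drop the import and declare the return type as `SSLHostConfig.Type` for consistency (the same pattern appears in AprEndpoint). A short Javadoc on the override is also missing; `/** JSSE endpoints validate SSLHostConfig against the JSSE property set. */` would do.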

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Apr 24 18:01:35 2015
@@ -52,6 +52,7 @@ import org.apache.tomcat.jni.Status;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.net.AbstractEndpoint.Acceptor.AcceptorState;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
+import org.apache.tomcat.util.net.SSLHostConfig.Type;
 
 
 /**
@@ -200,6 +201,12 @@ public class AprEndpoint extends Abstrac
     }
 
 
+    @Override
+    protected Type getSslConfigType() {
+        return SSLHostConfig.Type.OPENSSL;
+    }
+
+
     /**
      * SSL password (if a cert is encrypted, and no password has been provided, a callback
      * will ask for a password).
@@ -218,22 +225,6 @@ public class AprEndpoint extends Abstrac
 
 
     /**
-     * SSL certificate file.
-     */
-    protected String SSLCertificateFile = null;
-    public String getSSLCertificateFile() { return SSLCertificateFile; }
-    public void setSSLCertificateFile(String SSLCertificateFile) { this.SSLCertificateFile = SSLCertificateFile; }
-
-
-    /**
-     * SSL certificate key file.
-     */
-    protected String SSLCertificateKeyFile = null;
-    public String getSSLCertificateKeyFile() { return SSLCertificateKeyFile; }
-    public void setSSLCertificateKeyFile(String SSLCertificateKeyFile) { this.SSLCertificateKeyFile = SSLCertificateKeyFile; }
-
-
-    /**
      * SSL certificate chain file.
      */
     protected String SSLCertificateChainFile = null;
@@ -496,7 +487,7 @@ public class AprEndpoint extends Abstrac
                     continue;
                 }
 
-                if (SSLCertificateFile == null) {
+                if (sslHostConfig.getCertificateFile() == null) {
                     // This is required
                     throw new Exception(sm.getString("endpoint.apr.noSslCertFile"));
                 }
@@ -613,7 +604,8 @@ public class AprEndpoint extends Abstrac
                 // List the ciphers that the client is permitted to negotiate
                 SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
                 // Load Server key and certificate
-                SSLContext.setCertificate(sslContext, SSLCertificateFile, SSLCertificateKeyFile, SSLPassword, SSL.SSL_AIDX_RSA);
+                SSLContext.setCertificate(sslContext, sslHostConfig.getCertificateFile(),
+                        sslHostConfig.getCertificateKeyFile(), SSLPassword, SSL.SSL_AIDX_RSA);
                 // Set certificate chain file
                 SSLContext.setCertificateChainFile(sslContext, SSLCertificateChainFile, false);
                 // Support Client Certificates

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Fri Apr 24 18:01:35 2015
@@ -108,3 +108,4 @@ socket.apr.read.sslGeneralError=An APR g
 socket.apr.write.error=Unexpected error [{0}] writing data to the APR/native socket [{1}] with wrapper [{2}].
 socket.apr.closed=The socket [{0}] associated with this connection has been closed.
 
+sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] but this property is for connectors of type [{2}] by the SSLHostConfig is being used with a connector of type [{3}]
\ No newline at end of file
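Review bot: The new `sslHostConfig.mismatch` message has a typo that inverts its meaning: "by the SSLHostConfig is being used" should read "but the SSLHostConfig is being used". Suggested text: `sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] but this property is for connectors of type [{2}] and the SSLHostConfig is being used with a connector of type [{3}]`. The file also now ends without a trailing newline, which will make the next append produce a noisy diff.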

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri Apr 24 18:01:35 2015
@@ -16,22 +16,72 @@
  */
 package org.apache.tomcat.util.net;
 
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
 public class SSLHostConfig {
 
+    private static final Log log = LogFactory.getLog(SSLHostConfig.class);
+    private static final StringManager sm = StringManager.getManager(SSLHostConfig.class);
+
     public static final String DEFAULT_SSL_HOST_NAME = "_default_";
 
+    private Type configType = null;
+    private Map<Type,Set<String>> configuredProperties = new HashMap<>();
+
     private String hostName = DEFAULT_SSL_HOST_NAME;
 
+    // Common
     private Set<String> protocols = new HashSet<>();
+    // JSSE
+    private String keystoreFile = System.getProperty("user.home")+"/.keystore";
+    // OpenSSL
+    private String certificateFile;
+    private String certificateKeyFile;
 
     public SSLHostConfig() {
         // Set defaults that can't be (easily) set when defining the fields.
         setProtocols("all");
     }
 
+
+    public void setConfigType(Type configType) {
+        this.configType = configType;
+        configuredProperties.remove(configType);
+        for (Map.Entry<Type,Set<String>> entry : configuredProperties.entrySet()) {
+            for (String property : entry.getValue()) {
+                log.warn(sm.getString("sslHostConfig.mismatch",
+                        property, getHostName(), entry.getKey(), configType));
+            }
+        }
+    }
+
+
+    private void setProperty(String name, Type configType) {
+        if (this.configType == null) {
+            Set<String> properties = configuredProperties.get(configType);
+            if (properties == null) {
+                properties = new HashSet<>();
+                configuredProperties.put(configType, properties);
+            }
+            properties.add(name);
+        } else {
+            if (configType != this.configType) {
+                log.warn(sm.getString("sslHostConfig.mismatch",
+                        name, getHostName(), configType, this.configType));
+            }
+        }
+    }
+
+
+    // ----------------------------------------- Common configuration properties
+
     public void setHostName(String hostName) {
         this.hostName = hostName;
     }
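Review bot: Both `setConfigType` and `setProperty` only `log.warn` on a JSSE/OpenSSL mismatch and the mismatched value is still stored and then ignored, so a JSSE connector given `certificateFile`/`certificateKeyFile` will start up serving whatever is in the default `keystoreFile` (`user.home/.keystore`, a file outside CATALINA_BASE) instead of the intended certificate, with only a warning in the log. For key material this is the kind of misconfiguration that should fail fast; consider `throw new IllegalArgumentException(sm.getString("sslHostConfig.mismatch", ...))` in the `configType != this.configType` branch of `setProperty` and in the loop in `setConfigType`, or at least `log.error`. Minor: `configuredProperties` is keyed by an enum and could be an `EnumMap<>(Type.class)`, and `setConfigType` leaves the other types' entries in the map, so a second call (for example if one SSLHostConfig instance is shared by two connectors) repeats the warnings.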
@@ -66,4 +116,49 @@ public class SSLHostConfig {
     public Set<String> getProtocols() {
         return protocols;
     }
+
+
+    // ---------------------------------- JSSE specific configuration properties
+
+    public void setKeystoreFile(String keystoreFile) {
+        setProperty("keystoreFile", Type.JSSE);
+        this.keystoreFile = keystoreFile;
+    }
+
+
+    public String getKeystoreFile() {
+        return keystoreFile;
+    }
+
+
+    // ------------------------------- OpenSSL specific configuration properties
+
+    public void setCertificateFile(String certificateFile) {
+        setProperty("certificateFile", Type.OPENSSL);
+        this.certificateFile = certificateFile;
+    }
+
+
+    public String getCertificateFile() {
+        return certificateFile;
+    }
+
+
+    public void setCertificateKeyFile(String certificateKeyFile) {
+        setProperty("certificateKeyFile", Type.OPENSSL);
+        this.certificateKeyFile = certificateKeyFile;
+    }
+
+
+    public String getCertificateKeyFile() {
+        return certificateKeyFile;
+    }
+
+
+    // ----------------------------------------------------------- Inner classes
+
+    public static enum Type {
+        JSSE,
+        OPENSSL
+    }
 }
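Review bot: `setKeystoreFile` now stores the raw string, whereas the AbstractEndpoint setter removed in this same commit ran `adjustRelativePath(s, System.getProperty(Constants.CATALINA_BASE_PROP))`, so a relative `keystoreFile` in server.xml will resolve against the JVM's working directory unless JSSESocketFactory adjusts it later (not visible in this diff). If `adjustRelativePath` is static and accessible, restoring the old behaviour is one line: `this.keystoreFile = AbstractEndpoint.adjustRelativePath(keystoreFile, System.getProperty(Constants.CATALINA_BASE_PROP));`. The same question applies to `certificateFile`/`certificateKeyFile`, which previously were passed through unchanged, so at least documenting that OpenSSL paths are taken as-is would avoid surprises. Style: `static` is redundant on a nested enum, so `public enum Type` suffices.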

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1675908&r1=1675907&r2=1675908&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Fri Apr 24 18:01:35 2015
@@ -235,7 +235,7 @@ public class JSSESocketFactory implement
     protected KeyStore getKeystore(String type, String provider, String pass)
             throws IOException {
 
-        String keystoreFile = endpoint.getKeystoreFile();
+        String keystoreFile = sslHostConfig.getKeystoreFile();
         if (keystoreFile == null)
             keystoreFile = defaultKeystoreFile;
 


