Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/02/16 14:46:27 UTC
[tomcat] branch 9.0.x updated (30f3e22900 -> d92f52a02c)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
from 30f3e22900 Use a constant for the default certificate alias
new 79404d7009 Refactor to make using custom endpoints easier
new 6058ae4f61 Correct comment
new 497f182403 Add dedicated logger for TLS certifcates
new d92f52a02c Create a Java KeyManager for APR TLS endpoints if possible
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../apache/coyote/http11/Http11AprProtocol.java | 14 +++---
.../apache/coyote/http11/Http11Nio2Protocol.java | 7 ++-
.../apache/coyote/http11/Http11NioProtocol.java | 14 +++---
.../apache/tomcat/util/net/AbstractEndpoint.java | 55 +++++++++++++++++++++-
.../tomcat/util/net/AbstractJsseEndpoint.java | 2 +-
java/org/apache/tomcat/util/net/AprEndpoint.java | 15 +++++-
.../apache/tomcat/util/net/LocalStrings.properties | 3 ++
java/org/apache/tomcat/util/net/Nio2Endpoint.java | 7 +++
java/org/apache/tomcat/util/net/NioEndpoint.java | 7 +++
webapps/docs/changelog.xml | 6 +++
10 files changed, 111 insertions(+), 19 deletions(-)
[tomcat] 02/04: Correct comment
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6058ae4f61d2baa3a4c804fa62f73fe4034caaf0
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:53:27 2023 +0000
Correct comment
---
java/org/apache/coyote/http11/Http11AprProtocol.java | 7 +------
java/org/apache/coyote/http11/Http11NioProtocol.java | 7 +------
2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/java/org/apache/coyote/http11/Http11AprProtocol.java b/java/org/apache/coyote/http11/Http11AprProtocol.java
index 92b24022fb..a13a4d0c66 100644
--- a/java/org/apache/coyote/http11/Http11AprProtocol.java
+++ b/java/org/apache/coyote/http11/Http11AprProtocol.java
@@ -22,12 +22,7 @@ import org.apache.tomcat.util.net.AprEndpoint;
/**
- * Abstract the protocol implementation, including threading, etc.
- * Processor is single threaded and specific to stream-based protocols,
- * will not fit Jk protocols like JNI.
- *
- * @author Remy Maucherat
- * @author Costin Manolache
+ * HTTP/1.1 protocol implementation using APR/native.
*
* @deprecated The APR/Native Connector will be removed in Tomcat 10.1.x
* onwards.
diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index ec6daabb5a..7e58ff5031 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -23,12 +23,7 @@ import org.apache.tomcat.util.net.NioEndpoint;
/**
- * Abstract the protocol implementation, including threading, etc.
- * Processor is single threaded and specific to stream-based protocols,
- * will not fit Jk protocols like JNI.
- *
- * @author Remy Maucherat
- * @author Costin Manolache
+ * HTTP/1.1 protocol implementation using NIO.
*/
public class Http11NioProtocol extends AbstractHttp11JsseProtocol<NioChannel> {
[tomcat] 01/04: Refactor to make using custom endpoints easier
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 79404d7009b06290e5ddb8fc95830bc8a53c7e1f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:53:10 2023 +0000
Refactor to make using custom endpoints easier
---
java/org/apache/coyote/http11/Http11AprProtocol.java | 7 ++++++-
java/org/apache/coyote/http11/Http11Nio2Protocol.java | 7 ++++++-
java/org/apache/coyote/http11/Http11NioProtocol.java | 7 ++++++-
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/coyote/http11/Http11AprProtocol.java b/java/org/apache/coyote/http11/Http11AprProtocol.java
index b3e681d4f0..92b24022fb 100644
--- a/java/org/apache/coyote/http11/Http11AprProtocol.java
+++ b/java/org/apache/coyote/http11/Http11AprProtocol.java
@@ -38,7 +38,12 @@ public class Http11AprProtocol extends AbstractHttp11Protocol<Long> {
private static final Log log = LogFactory.getLog(Http11AprProtocol.class);
public Http11AprProtocol() {
- super(new AprEndpoint());
+ this(new AprEndpoint());
+ }
+
+
+ public Http11AprProtocol(AprEndpoint endpoint) {
+ super(endpoint);
}
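Review bot: The new public constructor `Http11AprProtocol(AprEndpoint endpoint)` carries no Javadoc, and the same applies to the matching constructors added to Http11Nio2Protocol and Http11NioProtocol in this commit, even though they are the entry points the commit message says custom endpoints should use. A short comment above each, e.g. `/** Creates the protocol handler backed by the supplied endpoint; intended for custom endpoint implementations. @param endpoint the endpoint this protocol will drive */`, would document the intended use. Whether `super(endpoint)` rejects a null endpoint is not visible in this hunk; if the superclass does not guard it, `this(Objects.requireNonNull(endpoint, "endpoint"))`-style validation in the new constructor would fail fast instead of surfacing later as an NPE during start. The rest of the class body lies outside the hunk.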
diff --git a/java/org/apache/coyote/http11/Http11Nio2Protocol.java b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
index e30b41a552..84ce5fb946 100644
--- a/java/org/apache/coyote/http11/Http11Nio2Protocol.java
+++ b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
@@ -31,7 +31,12 @@ public class Http11Nio2Protocol extends AbstractHttp11JsseProtocol<Nio2Channel>
public Http11Nio2Protocol() {
- super(new Nio2Endpoint());
+ this(new Nio2Endpoint());
+ }
+
+
+ public Http11Nio2Protocol(Nio2Endpoint endpoint) {
+ super(endpoint);
}
diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index 43327f361b..ec6daabb5a 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -36,7 +36,12 @@ public class Http11NioProtocol extends AbstractHttp11JsseProtocol<NioChannel> {
public Http11NioProtocol() {
- super(new NioEndpoint());
+ this(new NioEndpoint());
+ }
+
+
+ public Http11NioProtocol(NioEndpoint endpoint) {
+ super(endpoint);
}
[tomcat] 04/04: Create a Java KeyManager for APR TLS endpoints if possible
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d92f52a02cacc285ebec8c83bf91670f5a704345
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 14:45:57 2023 +0000
Create a Java KeyManager for APR TLS endpoints if possible
This exposes the certs to the Manager app and certificate debug logging
---
java/org/apache/tomcat/util/net/AprEndpoint.java | 6 ++++++
java/org/apache/tomcat/util/net/LocalStrings.properties | 1 +
2 files changed, 7 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 11ac0d901c..5a82cfcf42 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -468,6 +468,12 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
} catch (Exception e) {
throw new IllegalArgumentException(e.getMessage(), e);
}
+ try {
+ KeyManager[] kms = sslUtil.getKeyManagers();
+ certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
+ } catch (Exception e) {
+ log.debug(sm.getString("endpoint.apr.keyManagerError"), e);
+ }
} else {
SSLUtil sslUtil = new OpenSSLUtil(certificate);
KeyManager[] kms = sslUtil.getKeyManagers();
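Review bot: The new fallback reports a KeyManager construction failure through the endpoint's general `log` at debug level, so a key that OpenSSL accepts but the Java KeyManager cannot load leaves the Manager app with no certificate details and gives the operator no visible reason unless debug logging is enabled for the whole endpoint. Commit 497f182403 in this same push added a `logCertificate` field to this class for precisely this kind of certificate diagnostic, so `logCertificate.debug(sm.getString("endpoint.apr.keyManagerError"), e);` (or `getLogCertificate().debug(...)`) would place the message where someone enabling certificate debugging will find it; whether warn is the better level given that the connector otherwise starts with a valid configuration is worth deciding explicitly. The `catch (Exception e)` is broad but, as a best-effort step, only needs to avoid masking a real initialisation error from the surrounding code. The `sslUtil` referenced by the new block is declared before this hunk and the enclosing method continues past it.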
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index b09b0b0094..0dce57d31a 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -52,6 +52,7 @@ endpoint.apr.errApplyConf=Could not apply OpenSSLConf to SSL context
endpoint.apr.errCheckConf=Error during OpenSSLConf check
endpoint.apr.errMakeConf=Could not create OpenSSLConf context
endpoint.apr.failSslContextMake=Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
+endpoint.apr.keyManagerError=Unable to construct Java KeyManager for provided TLS key
endpoint.apr.invalidSslProtocol=An invalid value [{0}] was provided for the SSLProtocol attribute
endpoint.apr.maxConnections.running=The APR endpoint does not support the setting of maxConnections while it is running. The existing value of [{0}] will continue to be used.
endpoint.apr.maxConnections.unlimited=The APR endpoint does not support unlimited connections. The existing value of [{0}] will continue to be used.
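Review bot: The new key `endpoint.apr.keyManagerError` is inserted between `endpoint.apr.failSslContextMake` and `endpoint.apr.invalidSslProtocol`, which breaks the alphabetical ordering the surrounding `endpoint.apr.*` keys follow. Moving the line to sit after `endpoint.apr.invalidSslProtocol` keeps the file sorted; the message text itself reads fine.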
[tomcat] 03/04: Add dedicated logger for TLS certifcates
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 497f18240318e623ae608f8d4bdcbb366e2eab54
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:57:55 2023 +0000
Add dedicated logger for TLS certifcates
Allows debug logging to be enabled just for certificates
---
.../apache/tomcat/util/net/AbstractEndpoint.java | 55 +++++++++++++++++++++-
.../tomcat/util/net/AbstractJsseEndpoint.java | 2 +-
java/org/apache/tomcat/util/net/AprEndpoint.java | 9 +++-
.../apache/tomcat/util/net/LocalStrings.properties | 2 +
java/org/apache/tomcat/util/net/Nio2Endpoint.java | 7 +++
java/org/apache/tomcat/util/net/NioEndpoint.java | 7 +++
webapps/docs/changelog.xml | 6 +++
7 files changed, 84 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 87436023b6..2a14da3d45 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -22,6 +22,10 @@ import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
@@ -44,6 +48,7 @@ import javax.management.ObjectName;
import org.apache.juli.logging.Log;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.buf.HexUtils;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.modeler.Registry;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
@@ -388,8 +393,50 @@ public abstract class AbstractEndpoint<S,U> {
trustStoreSource = sslHostConfig.getCaCertificatePath();
}
- getLog().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(), certificate.getType(),
- certificateSource, keyAlias, trustStoreSource));
+ getLogCertificate().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(),
+ certificate.getType(), certificateSource, keyAlias, trustStoreSource));
+
+ if (getLogCertificate().isDebugEnabled()) {
+ String alias = certificate.getCertificateKeyAlias();
+ if (alias == null) {
+ alias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+ }
+ X509Certificate[] x509Certificates = certificate.getSslContext().getCertificateChain(alias);
+ if (x509Certificates != null && x509Certificates.length > 0) {
+ getLogCertificate().debug(generateCertificateDebug(x509Certificates[0]));
+ } else {
+ getLogCertificate().debug(sm.getString("endpoint.tls.cert.noCerts"));
+ }
+ }
+ }
+
+
+ protected String generateCertificateDebug(X509Certificate certificate) {
+ StringBuilder sb = new StringBuilder();
+ sb.append("\n[");
+ try {
+ byte[] certBytes = certificate.getEncoded();
+ // SHA-256 fingerprint
+ sb.append("\nSHA-256 fingerprint: ");
+ MessageDigest sha512Digest = MessageDigest.getInstance("SHA-256");
+ sha512Digest.update(certBytes);
+ sb.append(HexUtils.toHexString(sha512Digest.digest()));
+ // SHA-256 fingerprint
+ sb.append("\nSHA-1 fingerprint: ");
+ MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1");
+ sha1Digest.update(certBytes);
+ sb.append(HexUtils.toHexString(sha1Digest.digest()));
+ } catch (CertificateEncodingException e) {
+ getLogCertificate().warn(sm.getString("endpoint.tls.cert.encodingError"), e);
+ } catch (NoSuchAlgorithmException e) {
+ // Unreachable code
+ // All JREs are required to support SHA-1 and SHA-256
+ throw new RuntimeException(e);
+ }
+ sb.append("\n");
+ sb.append(certificate);
+ sb.append("\n]");
+ return sb.toString();
}
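Review bot: In `generateCertificateDebug` the SHA-256 digest is held in a variable named `sha512Digest`, and the comment above the SHA-1 section repeats `// SHA-256 fingerprint`; both will mislead the next reader of what is security-diagnostic output. Rename the variable to `MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");` (updating its two uses) and change the second comment to `// SHA-1 fingerprint`. The method is new, protected and undocumented; a Javadoc stating that it returns a multi-line string holding the SHA-256 and SHA-1 fingerprints followed by the certificate's toString() output, and that on a CertificateEncodingException the problem is logged as a warning and the fingerprints are omitted, would help, as would a one-line Javadoc on the new `getLogCertificate()` hook in the later hunk of this file saying that subclasses override it to route certificate messages to a dedicated logger. The enclosing `logCertificate` method starts before this hunk, so the null handling of `certificate.getSslContext()` cannot be judged from here.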
@@ -1403,6 +1450,10 @@ public abstract class AbstractEndpoint<S,U> {
protected abstract Log getLog();
+ protected Log getLogCertificate() {
+ return getLog();
+ }
+
protected LimitLatch initializeConnectionLatch() {
if (maxConnections==-1) {
return null;
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index a363bef182..4732026c26 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -107,8 +107,8 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
throw new IllegalArgumentException(e.getMessage(), e);
}
- logCertificate(certificate);
certificate.setSslContext(sslContext);
+ logCertificate(certificate);
}
}
diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 150e7b3915..11ac0d901c 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
@@ -90,6 +90,7 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
// -------------------------------------------------------------- Constants
private static final Log log = LogFactory.getLog(AprEndpoint.class);
+ private static final Log logCertificate = LogFactory.getLog(AprEndpoint.class.getName() + ".certificate");
// ----------------------------------------------------------------- Fields
@@ -474,8 +475,8 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
sslContext.addCertificate(certificate);
}
- logCertificate(certificate);
certificate.setSslContext(sslContext);
+ logCertificate(certificate);
}
if (certificates.size() > 2) {
@@ -932,6 +933,12 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
return log;
}
+ @Override
+ protected Log getLogCertificate() {
+ return logCertificate;
+ }
+
+
// -------------------------------------------------- SocketInfo Inner Class
public static class SocketInfo {
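Review bot: This commit also introduces a dedicated `org.apache.tomcat.util.net.AprEndpoint.certificate` logger through the new `logCertificate` field and this override, but the changelog entry in the same commit names only the NioEndpoint and Nio2Endpoint loggers, so APR connector operators have no documented way to discover it. Adding the APR logger name to that entry (or to the logging documentation) would close the gap; if the omission is deliberate because the APR connector is deprecated, as the Http11AprProtocol Javadoc in this push states, a note to that effect would avoid the question.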
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index fc7150cd74..b09b0b0094 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -131,6 +131,8 @@ endpoint.setAttribute=Set [{0}] to [{1}]
endpoint.setAttributeError=Unable to set attribute [{0}] to [{1}]
endpoint.socketOptionsError=Error setting socket options
endpoint.timeout.err=Error processing socket timeout
+endpoint.tls.cert.encodingError=Certificate fingerprints not available
+endpoint.tls.cert.noCerts=Certificate details not available as the certificate chain returned from the SSLContext was empty
endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from [{3}] using alias [{4}] and with trust store [{5}]
endpoint.unknownSslHostName=The SSL host name [{0}] is not recognised for this endpoint
endpoint.warn.executorShutdown=The executor associated with thread pool [{0}] has not fully shutdown. Some application threads may still be running.
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 5386b6e0bd..7eb12b710f 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -59,6 +59,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
private static final Log log = LogFactory.getLog(Nio2Endpoint.class);
+ private static final Log logCertificate = LogFactory.getLog(Nio2Endpoint.class.getName() + ".certificate");
private static final Log logHandshake = LogFactory.getLog(Nio2Endpoint.class.getName() + ".handshake");
@@ -398,6 +399,12 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
}
+ @Override
+ protected Log getLogCertificate() {
+ return logCertificate;
+ }
+
+
@Override
protected SocketProcessorBase<Nio2Channel> createSocketProcessor(
SocketWrapperBase<Nio2Channel> socketWrapper, SocketEvent event) {
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index e30f4a7c2d..915a057297 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -83,6 +83,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
private static final Log log = LogFactory.getLog(NioEndpoint.class);
+ private static final Log logCertificate = LogFactory.getLog(NioEndpoint.class.getName() + ".certificate");
private static final Log logHandshake = LogFactory.getLog(NioEndpoint.class.getName() + ".handshake");
@@ -568,6 +569,12 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
}
+ @Override
+ protected Log getLogCertificate() {
+ return logCertificate;
+ }
+
+
@Override
protected SocketProcessorBase<NioChannel> createSocketProcessor(
SocketWrapperBase<NioChannel> socketWrapper, SocketEvent event) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bd48a8bace..b1b4f0b15f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -156,6 +156,12 @@
from timing out when using a Connector configured with
<code>useAsyncIO=true</code> (the default for NIO and NIO2). (markt)
</fix>
+ <add>
+ Provided dedicated loggers
+ (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
+ <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
+ logging of configured TLS certificates. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">