Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/05/07 13:07:50 UTC
svn commit: r1678165 - in /tomcat/trunk: java/org/apache/coyote/http11/
java/org/apache/tomcat/util/net/ webapps/docs/config/
Author: markt
Date: Thu May 7 11:07:50 2015
New Revision: 1678165
URL: http://svn.apache.org/r1678165
Log:
Move remaining OpenSSL TLS config attributes to SSLHostConfig
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1678165&r1=1678164&r2=1678165&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu May 7 11:07:50 2015
@@ -524,6 +524,36 @@ public abstract class AbstractHttp11Prot
}
+ public void setSSLCertificateChainFile(String certificateChainFile) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setCertificateChainFile(certificateChainFile);
+ }
+
+
+ public void setSSLCACertificatePath(String caCertificatePath) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setCaCertificatePath(caCertificatePath);
+ }
+
+
+ public void setSSLCACertificateFile(String caCertificateFile) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setCaCertificateFile(caCertificateFile);
+ }
+
+
+ public void setSSLDisableCompression(boolean disableCompression) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setDisableCompression(disableCompression);
+ }
+
+
+ public void setSSLDisableSessionTickets(boolean disableSessionTickets) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setDisableSessionTickets(disableSessionTickets);
+ }
+
+
// ------------------------------------------------------------- Common code
// Common configuration required for all new HTTP11 processors
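Review bot: Only setters are added here, while the Http11AprProtocol hunk below removes the matching getters (getSSLCertificateChainFile, getSSLCACertificatePath, getSSLCACertificateFile, getSSLDisableCompression, getSSLDisableSessionTickets); unless AbstractHttp11Protocol already exposes read accessors for these outside the hunk, anything that read the protocol's SSL* bean properties (for example through JMX) loses them. The hunk also adds no setSSLInsecureRenegotiation although AprEndpoint's setSSLInsecureRenegotiation is removed in this commit; if an earlier change did not already add it, the SSLInsecureRenegotiation connector attribute would no longer be settable. Each new setter would benefit from a one-line Javadoc saying what it is, e.g. `/** Alias for {@code caCertificatePath} on the default SSLHostConfig; kept for backwards compatibility. */`. The enclosing class continues outside the hunk.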
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1678165&r1=1678164&r2=1678165&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu May 7 11:07:50 2015
@@ -70,42 +70,6 @@ public class Http11AprProtocol extends A
public void setDeferAccept(boolean deferAccept) { ((AprEndpoint)getEndpoint()).setDeferAccept(deferAccept); }
- // -------------------- SSL related properties --------------------
-
- /**
- * SSL certificate chain file.
- */
- public String getSSLCertificateChainFile() { return ((AprEndpoint)getEndpoint()).getSSLCertificateChainFile(); }
- public void setSSLCertificateChainFile(String SSLCertificateChainFile) { ((AprEndpoint)getEndpoint()).setSSLCertificateChainFile(SSLCertificateChainFile); }
-
-
- /**
- * SSL CA certificate path.
- */
- public String getSSLCACertificatePath() { return ((AprEndpoint)getEndpoint()).getSSLCACertificatePath(); }
- public void setSSLCACertificatePath(String SSLCACertificatePath) { ((AprEndpoint)getEndpoint()).setSSLCACertificatePath(SSLCACertificatePath); }
-
-
- /**
- * SSL CA certificate file.
- */
- public String getSSLCACertificateFile() { return ((AprEndpoint)getEndpoint()).getSSLCACertificateFile(); }
- public void setSSLCACertificateFile(String SSLCACertificateFile) { ((AprEndpoint)getEndpoint()).setSSLCACertificateFile(SSLCACertificateFile); }
-
-
- /**
- * Disable SSL compression.
- */
- public boolean getSSLDisableCompression() { return ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }
- public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); }
-
- /**
- * Disable TLS Session Tickets (RFC 4507).
- */
- public boolean getSSLDisableSessionTickets() { return ((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); }
- public void setSSLDisableSessionTickets(boolean enable) { ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); }
-
-
// ----------------------------------------------------- JMX related methods
@Override
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1678165&r1=1678164&r2=1678165&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu May 7 11:07:50 2015
@@ -209,62 +209,6 @@ public class AprEndpoint extends Abstrac
/**
- * SSL certificate chain file.
- */
- protected String SSLCertificateChainFile = null;
- public String getSSLCertificateChainFile() { return SSLCertificateChainFile; }
- public void setSSLCertificateChainFile(String SSLCertificateChainFile) { this.SSLCertificateChainFile = SSLCertificateChainFile; }
-
-
- /**
- * SSL CA certificate path.
- */
- protected String SSLCACertificatePath = null;
- public String getSSLCACertificatePath() { return SSLCACertificatePath; }
- public void setSSLCACertificatePath(String SSLCACertificatePath) { this.SSLCACertificatePath = SSLCACertificatePath; }
-
-
- /**
- * SSL CA certificate file.
- */
- protected String SSLCACertificateFile = null;
- public String getSSLCACertificateFile() { return SSLCACertificateFile; }
- public void setSSLCACertificateFile(String SSLCACertificateFile) { this.SSLCACertificateFile = SSLCACertificateFile; }
-
-
- /**
- * SSL disable TLS Session Tickets (RFC 4507).
- */
- protected boolean SSLDisableSessionTickets = false;
- public boolean getSSLDisableSessionTickets() { return SSLDisableSessionTickets; }
- public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets) { this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
-
- /**
- * SSL allow insecure renegotiation for the the client that does not
- * support the secure renegotiation.
- */
- protected boolean SSLInsecureRenegotiation = false;
- public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
- public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
-
- /**
- * Disables compression of the SSL stream. This thwarts CRIME attack
- * and possibly improves performance by not compressing uncompressible
- * content such as JPEG, etc.
- */
- protected boolean SSLDisableCompression = false;
-
- /**
- * Configures whether or not to use SSL compression. The default is
- * <code>false</code>.
- *
- * @param SSLDisableCompression Set to <code>true</code> to disable SSL
- * compression. This thwarts the CRIMEattack.
- */
- public void setSSLDisableCompression(boolean SSLDisableCompression) { this.SSLDisableCompression = SSLDisableCompression; }
- public boolean getSSLDisableCompression() { return SSLDisableCompression; }
-
- /**
* Port in use.
*/
@Override
@@ -470,7 +414,7 @@ public class AprEndpoint extends Abstrac
sm.getString("endpoint.apr.failSslContextMake"), e);
}
- if (SSLInsecureRenegotiation) {
+ if (sslHostConfig.getInsecureRenegotiation()) {
boolean legacyRenegSupported = false;
try {
legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
@@ -504,7 +448,7 @@ public class AprEndpoint extends Abstrac
}
// Disable compression if requested
- if (SSLDisableCompression) {
+ if (sslHostConfig.getDisableCompression()) {
boolean disableCompressionSupported = false;
try {
disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
@@ -521,7 +465,7 @@ public class AprEndpoint extends Abstrac
}
// Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
- if (SSLDisableSessionTickets) {
+ if (sslHostConfig.getDisableSessionTickets()) {
boolean disableSessionTicketsSupported = false;
try {
disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
@@ -545,9 +489,11 @@ public class AprEndpoint extends Abstrac
sslHostConfig.getCertificateKeyFile(),
sslHostConfig.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA);
// Set certificate chain file
- SSLContext.setCertificateChainFile(ctx, SSLCertificateChainFile, false);
+ SSLContext.setCertificateChainFile(
+ ctx, sslHostConfig.getCertificateChainFile(), false);
// Support Client Certificates
- SSLContext.setCACertificate(ctx, SSLCACertificateFile, SSLCACertificatePath);
+ SSLContext.setCACertificate(ctx, sslHostConfig.getCaCertificateFile(),
+ sslHostConfig.getCaCertificatePath());
// Set revocation
SSLContext.setCARevocation(ctx, sslHostConfig.getCertificateRevocationListFile(),
sslHostConfig.getCertificateRevocationListPath());
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1678165&r1=1678164&r2=1678165&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu May 7 11:07:50 2015
@@ -73,11 +73,16 @@ public class SSLHostConfig {
private String truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
private String truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
-
// OpenSSL
+ private String certificateChainFile;
private String certificateFile;
private String certificateKeyFile;
private String certificateRevocationListPath;
+ private String caCertificateFile;
+ private String caCertificatePath;
+ private boolean disableCompression = true;
+ private boolean disableSessionTickets = false;
+ private boolean insecureRenegotiation = false;
public SSLHostConfig() {
// Set defaults that can't be (easily) set when defining the fields.
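Review bot: The default for `disableCompression` on this hunk's field declaration is `true`, whereas the AprEndpoint field it replaces was initialised to `false` (see its removed initializer in the AprEndpoint hunk above); the http.xml change documents the new default, but the commit log only describes a move, so the behaviour change deserves an explicit mention there or in the changelog. Turning it on is the safer default (the removed AprEndpoint Javadoc cited the CRIME attack as the reason to disable compression), but operators who relied on the previous default get a change without being told. The explicit `= false` initializers on the two following boolean fields are redundant and could be dropped to match the surrounding String fields, though that is style only. The constructor and the rest of the class continue outside the hunk.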
@@ -427,6 +432,16 @@ public class SSLHostConfig {
// ------------------------------- OpenSSL specific configuration properties
+ public void setCertificateChainFile(String certificateChainFile) {
+ setProperty("certificateChainFile", Type.OPENSSL);
+ this.certificateChainFile = adjustRelativePath(certificateChainFile);
+ }
+
+ public String getCertificateChainFile() {
+ return certificateChainFile;
+ }
+
+
public void setCertificateFile(String certificateFile) {
setProperty("certificateFile", Type.OPENSSL);
this.certificateFile = adjustRelativePath(certificateFile);
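Review bot: `setCertificateChainFile` now routes the value through `adjustRelativePath`, whereas the AprEndpoint setter it replaces stored the raw string (`this.SSLCertificateChainFile = SSLCertificateChainFile;` in the removed lines above), so a relative chain-file path is now resolved the same way as `certificateFile` instead of being handed to the native library as given; this looks intentional and consistent, but it is a behaviour change that a changelog line should mention. The same applies to `setCaCertificateFile` and `setCaCertificatePath` in the next hunk of this file. A short Javadoc would pin the contract, e.g. `/** PEM file holding the CA certificates that form the server certificate's chain; relative paths are adjusted via {@code adjustRelativePath}. */`. The class continues outside the hunk.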
@@ -460,6 +475,61 @@ public class SSLHostConfig {
}
+ public void setCaCertificateFile(String caCertificateFile) {
+ setProperty("caCertificateFile", Type.OPENSSL);
+ this.caCertificateFile = adjustRelativePath(caCertificateFile);
+ }
+
+
+ public String getCaCertificateFile() {
+ return caCertificateFile;
+ }
+
+
+ public void setCaCertificatePath(String caCertificatePath) {
+ setProperty("caCertificatePath", Type.OPENSSL);
+ this.caCertificatePath = adjustRelativePath(caCertificatePath);
+ }
+
+
+ public String getCaCertificatePath() {
+ return caCertificatePath;
+ }
+
+
+ public void setDisableCompression(boolean disableCompression) {
+ setProperty("disableCompression", Type.OPENSSL);
+ this.disableCompression = disableCompression;
+ }
+
+
+ public boolean getDisableCompression() {
+ return disableCompression;
+ }
+
+
+ public void setDisableSessionTickets(boolean disableSessionTickets) {
+ setProperty("disableSessionTickets", Type.OPENSSL);
+ this.disableSessionTickets = disableSessionTickets;
+ }
+
+
+ public boolean getDisableSessionTickets() {
+ return disableSessionTickets;
+ }
+
+
+ public void setInsecureRenegotiation(boolean insecureRenegotiation) {
+ setProperty("insecureRenegotiation", Type.OPENSSL);
+ this.insecureRenegotiation = insecureRenegotiation;
+ }
+
+
+ public boolean getInsecureRenegotiation() {
+ return insecureRenegotiation;
+ }
+
+
// --------------------------------------------------------- Support methods
private String adjustRelativePath(String path) {
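Review bot: None of the new setters and getters in this hunk carry Javadoc, and the AprEndpoint members they replace did: the compression setter explained that disabling compression thwarts the CRIME attack, the session-ticket member referenced RFC 4507, and the renegotiation member stated that it allows insecure renegotiation for clients lacking secure renegotiation support. That rationale is exactly what a reader of `setInsecureRenegotiation` needs, since enabling it weakens the handshake, so I would carry it over, e.g. `/** Allow insecure (legacy) renegotiation for clients that do not support secure renegotiation (RFC 5746); weakens TLS, default {@code false}. */` on setInsecureRenegotiation and `/** Disable TLS compression (mitigates CRIME); default {@code true}. */` on setDisableCompression, with a matching RFC 4507 note on setDisableSessionTickets. The class continues outside the hunk; `adjustRelativePath` starts on the hunk's last line.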
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1678165&r1=1678164&r2=1678165&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu May 7 11:07:50 2015
@@ -1031,6 +1031,13 @@
<attributes>
+ <attribute name="certificateChainFile" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the file that contains concatenated certifcates for the
+ certificate authorities which form the certifcate chain for the server
+ certificate. The format is PEM-encoded.</p>
+ </attribute>
+
<attribute name="certificateFile" required="true">
<p>OpenSSL only.</p>
<p>Name of the file that contains the server certificate. The format is
@@ -1140,6 +1147,18 @@
of 10 will be used.</p>
</attribute>
+ <attribute name="caCertificateFile" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the file that contains the concatenated certificates for the
+ trusted certificate authorities. The format is PEM-encoded.</p>
+ </attribute>
+
+ <attribute name="caCertificatePath" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the directory that contains the certificates for the trusted
+ certificate authorities. The format is PEM-encoded.</p>
+ </attribute>
+
<attribute name="ciphers" required="false">
<p>The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
documentation for the list of ciphers supported and the syntax).
@@ -1156,6 +1175,19 @@
treated as an order of preference. See <code>honorCipherOrder</code>.</p>
</attribute>
+ <attribute name="disableCompression" required="false">
+ <p>OpenSSL only.</p>
+ <p>Disables compression if set to <code>true</code> and OpenSSL supports
+ disabling compression. Default is <code>true</code>. If <code>false</code>
+ the default compression setting in OpenSSL will be used.</p>
+ </attribute>
+
+ <attribute name="disableSessionTickets" required="false">
+ <p>OpenSSL only.</p>
+ <p>Disables use of TLS Session Tickets (RFC 4507) if set to
+ <code>true</code>. Default is <code>false</code>.</p>
+ </attribute>
+
<attribute name="honorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>ciphers</code> setting) instead of allowing
@@ -1169,6 +1201,14 @@
of <code>_default_</code> will be used.</p>
</attribute>
+ <attribute name="insecureRenegotiation" required="false">
+ <p>OpenSSL only.</p>
+ <p>Enables insecure renegotiation if set to <code>true</code> and OpenSSL
+ supports enabling insecure renegotiation. Default is <code>false</code>.
+ If <code>false</code> the default insecure renegotiation setting in
+ OpenSSL will be used.</p>
+ </attribute>
+
<attribute name="keyManagerAlgorithm" required="false">
<p>JSSE only.</p>
<p>The <code>KeyManager</code> algorithm to be used. This defaults to
@@ -1451,13 +1491,15 @@
<attributes>
<attribute name="SSLCACertificateFile" required="false">
- <p>Name of the file that contains the concatenated certificates for the
- trusted certificate authorities. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>caCertificateFile</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
</attribute>
<attribute name="SSLCACertificatePath" required="false">
- <p>Name of the directory that contains the certificates for the trusted
- certificate authorities. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>caCertificatePath</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
</attribute>
<attribute name="SSLCARevocationFile" required="false">
@@ -1473,9 +1515,9 @@
</attribute>
<attribute name="SSLCertificateChainFile" required="false">
- <p>Name of the file that contains concatenated certifcates for the
- certificate authorities which form the certifcate chain for the server
- certificate. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>certificateChainFile</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
</attribute>
<attribute name="SSLCertificateFile" required="true">
@@ -1496,9 +1538,9 @@
</attribute>
<attribute name="SSLDisableCompression" required="false">
- <p>Disables compression if set to <code>true</code> and OpenSSL supports
- disabling compression. Default is <code>false</code> which inherits the
- default compression setting in OpenSSL.</p>
+ <p>This is an alias for the <code>disableCompression</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="SSLHonorCipherOrder" required="false">
@@ -1532,8 +1574,9 @@
</attribute>
<attribute name="SSLDisableSessionTickets" required="false">
- <p>Disables use of TLS Session Tickets (RFC 4507) if set to
- <code>true</code>. Default is <code>false</code>.</p>
+ <p>This is an alias for the <code>disableSessionTickets</code> attribute
+ of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
</attributes>