Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/02/16 14:13:15 UTC

[tomcat] branch 10.1.x updated (789d707450 -> 309a3f59d1)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from 789d707450 Use a constant for the default certificate alias
     new 82c9488fbe Refactor to make using custom endpoints easier
     new 0f92b76383 Correct comment
     new 309a3f59d1 Add dedicated logger for TLS certifcates

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../apache/coyote/http11/Http11Nio2Protocol.java   |  7 ++-
 .../apache/coyote/http11/Http11NioProtocol.java    | 14 +++---
 .../apache/tomcat/util/net/AbstractEndpoint.java   | 55 +++++++++++++++++++++-
 .../tomcat/util/net/AbstractJsseEndpoint.java      |  2 +-
 .../apache/tomcat/util/net/LocalStrings.properties |  2 +
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  |  7 +++
 java/org/apache/tomcat/util/net/NioEndpoint.java   |  7 +++
 webapps/docs/changelog.xml                         |  6 +++
 8 files changed, 89 insertions(+), 11 deletions(-)




[tomcat] 02/03: Correct comment

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 0f92b76383136c4604fca67469102464fb212a30
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:53:27 2023 +0000

    Correct comment
---
 java/org/apache/coyote/http11/Http11NioProtocol.java | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index 1f52c6e7f0..94c092cc7d 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -23,12 +23,7 @@ import org.apache.tomcat.util.net.NioEndpoint;
 
 
 /**
- * Abstract the protocol implementation, including threading, etc.
- * Processor is single threaded and specific to stream-based protocols,
- * will not fit Jk protocols like JNI.
- *
- * @author Remy Maucherat
- * @author Costin Manolache
+ * HTTP/1.1 protocol implementation using NIO.
  */
 public class Http11NioProtocol extends AbstractHttp11JsseProtocol<NioChannel> {
 




[tomcat] 01/03: Refactor to make using custom endpoints easier

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 82c9488fbe3e51e839502e9a6c34fc92123d0372
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:53:10 2023 +0000

    Refactor to make using custom endpoints easier
---
 java/org/apache/coyote/http11/Http11Nio2Protocol.java | 7 ++++++-
 java/org/apache/coyote/http11/Http11NioProtocol.java  | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11Nio2Protocol.java b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
index e30b41a552..84ce5fb946 100644
--- a/java/org/apache/coyote/http11/Http11Nio2Protocol.java
+++ b/java/org/apache/coyote/http11/Http11Nio2Protocol.java
@@ -31,7 +31,12 @@ public class Http11Nio2Protocol extends AbstractHttp11JsseProtocol<Nio2Channel>
 
 
     public Http11Nio2Protocol() {
-        super(new Nio2Endpoint());
+        this(new Nio2Endpoint());
+    }
+
+
+    public Http11Nio2Protocol(Nio2Endpoint endpoint) {
+        super(endpoint);
     }
 
 
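Review bot: The new public constructor `public Http11Nio2Protocol(Nio2Endpoint endpoint)` is the extension point this commit introduces for custom endpoints, but it carries no Javadoc, and the same applies to `public Http11NioProtocol(NioEndpoint endpoint)` in the next hunk. A short doc would make the contract explicit: `/** Creates a protocol handler backed by the given endpoint, so a custom {@link Nio2Endpoint} subclass can be used. @param endpoint the endpoint to wrap; must not be null */`. Unless the superclass constructor already rejects a null endpoint (not visible here), `super(Objects.requireNonNull(endpoint, "endpoint"));` with `java.util.Objects` imported would fail fast at construction instead of surfacing a less obvious NullPointerException later.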
diff --git a/java/org/apache/coyote/http11/Http11NioProtocol.java b/java/org/apache/coyote/http11/Http11NioProtocol.java
index f77e45bad9..1f52c6e7f0 100644
--- a/java/org/apache/coyote/http11/Http11NioProtocol.java
+++ b/java/org/apache/coyote/http11/Http11NioProtocol.java
@@ -36,7 +36,12 @@ public class Http11NioProtocol extends AbstractHttp11JsseProtocol<NioChannel> {
 
 
     public Http11NioProtocol() {
-        super(new NioEndpoint());
+        this(new NioEndpoint());
+    }
+
+
+    public Http11NioProtocol(NioEndpoint endpoint) {
+        super(endpoint);
     }
 
 




[tomcat] 03/03: Add dedicated logger for TLS certifcates

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 309a3f59d1586c7b7818cc9ad2bb4e3957766bc7
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:57:55 2023 +0000

    Add dedicated logger for TLS certifcates
    
    Allows debug logging to be enabled just for certificates
---
 .../apache/tomcat/util/net/AbstractEndpoint.java   | 55 +++++++++++++++++++++-
 .../tomcat/util/net/AbstractJsseEndpoint.java      |  2 +-
 .../apache/tomcat/util/net/LocalStrings.properties |  2 +
 java/org/apache/tomcat/util/net/Nio2Endpoint.java  |  7 +++
 java/org/apache/tomcat/util/net/NioEndpoint.java   |  7 +++
 webapps/docs/changelog.xml                         |  6 +++
 6 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index ac49fd7a20..c0f6ee9c44 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -22,6 +22,10 @@ import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.NetworkInterface;
 import java.net.SocketException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -44,6 +48,7 @@ import javax.management.ObjectName;
 import org.apache.juli.logging.Log;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.collections.SynchronizedStack;
 import org.apache.tomcat.util.modeler.Registry;
 import org.apache.tomcat.util.net.Acceptor.AcceptorState;
@@ -378,8 +383,50 @@ public abstract class AbstractEndpoint<S,U> {
             trustStoreSource = sslHostConfig.getCaCertificatePath();
         }
 
-        getLog().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(), certificate.getType(),
-                certificateSource, keyAlias, trustStoreSource));
+        getLogCertificate().info(sm.getString("endpoint.tls.info", getName(), sslHostConfig.getHostName(),
+                certificate.getType(), certificateSource, keyAlias, trustStoreSource));
+
+        if (getLogCertificate().isDebugEnabled()) {
+            String alias = certificate.getCertificateKeyAlias();
+            if (alias == null) {
+                alias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+            }
+            X509Certificate[] x509Certificates = certificate.getSslContext().getCertificateChain(alias);
+            if (x509Certificates != null && x509Certificates.length > 0) {
+                getLogCertificate().debug(generateCertificateDebug(x509Certificates[0]));
+            } else {
+                getLogCertificate().debug(sm.getString("endpoint.tls.cert.noCerts"));
+            }
+        }
+    }
+
+
+    protected String generateCertificateDebug(X509Certificate certificate) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("\n[");
+        try {
+            byte[] certBytes = certificate.getEncoded();
+            // SHA-256 fingerprint
+            sb.append("\nSHA-256 fingerprint: ");
+            MessageDigest sha512Digest = MessageDigest.getInstance("SHA-256");
+            sha512Digest.update(certBytes);
+            sb.append(HexUtils.toHexString(sha512Digest.digest()));
+            // SHA-256 fingerprint
+            sb.append("\nSHA-1 fingerprint: ");
+            MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1");
+            sha1Digest.update(certBytes);
+            sb.append(HexUtils.toHexString(sha1Digest.digest()));
+        } catch (CertificateEncodingException e) {
+            getLogCertificate().warn(sm.getString("endpoint.tls.cert.encodingError"), e);
+        } catch (NoSuchAlgorithmException e) {
+            // Unreachable code
+            // All JREs are required to support SHA-1 and SHA-256
+            throw new RuntimeException(e);
+        }
+        sb.append("\n");
+        sb.append(certificate);
+        sb.append("\n]");
+        return sb.toString();
     }
 
 
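Review bot: In `generateCertificateDebug` the local `sha512Digest` actually holds the SHA-256 digest (`MessageDigest.getInstance("SHA-256")`) and the second `// SHA-256 fingerprint` comment precedes the SHA-1 computation, so the names contradict the code; rename the variable to `sha256Digest` and change the second comment to `// SHA-1 fingerprint`. The new method also has no Javadoc; a one-liner such as `/** Builds a multi-line debug description of the certificate: its SHA-256 and SHA-1 fingerprints followed by its toString() form. */` would cover it. The `logCertificate` method whose tail is shown here starts outside the hunk; the added block calls `certificate.getSslContext().getCertificateChain(alias)`, which relies on the SSLContext already being set — the AbstractJsseEndpoint hunk in this commit reorders the call to guarantee that, but any other caller that logs before `setSslContext` would presumably hit a NullPointerException, so a null guard or a Javadoc precondition on `logCertificate` is worth considering.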
@@ -1357,6 +1404,10 @@ public abstract class AbstractEndpoint<S,U> {
 
     protected abstract Log getLog();
 
+    protected Log getLogCertificate() {
+        return getLog();
+    }
+
     protected LimitLatch initializeConnectionLatch() {
         if (maxConnections==-1) {
             return null;
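Review bot: `getLogCertificate()` is a new protected hook with no Javadoc saying that it supplies the logger for TLS certificate messages and that the default delegates to `getLog()`; subclasses wanting a dedicated `<class>.certificate` logger (as NioEndpoint and Nio2Endpoint do in this commit) need to know to override it. Suggested: `/** Returns the logger used for TLS certificate configuration messages. Defaults to {@link #getLog()}; subclasses may override to supply a dedicated logger. */`.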
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 261ed118c2..0aabf8403a 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -106,8 +106,8 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
                 throw new IllegalArgumentException(e.getMessage(), e);
             }
 
-            logCertificate(certificate);
             certificate.setSslContext(sslContext);
+            logCertificate(certificate);
         }
     }
 
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index dc7b9b9361..8e845821bd 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -114,6 +114,8 @@ endpoint.setAttribute=Set [{0}] to [{1}]
 endpoint.setAttributeError=Unable to set attribute [{0}] to [{1}]
 endpoint.socketOptionsError=Error setting socket options
 endpoint.timeout.err=Error processing socket timeout
+endpoint.tls.cert.encodingError=Certificate fingerprints not available
+endpoint.tls.cert.noCerts=Certificate details not available as the certificate chain returned from the SSLContext was empty
 endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type [{2}] configured from [{3}] using alias [{4}] and with trust store [{5}]
 endpoint.unknownSslHostName=The SSL host name [{0}] is not recognised for this endpoint
 endpoint.warn.executorShutdown=The executor associated with thread pool [{0}] has not fully shutdown. Some application threads may still be running.
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 9875e3d406..f22c64abcc 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -59,6 +59,7 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
 
 
     private static final Log log = LogFactory.getLog(Nio2Endpoint.class);
+    private static final Log logCertificate = LogFactory.getLog(Nio2Endpoint.class.getName() + ".certificate");
     private static final Log logHandshake = LogFactory.getLog(Nio2Endpoint.class.getName() + ".handshake");
 
 
@@ -387,6 +388,12 @@ public class Nio2Endpoint extends AbstractJsseEndpoint<Nio2Channel,AsynchronousS
     }
 
 
+    @Override
+    protected Log getLogCertificate() {
+        return logCertificate;
+    }
+
+
     @Override
     protected SocketProcessorBase<Nio2Channel> createSocketProcessor(
             SocketWrapperBase<Nio2Channel> socketWrapper, SocketEvent event) {
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index d1864aec5a..5f9beb80c8 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -83,6 +83,7 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
 
 
     private static final Log log = LogFactory.getLog(NioEndpoint.class);
+    private static final Log logCertificate = LogFactory.getLog(NioEndpoint.class.getName() + ".certificate");
     private static final Log logHandshake = LogFactory.getLog(NioEndpoint.class.getName() + ".handshake");
 
 
@@ -541,6 +542,12 @@ public class NioEndpoint extends AbstractJsseEndpoint<NioChannel,SocketChannel>
     }
 
 
+    @Override
+    protected Log getLogCertificate() {
+        return logCertificate;
+    }
+
+
     @Override
     protected SocketProcessorBase<NioChannel> createSocketProcessor(
             SocketWrapperBase<NioChannel> socketWrapper, SocketEvent event) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ddf4189f80..5f10ca55b4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -169,6 +169,12 @@
         connections from timing out when using a Connector configured with
         <code>useAsyncIO=true</code> (the default). (markt)
       </fix>
+      <add>
+        Provided dedicated loggers
+        (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
+        <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
+        logging of configured TLS certificates. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Jasper">

