You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/12/04 20:31:34 UTC
svn commit: r723404 - in /tomcat/trunk:
java/org/apache/tomcat/util/net/NioEndpoint.java
java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
webapps/docs/config/http.xml
Author: markt
Date: Thu Dec 4 11:31:34 2008
New Revision: 723404
URL: http://svn.apache.org/viewvc?rev=723404&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44285
Provide support for configuring the JSSE SSL session cache size and timeout
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=723404&r1=723403&r2=723404&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu Dec 4 11:31:34 2008
@@ -50,6 +50,7 @@
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
@@ -604,7 +605,6 @@
public void setKeystoreType(String s ) { this.keystoreType = s;}
protected String sslProtocol = "TLS";
-
public String getSslProtocol() { return sslProtocol;}
public void setSslProtocol(String s) { sslProtocol = s;}
@@ -617,7 +617,6 @@
for (int i=0; i<sslEnabledProtocolsarr.length; i++ ) sslEnabledProtocolsarr[i] = t.nextToken();
}
-
protected String ciphers = null;
protected String[] ciphersarr = new String[0];
public String getCiphers() { return ciphers;}
@@ -630,7 +629,15 @@
for (int i=0; i<ciphersarr.length; i++ ) ciphersarr[i] = t.nextToken();
}
}
-
+
+ protected int sessionCacheSize = 0;
+ public int getSessionCacheSize() { return sessionCacheSize;}
+ public void setSessionCacheSize(int i) { sessionCacheSize = i;}
+
+ protected int sessionCacheTimeout = 86400;
+ public int getSessionCacheTimeout() { return sessionCacheTimeout;}
+ public void setSessionCacheTimeout(int i) { sessionCacheTimeout = i;}
+
/**
* SSL engine.
*/
@@ -808,6 +815,12 @@
sslContext = SSLContext.getInstance(getSslProtocol());
sslContext.init(wrap(kmf.getKeyManagers()), tmf.getTrustManagers(), null);
+ SSLSessionContext sessionContext =
+ sslContext.getServerSessionContext();
+ if (sessionContext != null) {
+ sessionContext.setSessionCacheSize(sessionCacheSize);
+ sessionContext.setSessionTimeout(sessionCacheTimeout);
+ }
}
if (oomParachute>0) reclaimParachute(true);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=723404&r1=723403&r2=723404&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Thu Dec 4 11:31:34 2008
@@ -49,6 +49,7 @@
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -88,6 +89,9 @@
private static final String defaultKeystoreFile
= System.getProperty("user.home") + "/.keystore";
private static final String defaultKeyPass = "changeit";
+ private static final int defaultSessionCacheSize = 0;
+ private static final int defaultSessionTimeout = 86400;
+
static org.apache.juli.logging.Log log =
org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
@@ -419,6 +423,28 @@
trustAlgorithm),
new SecureRandom());
+ // Configure SSL session cache
+ int sessionCacheSize;
+ if (attributes.get("sessionCacheSize") != null) {
+ sessionCacheSize = Integer.parseInt(
+ (String)attributes.get("sessionCacheSize"));
+ } else {
+ sessionCacheSize = defaultSessionCacheSize;
+ }
+ int sessionCacheTimeout;
+ if (attributes.get("sessionCacheTimeout") != null) {
+ sessionCacheTimeout = Integer.parseInt(
+ (String)attributes.get("sessionCacheTimeout"));
+ } else {
+ sessionCacheTimeout = defaultSessionTimeout;
+ }
+ SSLSessionContext sessionContext =
+ context.getServerSessionContext();
+ if (sessionContext != null) {
+ sessionContext.setSessionCacheSize(sessionCacheSize);
+ sessionContext.setSessionTimeout(sessionCacheTimeout);
+ }
+
// create proxy
sslProxy = context.getServerSocketFactory();
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=723404&r1=723403&r2=723404&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Dec 4 11:31:34 2008
@@ -103,20 +103,14 @@
the container during FORM or CLIENT-CERT authentication. For both types
of authentication, the POST will be saved/buffered before the user is
authenticated. For CLIENT-CERT authentication, the POST is buffered for
- the duration of
- the SSL handshake and the buffer emptied when the request
- is processed. For FORM authentication the POST is
- saved whilst the user
+ the duration of the SSL handshake and the buffer emptied when the request
+ is processed. For FORM authentication the POST is saved whilst the user
is re-directed to the login form and is retained until the user
successfully authenticates or the session associated with the
authentication request expires. The limit can be disabled by setting this
- attribute to -1. Setting the attribute to
- zero will disable the saving of
- POST data during authentication
-. If not
- specified, this attribute is set
- to
- 4096 (4 kilobytes).</p>
+ attribute to -1. Setting the attribute to zero will disable the saving of
+ POST data during authentication. If not specified, this attribute is set
+ to 4096 (4 kilobytes).</p>
</attribute>
<attribute name="protocol" required="false">
@@ -748,6 +742,18 @@
</p>
</attribute>
+ <attribute name="sessionCacheSize" required="false">
+ <p>The number of SSL sessions to maintain in the session cache. Use 0 to
+ specify an unlimited cache size. If not specified, a default of 0 is
+ used.</p>
+ </attribute>
+
+ <attribute name="sessionTimeout" required="false">
+ <p>The time, in seconds, after the creation of an SSL session that it will
+ timeout. Use 0 to specify an unlimited timeout. If not specified, a
+ default of 86400 (24 hours) is used.</p>
+ </attribute>
+
</attributes>
<p>For more information, see the
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org