Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/06/18 19:35:18 UTC
svn commit: r1833757 - in /tomcat/trunk:
java/org/apache/tomcat/websocket/WsWebSocketContainer.java
webapps/docs/changelog.xml webapps/docs/web-socket-howto.xml
Author: markt
Date: Mon Jun 18 19:35:18 2018
New Revision: 1833757
URL: http://svn.apache.org/viewvc?rev=1833757&view=rev
Log:
Enable host name verification for secure WebSocket client connections by
default.
Modified:
tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/web-socket-howto.xml
Modified: tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java?rev=1833757&r1=1833756&r2=1833757&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/websocket/WsWebSocketContainer.java Mon Jun 18 19:35:18 2018
@@ -52,6 +52,7 @@ import java.util.concurrent.TimeoutExcep
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.websocket.ClientEndpoint;
import javax.websocket.ClientEndpointConfig;
@@ -328,7 +329,7 @@ public class WsWebSocketContainer implem
// Regardless of whether a non-secure wrapper was created for a
// proxy CONNECT, need to use TLS from this point on so wrap the
// original AsynchronousSocketChannel
- SSLEngine sslEngine = createSSLEngine(userProperties);
+ SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
} else if (channel == null) {
// Only need to wrap as this point if it wasn't wrapped to process a
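Review bot: The `host` handed to `createSSLEngine(userProperties, host, port)` becomes the name the new endpoint identification matches against the server certificate, so it has to be the WebSocket endpoint's host rather than that of any intermediate proxy; the preceding comment mentions a proxy CONNECT wrapper, and whether `host` is the origin host at this point cannot be confirmed from the hunk. A comment at the call site would pin that contract for future edits, e.g. `// host/port must identify the target endpoint, not the proxy: they seed SNI and certificate host name matching`. The enclosing method starts and ends outside the hunk.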
@@ -866,7 +867,7 @@ public class WsWebSocketContainer implem
}
- private SSLEngine createSSLEngine(Map<String,Object> userProperties)
+ private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
throws DeploymentException {
try {
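Review bot: The widened signature `createSSLEngine(Map<String,Object> userProperties, String host, int port)` gains two security-relevant parameters without a Javadoc saying what they are used for. Suggested header: `@param host non-authoritative peer host name; passed to the engine for SNI and matched against the server certificate via endpoint identification`, `@param port peer port hint passed to the engine`, plus `@throws DeploymentException if the engine cannot be built` (the method already declares it). The method body continues past the hunk.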
@@ -904,7 +905,7 @@ public class WsWebSocketContainer implem
}
}
- SSLEngine engine = sslContext.createSSLEngine();
+ SSLEngine engine = sslContext.createSSLEngine(host, port);
String sslProtocolsValue =
(String) userProperties.get(Constants.SSL_PROTOCOLS_PROPERTY);
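Review bot: `sslContext.createSSLEngine(host, port)` accepts a null `host` without complaint, but the identity check enabled later in this method would then fail at handshake time with a certificate error that does not mention the missing name; whether `host` can be null here is not visible in the hunk. If it can, `Objects.requireNonNull(host, "host");` at the top of the try block turns it into a clear `DeploymentException` through the existing catch, and a one-line comment such as `// peer host/port hint: drives SNI and the certificate host name check` would explain why the two-argument overload is now required. The enclosing method starts and ends outside the hunk.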
@@ -914,6 +915,14 @@ public class WsWebSocketContainer implem
engine.setUseClientMode(true);
+ // Enable host verification
+ // Start with current settings (returns a copy)
+ SSLParameters sslParams = engine.getSSLParameters();
+ // Use HTTPS since WebSocket starts over HTTP(S)
+ sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+ // Write the parameters back
+ engine.setSSLParameters(sslParams);
+
return engine;
} catch (Exception e) {
throw new DeploymentException(sm.getString(
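Review bot: The comment `// Enable host verification` above `sslParams.setEndpointIdentificationAlgorithm("HTTPS")` understates what the line changes: without it the JDK validates the certificate chain but never checks that the certificate belongs to `host`, which is the check that defeats an attacker presenting any trusted certificate. Suggest `// "HTTPS" selects RFC 2818 host name matching against the server certificate; chain validation alone does not tie the certificate to host`. It is also worth stating in a comment that the setting is applied even when the user supplies SSL_CONTEXT, and that a custom trust manager that ignores the identification algorithm is the only bypass (the howto change in this commit documents that path). The `getSSLParameters()` copy should carry over the enabled protocols configured from `Constants.SSL_PROTOCOLS_PROPERTY` just above, but that code is elided from the hunk, so confirm nothing sets protocols after the write-back.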
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1833757&r1=1833756&r2=1833757&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Jun 18 19:35:18 2018
@@ -277,6 +277,10 @@
Improve the handling of exceptions during TLS handshakes for the
WebSocket client. (markt)
</fix>
+ <fix>
+ Enable host name verification when using TLS with the WebSocket client.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Web applications">
Modified: tomcat/trunk/webapps/docs/web-socket-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/web-socket-howto.xml?rev=1833757&r1=1833756&r2=1833757&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/web-socket-howto.xml (original)
+++ tomcat/trunk/webapps/docs/web-socket-howto.xml Mon Jun 18 19:35:18 2018
@@ -110,10 +110,21 @@
<li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
</ul>
<p>The default truststore password is <code>changeit</code>.</p>
- <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
- set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
- <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
- will be ignored.</p>
+
+<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+ set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+ <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+ will be ignored.</p>
+
+<p>For secure server end points, host name verification is enabled by default.
+ To bypass this verification (not recommended), it is necessary to provide a
+ custom <code>SSLContext</code> via the
+ <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
+ custom <code>SSLContext</code> must be configured with a custom
+ <code>TrustManager</code> that extends
+ <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
+ (or lack of verification) can then be controlled by appropriate
+ implementations of the individual abstract methods.</p>
<p>When using the WebSocket client to connect to server endpoints, the number of
HTTP redirects that the client will follow is controlled by the