Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/11/04 14:45:40 UTC

[tomcat] branch 8.5.x updated (c5e531a -> 0a986a1)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from c5e531a  Remove unused code
     new 31f324a  Refactor to align better with 9.0.x
     new f7c8b94  Refactor to (slightly) reduce native calls when using OpenSSL
     new 0a986a1  OpenSSLEngine to differentiate between optional and optionalNoCA

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/tomcat/util/compat/Jre8Compat.java |  5 +---
 java/org/apache/tomcat/util/compat/JreCompat.java  |  2 +-
 .../tomcat/util/net/AbstractJsseEndpoint.java      | 35 +++++++++++-----------
 .../tomcat/util/net/openssl/OpenSSLContext.java    |  5 +++-
 .../tomcat/util/net/openssl/OpenSSLEngine.java     | 18 ++++++++---
 webapps/docs/changelog.xml                         |  6 ++++
 6 files changed, 43 insertions(+), 28 deletions(-)




[tomcat] 02/03: Refactor to (slightly) reduce native calls when using OpenSSL

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit f7c8b948998107c47621655f83029ccb292df5f1
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 4 14:22:27 2019 +0000

    Refactor to (slightly) reduce native calls when using OpenSSL
---
 .../tomcat/util/net/AbstractJsseEndpoint.java      | 28 +++++++++++-----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 984b493..76f1cb0 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -118,19 +118,6 @@ public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
         }
 
         SSLEngine engine = sslContext.createSSLEngine();
-        switch (sslHostConfig.getCertificateVerification()) {
-        case NONE:
-            engine.setNeedClientAuth(false);
-            engine.setWantClientAuth(false);
-            break;
-        case OPTIONAL:
-        case OPTIONAL_NO_CA:
-            engine.setWantClientAuth(true);
-            break;
-        case REQUIRED:
-            engine.setNeedClientAuth(true);
-            break;
-        }
         engine.setUseClientMode(false);
         engine.setEnabledCipherSuites(sslHostConfig.getEnabledCiphers());
         engine.setEnabledProtocols(sslHostConfig.getEnabledProtocols());
@@ -157,7 +144,20 @@ public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
                 JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
             }
         }
-        // In case the getter returns a defensive copy
+        switch (sslHostConfig.getCertificateVerification()) {
+        case NONE:
+            sslParameters.setNeedClientAuth(false);
+            sslParameters.setWantClientAuth(false);
+            break;
+        case OPTIONAL:
+        case OPTIONAL_NO_CA:
+            sslParameters.setWantClientAuth(true);
+            break;
+        case REQUIRED:
+            sslParameters.setNeedClientAuth(true);
+            break;
+        }
+        // The getter (at least in OpenJDK and derivatives) returns a defensive copy
         engine.setSSLParameters(sslParameters);
 
         return engine;
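Review bot: The switch over `sslHostConfig.getCertificateVerification()` has no `default`, so a future enum value would leave client authentication at whatever `engine.getSSLParameters()` handed back instead of failing; for a setting that gates client-certificate verification, fail-closed is the safer shape, e.g. `default: throw new IllegalStateException("Unexpected CertificateVerification: " + sslHostConfig.getCertificateVerification());`. The REQUIRED and OPTIONAL cases each set only one flag; per the SSLParameters Javadoc setting one of need/want to true clears the other, which is worth a one-line comment such as `// setNeedClientAuth(true) also clears wantClientAuth (SSLParameters contract)` so nobody "fixes" it later. The enclosing method starts before this hunk.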




[tomcat] 03/03: OpenSSLEngine to differentiate between optional and optionalNoCA

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 0a986a161726dcbef236cd2f8cbc3ba804275b54
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 4 14:26:43 2019 +0000

    OpenSSLEngine to differentiate between optional and optionalNoCA
    
    Patch by remm
---
 .../apache/tomcat/util/net/openssl/OpenSSLContext.java |  5 ++++-
 .../apache/tomcat/util/net/openssl/OpenSSLEngine.java  | 18 ++++++++++++++----
 webapps/docs/changelog.xml                             |  6 ++++++
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 5cf17be..19bc06b 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -49,6 +49,7 @@ import org.apache.tomcat.util.codec.binary.Base64;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.apache.tomcat.util.res.StringManager;
@@ -498,7 +499,9 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
     @Override
     public SSLEngine createSSLEngine() {
         return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
-                (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized);
+                (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized,
+                sslHostConfig.getCertificateVerificationDepth(),
+                sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA);
     }
 
     @Override
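Review bot: Only the NO_CA distinction and the depth are passed to the engine here; the verification mode itself (none/optional/required) is not, so it presumably still reaches OpenSSLEngine through setWantClientAuth/setNeedClientAuth from the endpoint. A comment would save the next reader the search: `// mode (none/optional/required) arrives later via setNeed/WantClientAuth; only what the SSLEngine API cannot express is passed here`. `sslHostConfig` is read from a field on every call; whether it is guaranteed non-null by the time createSSLEngine() runs is not visible in this hunk.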
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 7ae6fe8..ede30a8 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -165,6 +165,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
     private final OpenSSLSessionContext sessionContext;
     private final boolean alpn;
     private final boolean initialized;
+    private final int certificateVerificationDepth;
+    private final boolean certificateVerificationOptionalNoCA;
 
     private String selectedProtocol = null;
 
@@ -183,10 +185,14 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
      * otherwise
      * @param initialized {@code true} if this instance gets its protocol,
      * cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
+     * @param certificateVerificationDepth Certificate verification depth
+     * @param certificateVerificationOptionalNoCA Skip CA verification in
+     *   optional mode
      */
     OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
             boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn,
-            boolean initialized) {
+            boolean initialized, int certificateVerificationDepth,
+            boolean certificateVerificationOptionalNoCA) {
         if (sslCtx == 0) {
             throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
         }
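Review bot: The Javadoc for `certificateVerificationOptionalNoCA` ("Skip CA verification in optional mode") understates the security consequence: if the flag selects SSL_CVERIFY_OPTIONAL_NO_CA as the later hunk indicates, a client certificate that fails chain validation is still accepted into the handshake, and whoever consumes the peer certificate must validate it itself. Suggest `@param certificateVerificationOptionalNoCA in optional mode, request a client certificate but do not abort the handshake when it cannot be verified against the configured CAs; the application must then validate the peer certificate itself`. For the depth, `@param certificateVerificationDepth maximum certificate chain depth handed to SSL.setVerify` says what the value is actually used for.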
@@ -200,6 +206,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
         this.sessionContext = sessionContext;
         this.alpn = alpn;
         this.initialized = initialized;
+        this.certificateVerificationDepth = certificateVerificationDepth;
+        this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
     }
 
     @Override
@@ -1092,13 +1100,15 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
             }
             switch (mode) {
                 case NONE:
-                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
+                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, certificateVerificationDepth);
                     break;
                 case REQUIRE:
-                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, VERIFY_DEPTH);
+                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, certificateVerificationDepth);
                     break;
                 case OPTIONAL:
-                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, VERIFY_DEPTH);
+                    SSL.setVerify(ssl,
+                            certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL,
+                            certificateVerificationDepth);
                     break;
             }
             clientAuth = mode;
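Review bot: `certificateVerificationDepth` replaces the `VERIFY_DEPTH` constant with a value that now comes straight from configuration, and neither the constructor nor this switch rejects zero or a negative number; what the native `SSL.setVerify` does with such a depth is not visible here, so either confirm tomcat-native guards it or reject it at construction (`if (certificateVerificationDepth < 0) throw new IllegalArgumentException(...)` next to the existing `sslCtx == 0` check). In the OPTIONAL case the weaker NO_CA mode is chosen silently from a flag fixed at construction; a comment at the call site, `// NO_CA: certificate requested, but a failed chain validation does not abort the handshake`, keeps the downgrade visible to whoever reads this switch. The enclosing method starts before this hunk.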
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ec97e0b..91cc103 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -98,6 +98,12 @@
         and pass through <code>None</code> value if set by user. Patch provided
         by John Kelly. (markt)
       </fix>
+      <fix>
+        <bug>63894</bug>: Ensure that the configured values for
+        <code>certificateVerification</code> and
+        <code>certificateVerificationDepth</code> are correctly based to the
+        OpenSSL based SSLEngine implementation. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">




[tomcat] 01/03: Refactor to align better with 9.0.x

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 31f324ae82bd25158b884c3c2a8e9e1de95dbdd4
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 4 14:43:15 2019 +0000

    Refactor to align better with 9.0.x
---
 java/org/apache/tomcat/util/compat/Jre8Compat.java        | 5 +----
 java/org/apache/tomcat/util/compat/JreCompat.java         | 2 +-
 java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 ++++-----
 3 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/tomcat/util/compat/Jre8Compat.java b/java/org/apache/tomcat/util/compat/Jre8Compat.java
index e76ac35..dfc2c87 100644
--- a/java/org/apache/tomcat/util/compat/Jre8Compat.java
+++ b/java/org/apache/tomcat/util/compat/Jre8Compat.java
@@ -24,7 +24,6 @@ import java.security.KeyStore.LoadStoreParameter;
 import java.util.Collections;
 import java.util.Map;
 
-import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 
 import org.apache.juli.logging.Log;
@@ -81,13 +80,11 @@ class Jre8Compat extends JreCompat {
 
 
     @Override
-    public void setUseServerCipherSuitesOrder(SSLEngine engine,
+    public void setUseServerCipherSuitesOrder(SSLParameters sslParameters,
             boolean useCipherSuitesOrder) {
-        SSLParameters sslParameters = engine.getSSLParameters();
         try {
             setUseCipherSuitesOrderMethod.invoke(sslParameters,
                     Boolean.valueOf(useCipherSuitesOrder));
-            engine.setSSLParameters(sslParameters);
         } catch (IllegalArgumentException e) {
             throw new UnsupportedOperationException(e);
         } catch (IllegalAccessException e) {
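Review bot: After this change the method only mutates the supplied `SSLParameters` and no longer applies them, so a caller that omits `engine.setSSLParameters(...)` silently loses the server cipher-order preference, a cipher-selection downgrade that nothing would flag at runtime. The new contract belongs in the method's Javadoc (not visible in this hunk): `Sets the server cipher-suite order preference on {@code sslParameters}; the caller is responsible for applying the parameters to the engine.` The enclosing method continues past this hunk.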
diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java b/java/org/apache/tomcat/util/compat/JreCompat.java
index 4deb72c..814dfae 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -81,7 +81,7 @@ public class JreCompat {
 
 
     @SuppressWarnings("unused")
-    public void setUseServerCipherSuitesOrder(SSLEngine engine, boolean useCipherSuitesOrder) {
+    public void setUseServerCipherSuitesOrder(SSLParameters engine, boolean useCipherSuitesOrder) {
         throw new UnsupportedOperationException(sm.getString("jreCompat.noServerCipherSuiteOrder"));
     }
 
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 5f95cfa..984b493 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -135,16 +135,16 @@ public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
         engine.setEnabledCipherSuites(sslHostConfig.getEnabledCiphers());
         engine.setEnabledProtocols(sslHostConfig.getEnabledProtocols());
 
+        SSLParameters sslParameters = engine.getSSLParameters();
         String honorCipherOrderStr = sslHostConfig.getHonorCipherOrder();
         if (honorCipherOrderStr != null) {
             boolean honorCipherOrder = Boolean.parseBoolean(honorCipherOrderStr);
-            JreCompat.getInstance().setUseServerCipherSuitesOrder(engine, honorCipherOrder);
+            JreCompat.getInstance().setUseServerCipherSuitesOrder(sslParameters, honorCipherOrder);
         }
 
         if (JreCompat.isJre9Available() && clientRequestedApplicationProtocols != null
                 && clientRequestedApplicationProtocols.size() > 0
                 && negotiableProtocols.size() > 0) {
-            SSLParameters sslParameters = engine.getSSLParameters();
             // Only try to negotiate if both client and server have at least
             // one protocol in common
             // Note: Tomcat does not explicitly negotiate http/1.1
@@ -156,10 +156,9 @@ public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
                 String[] commonProtocolsArray = commonProtocols.toArray(new String[commonProtocols.size()]);
                 JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
             }
-
-            // In case the getter returns a defensive copy
-            engine.setSSLParameters(sslParameters);
         }
+        // In case the getter returns a defensive copy
+        engine.setSSLParameters(sslParameters);
 
         return engine;
     }

