Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/04/14 13:07:38 UTC
svn commit: r1673407 - in /tomcat/trunk/java/org/apache: coyote/http11/
tomcat/util/net/
Author: markt
Date: Tue Apr 14 11:07:38 2015
New Revision: 1673407
URL: http://svn.apache.org/r1673407
Log:
Remove getCiphersUsed from endpoint since it will now vary by SSL host
config
Create a Map (currently only populated with a single default) for SNI
host names to SSLContexts.
Added:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (with props)
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1673407&r1=1673406&r2=1673407&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Tue Apr 14 11:07:38 2015
@@ -52,7 +52,6 @@ public abstract class AbstractHttp11Jsse
public String getCiphers() { return getEndpoint().getCiphers();}
public void setCiphers(String s) { getEndpoint().setCiphers(s);}
- public String[] getCiphersUsed() { return getEndpoint().getCiphersUsed();}
public String getKeyAlias() { return getEndpoint().getKeyAlias();}
public void setKeyAlias(String s ) { getEndpoint().setKeyAlias(s);}
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1673407&r1=1673406&r2=1673407&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Apr 14 11:07:38 2015
@@ -92,7 +92,6 @@ public class Http11AprProtocol extends A
*/
public String getSSLCipherSuite() { return ((AprEndpoint)getEndpoint()).getSSLCipherSuite(); }
public void setSSLCipherSuite(String SSLCipherSuite) { ((AprEndpoint)getEndpoint()).setSSLCipherSuite(SSLCipherSuite); }
- public String[] getCiphersUsed() { return getEndpoint().getCiphersUsed();}
/**
* SSL honor cipher order.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1673407&r1=1673406&r2=1673407&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Tue Apr 14 11:07:38 2015
@@ -963,10 +963,6 @@ public abstract class AbstractEndpoint<S
public void setCiphers(String s) {
ciphers = s;
}
- /**
- * @return The ciphers in use by this Endpoint
- */
- public abstract String[] getCiphersUsed();
private String useServerCipherSuitesOrder = "false";
public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1673407&r1=1673406&r2=1673407&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Tue Apr 14 11:07:38 2015
@@ -16,6 +16,9 @@
*/
package org.apache.tomcat.util.net;
+import java.util.HashMap;
+import java.util.Map;
+
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@@ -28,29 +31,20 @@ import org.apache.tomcat.util.net.jsse.N
public abstract class AbstractJsseEndpoint<S> extends AbstractEndpoint<S> {
private SSLImplementation sslImplementation = null;
+ private Map<String,SSLContextWrapper> sslContexts = new HashMap<>();
+
public SSLImplementation getSslImplementation() {
return sslImplementation;
}
- private String[] enabledCiphers;
- @Override
- public String[] getCiphersUsed() {
- return enabledCiphers;
- }
-
- private String[] enabledProtocols;
-
- private SSLContext sslContext = null;
- public SSLContext getSSLContext() { return sslContext;}
- public void setSSLContext(SSLContext c) { sslContext = c;}
-
protected void initialiseSsl() throws Exception {
if (isSSLEnabled()) {
sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
- SSLUtil sslUtil = sslImplementation.getSSLUtil(this);
- sslContext = sslUtil.createSSLContext();
+ // TODO: Create multiple SSLContexts based on SSLHostConfig(s)
+ SSLUtil sslUtil = sslImplementation.getSSLUtil(this);
+ SSLContext sslContext = sslUtil.createSSLContext();
sslContext.init(wrap(sslUtil.getKeyManagers()),
sslUtil.getTrustManagers(), null);
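Review bot: The new `sslContexts` field declared on the `private Map<String,SSLContextWrapper> sslContexts = new HashMap<>();` line is written in initialiseSsl(), cleared in unbind() and read by createSSLEngine(), and nothing in the hunk orders those accesses; if bind/unbind and connection handling run on different threads, as the endpoint lifecycle suggests but this hunk does not show, a plain HashMap gives a reader no guarantee of seeing the populated map or a consistent view during clear(). Declaring it `private final Map<String,SSLContextWrapper> sslContexts = new ConcurrentHashMap<>();` costs nothing here, prevents accidental reassignment and makes the lifecycle writes safely visible. The hunk also drops the public `getSSLContext()`/`setSSLContext(SSLContext)` pair; any caller outside the files in this commit that used them will no longer compile, which is worth confirming since the commit message only mentions getCiphersUsed. initialiseSsl() continues past the end of this hunk.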
@@ -59,15 +53,16 @@ public abstract class AbstractJsseEndpoi
if (sessionContext != null) {
sslUtil.configureSessionContext(sessionContext);
}
- // Determine which cipher suites and protocols to enable
- enabledCiphers = sslUtil.getEnableableCiphers(sslContext);
- enabledProtocols = sslUtil.getEnableableProtocols(sslContext);
+ SSLContextWrapper sslContextWrapper = new SSLContextWrapper(sslContext, sslUtil);
+ sslContexts.put(SSLHostConfig.DEFAULT_SSL_HOST_NAME, sslContextWrapper);
}
}
protected SSLEngine createSSLEngine(String sniHostName) {
- SSLEngine engine = sslContext.createSSLEngine();
+ SSLContextWrapper sslContextWrapper = getSSLContextWrapper(sniHostName);
+
+ SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
if ("false".equals(getClientAuth())) {
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
@@ -77,8 +72,8 @@ public abstract class AbstractJsseEndpoi
engine.setWantClientAuth(true);
}
engine.setUseClientMode(false);
- engine.setEnabledCipherSuites(enabledCiphers);
- engine.setEnabledProtocols(enabledProtocols);
+ engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
+ engine.setEnabledProtocols(sslContextWrapper.getEnabledProtocols());
configureUseServerCipherSuitesOrder(engine);
@@ -89,7 +84,7 @@ public abstract class AbstractJsseEndpoi
@Override
public void unbind() throws Exception {
- sslContext = null;
+ sslContexts.clear();
}
@@ -123,4 +118,46 @@ public abstract class AbstractJsseEndpoi
}
return result;
}
+
+
+ private SSLContextWrapper getSSLContextWrapper(String sniHostName) {
+ // First choice - direct match
+ SSLContextWrapper result = sslContexts.get(sniHostName);
+ if (result != null) {
+ return result;
+ }
+ // Second choice, wildcard match
+ int indexOfDot = sniHostName.indexOf('.');
+ if (indexOfDot > -1) {
+ result = sslContexts.get("*" + sniHostName.substring(indexOfDot));
+ }
+ // Fall-back. Use the default
+ if (result == null) {
+ result = sslContexts.get(SSLHostConfig.DEFAULT_SSL_HOST_NAME);
+ }
+ if (result == null) {
+ // Should never happen.
+ throw new IllegalStateException();
+ }
+ return result;
+ }
+
+
+ private static class SSLContextWrapper {
+
+ private final SSLContext sslContext;
+ private final String[] enabledCiphers;
+ private final String[] enabledProtocols;
+
+ public SSLContextWrapper(SSLContext sslContext, SSLUtil sslUtil) {
+ this.sslContext = sslContext;
+ // Determine which cipher suites and protocols to enable
+ enabledCiphers = sslUtil.getEnableableCiphers(sslContext);
+ enabledProtocols = sslUtil.getEnableableProtocols(sslContext);
+ }
+
+ public SSLContext getSSLContext() { return sslContext;}
+ public String[] getEnabledCiphers() { return enabledCiphers; }
+ public String[] getEnabledProtocols() { return enabledProtocols; }
+ }
}
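Review bot: getSSLContextWrapper dereferences `sniHostName` on the `int indexOfDot = sniHostName.indexOf('.');` line, so a connection that carries no SNI extension throws NullPointerException instead of reaching the default context if the caller passes null in that case (the first step, HashMap.get(null), is already null-safe); `int indexOfDot = sniHostName == null ? -1 : sniHostName.indexOf('.');` keeps the fall-back reachable. Host names are case-insensitive while the HashMap lookup is not, so unless the caller folds case before calling, an SNI value such as `Example.COM` silently receives the default context rather than its own; normalising both the stored keys and the lookup with `toLowerCase(Locale.ENGLISH)` would close that gap. The `throw new IllegalStateException();` carries no message, so the failure mode it guards (e.g. createSSLEngine() after unbind() has cleared the map) is invisible in logs; `throw new IllegalStateException("No SSLContext for SNI host name [" + sniHostName + "] and no default context configured");` would say what state was violated.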
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1673407&r1=1673406&r2=1673407&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Apr 14 11:07:38 2015
@@ -353,14 +353,6 @@ public class AprEndpoint extends Abstrac
}
- @Override
- public String[] getCiphersUsed() {
- // TODO : Investigate if it is possible to extract the current list of
- // available ciphers. Native code changes will be required.
- return new String[] { getSSLCipherSuite() };
- }
-
-
/**
* This endpoint does not support <code>-1</code> for unlimited connections,
* nor does it support setting this attribute while the endpoint is running.
Added: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1673407&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (added)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Apr 14 11:07:38 2015
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+public class SSLHostConfig {
+
+ static final String DEFAULT_SSL_HOST_NAME = "*DEFAULT*";
+}
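Review bot: `DEFAULT_SSL_HOST_NAME` is the only member of the new class and has no Javadoc, although its value `*DEFAULT*` is a deliberate sentinel whose shape matters to the lookup in AbstractJsseEndpoint. A comment on the constant should record the intent, e.g. `/** Map key of the fall-back SSLContext. Starts with '*' and contains no '.' so it can never collide with a real host name or with a "*.example" wildcard key. */`, and the class itself deserves a one-line Javadoc saying it will hold the per-SNI-host SSL configuration once populated.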
Propchange: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
------------------------------------------------------------------------------
svn:eol-style = native