Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/04/14 13:07:42 UTC

svn commit: r1673408 - in /tomcat/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ test/org/apache/tomcat/util/net/jsse/

Author: markt
Date: Tue Apr 14 11:07:41 2015
New Revision: 1673408

URL: http://svn.apache.org/r1673408
Log:
Move SSLProtocols config to common property for JSSE and
APR/native

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
    tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Tue Apr 14 11:07:41 2015
@@ -37,6 +37,7 @@ import org.apache.coyote.http11.upgrade.
 import org.apache.coyote.http11.upgrade.UpgradeProcessorExternal;
 import org.apache.coyote.http11.upgrade.UpgradeProcessorInternal;
 import org.apache.tomcat.util.net.AbstractEndpoint;
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SocketWrapperBase;
 
 public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> {
@@ -323,6 +324,29 @@ public abstract class AbstractHttp11Prot
     }
 
 
+    // ----------------------------------------------- HTTPS specific properties
+    // -------------------------------------------- Handled via an SSLHostConfig
+
+    private SSLHostConfig defaultSSLHostConfig = null;
+    private void registerDefaultSSLHostConfig() {
+        if (defaultSSLHostConfig == null) {
+            defaultSSLHostConfig = new SSLHostConfig();
+            defaultSSLHostConfig.setHostName(SSLHostConfig.DEFAULT_SSL_HOST_NAME);
+            getEndpoint().addHostConfig(defaultSSLHostConfig);
+        }
+    }
+
+
+    public void setSslEnabledProtocols(String enabledProtocols) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setProtocols(enabledProtocols);
+    }
+    public void setSSLProtocol(String sslProtocol) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setProtocols(sslProtocol);
+    }
+
+
     // ------------------------------------------------------------- Common code
 
     // Common configuration required for all new HTTP11 processors
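Review bot: Both `setSslEnabledProtocols` and `setSSLProtocol` forward to the same `defaultSSLHostConfig.setProtocols(...)`, and from the SSLHostConfig hunk that method appends to a set rather than replacing it, so a connector that carries both attributes ends up with the union of the two values and neither attribute can be said to win. Neither setter has a matching getter, so the effective protocol list cannot be read back through introspection or JMX once it has been folded into the SSLHostConfig; a getter along the lines of `public String getSslEnabledProtocols() { return defaultSSLHostConfig == null ? null : String.join("+", defaultSSLHostConfig.getSslProtocols()); }` would restore that. `registerDefaultSSLHostConfig` is a check-then-create on a plain field with no synchronization; that is fine if, as appears to be the case, connector attributes are only ever set from the single configuration thread, but a one-line comment saying so would stop a future reader from treating it as thread-safe.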

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Apr 14 11:07:41 2015
@@ -70,14 +70,8 @@ public class Http11AprProtocol extends A
     public boolean getDeferAccept() { return ((AprEndpoint)getEndpoint()).getDeferAccept(); }
     public void setDeferAccept(boolean deferAccept) { ((AprEndpoint)getEndpoint()).setDeferAccept(deferAccept); }
 
-    // --------------------  SSL related properties --------------------
-
-    /**
-     * SSL protocol.
-     */
-    public String getSSLProtocol() { return ((AprEndpoint)getEndpoint()).getSSLProtocol(); }
-    public void setSSLProtocol(String SSLProtocol) { ((AprEndpoint)getEndpoint()).setSSLProtocol(SSLProtocol); }
 
+    // --------------------  SSL related properties --------------------
 
     /**
      * SSL password (if a cert is encrypted, and no password has been provided, a callback

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Tue Apr 14 11:07:41 2015
@@ -25,6 +25,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.StringTokenizer;
 import java.util.concurrent.ConcurrentHashMap;
@@ -214,6 +215,21 @@ public abstract class AbstractEndpoint<S
 
     // ----------------------------------------------------------------- Properties
 
+    protected Map<String,SSLHostConfig> sslHostConfigs = new ConcurrentHashMap<>();
+    public void addHostConfig(SSLHostConfig sslHostConfig) {
+        String key = sslHostConfig.getHostName();
+        if (key == null || key.length() == 0) {
+            // TODO i18n
+            throw new IllegalArgumentException();
+        }
+        SSLHostConfig duplicate = sslHostConfigs.put(key, sslHostConfig);
+        if (duplicate != null) {
+            // TODO i18n
+            throw new IllegalArgumentException();
+        }
+    }
+
+
     /**
      * Has the user requested that send file be used where possible?
      */
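Review bot: `sslHostConfigs.put(key, sslHostConfig)` on the duplicate path replaces the already-registered config before the exception is thrown, so a rejected duplicate still ends up as the active entry in the map. `putIfAbsent` rejects without mutating: `SSLHostConfig duplicate = sslHostConfigs.putIfAbsent(key, sslHostConfig);`. Both `IllegalArgumentException`s are thrown without a message; until the i18n strings exist, including the offending key, e.g. `throw new IllegalArgumentException("duplicate SSLHostConfig hostName: " + key);`, is what makes a misconfigured server.xml diagnosable from the startup log. The map is `protected` and mutable, but the AbstractJsseEndpoint and AprEndpoint hunks only iterate it, so it could be kept private with a read-only accessor.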
@@ -226,8 +242,6 @@ public abstract class AbstractEndpoint<S
     }
 
 
-
-
     /**
      * Time to wait for the internal executor (if used) to terminate when the
      * endpoint is stopped in milliseconds. Defaults to 5000 (5 seconds).

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Tue Apr 14 11:07:41 2015
@@ -42,19 +42,20 @@ public abstract class AbstractJsseEndpoi
         if (isSSLEnabled()) {
             sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
 
-            // TODO: Create multiple SSLContexts based on SSLHostConfig(s)
-            SSLUtil sslUtil = sslImplementation.getSSLUtil(this);
-            SSLContext sslContext = sslUtil.createSSLContext();
-            sslContext.init(wrap(sslUtil.getKeyManagers()),
-                    sslUtil.getTrustManagers(), null);
+            for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
+                SSLUtil sslUtil = sslImplementation.getSSLUtil(this, sslHostConfig);
+                SSLContext sslContext = sslUtil.createSSLContext();
+                sslContext.init(wrap(sslUtil.getKeyManagers()),
+                        sslUtil.getTrustManagers(), null);
 
-            SSLSessionContext sessionContext =
-                sslContext.getServerSessionContext();
-            if (sessionContext != null) {
-                sslUtil.configureSessionContext(sessionContext);
+                SSLSessionContext sessionContext =
+                    sslContext.getServerSessionContext();
+                if (sessionContext != null) {
+                    sslUtil.configureSessionContext(sessionContext);
+                }
+                SSLContextWrapper sslContextWrapper = new SSLContextWrapper(sslContext, sslUtil);
+                sslContexts.put(sslHostConfig.getHostName(), sslContextWrapper);
             }
-            SSLContextWrapper sslContextWrapper = new SSLContextWrapper(sslContext, sslUtil);
-            sslContexts.put(SSLHostConfig.DEFAULT_SSL_HOST_NAME, sslContextWrapper);
         }
     }
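Review bot: When no SSLHostConfig has been registered, the new loop over `sslHostConfigs.values()` creates no SSLContext at all, whereas the removed code always built one under `SSLHostConfig.DEFAULT_SSL_HOST_NAME`; from the AbstractHttp11Protocol hunk the default config is only registered once one of the protocol setters is called, so an SSL-enabled connector without an `sslEnabledProtocols`/`SSLProtocol` attribute appears to start with an empty `sslContexts` map and would fail on the first handshake rather than at startup. Consider failing fast, `if (sslHostConfigs.isEmpty()) { throw new IllegalStateException("no SSLHostConfig registered"); }`, or registering the default config here when the map is empty. The same gap exists in the AprEndpoint hunk, where the whole loop body is skipped, so the `SSLCertificateFile == null` check that used to run unconditionally no longer runs either. The enclosing method starts before the hunk.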
 

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Apr 14 11:07:41 2015
@@ -199,14 +199,6 @@ public class AprEndpoint extends Abstrac
 
 
     /**
-     * SSL protocols.
-     */
-    protected String SSLProtocol = "all";
-    public String getSSLProtocol() { return SSLProtocol; }
-    public void setSSLProtocol(String SSLProtocol) { this.SSLProtocol = SSLProtocol; }
-
-
-    /**
      * SSL password (if a cert is encrypted, and no password has been provided, a callback
      * will ask for a password).
      */
@@ -486,151 +478,159 @@ public class AprEndpoint extends Abstrac
         // Initialize SSL if needed
         if (isSSLEnabled()) {
 
-            if (SSLCertificateFile == null) {
-                // This is required
-                throw new Exception(sm.getString("endpoint.apr.noSslCertFile"));
-            }
+            for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
 
-            // SSL protocol
-            int value = SSL.SSL_PROTOCOL_NONE;
-            if (SSLProtocol == null || SSLProtocol.length() == 0) {
-                value = SSL.SSL_PROTOCOL_ALL;
-            } else {
-                for (String protocol : SSLProtocol.split("\\+")) {
-                    protocol = protocol.trim();
-                    if ("SSLv2".equalsIgnoreCase(protocol)) {
-                        value |= SSL.SSL_PROTOCOL_SSLV2;
-                    } else if ("SSLv3".equalsIgnoreCase(protocol)) {
-                        value |= SSL.SSL_PROTOCOL_SSLV3;
-                    } else if ("TLSv1".equalsIgnoreCase(protocol)) {
-                        value |= SSL.SSL_PROTOCOL_TLSV1;
-                    } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
-                        value |= SSL.SSL_PROTOCOL_TLSV1_1;
-                    } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
-                        value |= SSL.SSL_PROTOCOL_TLSV1_2;
-                    } else if ("all".equalsIgnoreCase(protocol)) {
-                        value |= SSL.SSL_PROTOCOL_ALL;
-                    } else {
-                        // Protocol not recognized, fail to start as it is safer than
-                        // continuing with the default which might enable more than the
-                        // is required
-                        throw new Exception(sm.getString(
-                                "endpoint.apr.invalidSslProtocol", SSLProtocol));
+                // TODO: No SNI support in APR/native so only process the
+                //       default host.
+                if (!SSLHostConfig.DEFAULT_SSL_HOST_NAME.equals(sslHostConfig.getHostName())) {
+                    continue;
+                }
+
+                if (SSLCertificateFile == null) {
+                    // This is required
+                    throw new Exception(sm.getString("endpoint.apr.noSslCertFile"));
+                }
+
+                // SSL protocol
+                int value = SSL.SSL_PROTOCOL_NONE;
+                if (sslHostConfig.getSslProtocols().size() == 0) {
+                    value = SSL.SSL_PROTOCOL_ALL;
+                } else {
+                    for (String protocol : sslHostConfig.getSslProtocols()) {
+                        if ("SSLv2".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_SSLV2;
+                        } else if ("SSLv3".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_SSLV3;
+                        } else if ("TLSv1".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_TLSV1;
+                        } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_TLSV1_1;
+                        } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_TLSV1_2;
+                        } else if ("all".equalsIgnoreCase(protocol)) {
+                            value |= SSL.SSL_PROTOCOL_ALL;
+                        } else {
+                            // Protocol not recognized, fail to start as it is safer than
+                            // continuing with the default which might enable more than the
+                            // is required
+                            throw new Exception(sm.getString(
+                                    "endpoint.apr.invalidSslProtocol", protocol));
+                        }
                     }
                 }
-            }
 
-            // Create SSL Context
-            try {
-                sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
-            } catch (Exception e) {
-                // If the sslEngine is disabled on the AprLifecycleListener
-                // there will be an Exception here but there is no way to check
-                // the AprLifecycleListener settings from here
-                throw new Exception(
-                        sm.getString("endpoint.apr.failSslContextMake"), e);
-            }
-
-            if (SSLInsecureRenegotiation) {
-                boolean legacyRenegSupported = false;
+                // Create SSL Context
                 try {
-                    legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-                    if (legacyRenegSupported)
-                        SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-                } catch (UnsatisfiedLinkError e) {
-                    // Ignore
-                }
-                if (!legacyRenegSupported) {
-                    // OpenSSL does not support unsafe legacy renegotiation.
-                    log.warn(sm.getString("endpoint.warn.noInsecureReneg",
-                                          SSL.versionString()));
+                    sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+                } catch (Exception e) {
+                    // If the sslEngine is disabled on the AprLifecycleListener
+                    // there will be an Exception here but there is no way to check
+                    // the AprLifecycleListener settings from here
+                    throw new Exception(
+                            sm.getString("endpoint.apr.failSslContextMake"), e);
+                }
+
+                if (SSLInsecureRenegotiation) {
+                    boolean legacyRenegSupported = false;
+                    try {
+                        legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+                        if (legacyRenegSupported)
+                            SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+                    } catch (UnsatisfiedLinkError e) {
+                        // Ignore
+                    }
+                    if (!legacyRenegSupported) {
+                        // OpenSSL does not support unsafe legacy renegotiation.
+                        log.warn(sm.getString("endpoint.warn.noInsecureReneg",
+                                              SSL.versionString()));
+                    }
                 }
-            }
 
-            // Set cipher order: client (default) or server
-            if (SSLHonorCipherOrder) {
-                boolean orderCiphersSupported = false;
-                try {
-                    orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
-                    if (orderCiphersSupported)
-                        SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
-                } catch (UnsatisfiedLinkError e) {
-                    // Ignore
-                }
-                if (!orderCiphersSupported) {
-                    // OpenSSL does not support ciphers ordering.
-                    log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
-                                          SSL.versionString()));
+                // Set cipher order: client (default) or server
+                if (SSLHonorCipherOrder) {
+                    boolean orderCiphersSupported = false;
+                    try {
+                        orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+                        if (orderCiphersSupported)
+                            SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+                    } catch (UnsatisfiedLinkError e) {
+                        // Ignore
+                    }
+                    if (!orderCiphersSupported) {
+                        // OpenSSL does not support ciphers ordering.
+                        log.warn(sm.getString("endpoint.warn.noHonorCipherOrder",
+                                              SSL.versionString()));
+                    }
                 }
-            }
 
-            // Disable compression if requested
-            if (SSLDisableCompression) {
-                boolean disableCompressionSupported = false;
-                try {
-                    disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
-                    if (disableCompressionSupported)
-                        SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);
-                } catch (UnsatisfiedLinkError e) {
-                    // Ignore
-                }
-                if (!disableCompressionSupported) {
-                    // OpenSSL does not support ciphers ordering.
-                    log.warn(sm.getString("endpoint.warn.noDisableCompression",
-                                          SSL.versionString()));
+                // Disable compression if requested
+                if (SSLDisableCompression) {
+                    boolean disableCompressionSupported = false;
+                    try {
+                        disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
+                        if (disableCompressionSupported)
+                            SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);
+                    } catch (UnsatisfiedLinkError e) {
+                        // Ignore
+                    }
+                    if (!disableCompressionSupported) {
+                        // OpenSSL does not support ciphers ordering.
+                        log.warn(sm.getString("endpoint.warn.noDisableCompression",
+                                              SSL.versionString()));
+                    }
                 }
-            }
 
-            // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
-            if (SSLDisableSessionTickets) {
-                boolean disableSessionTicketsSupported = false;
-                try {
-                    disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
-                    if (disableSessionTicketsSupported)
-                        SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET);
-                } catch (UnsatisfiedLinkError e) {
-                    // Ignore
-                }
+                // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
+                if (SSLDisableSessionTickets) {
+                    boolean disableSessionTicketsSupported = false;
+                    try {
+                        disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
+                        if (disableSessionTicketsSupported)
+                            SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET);
+                    } catch (UnsatisfiedLinkError e) {
+                        // Ignore
+                    }
 
-                if (!disableSessionTicketsSupported) {
-                    // OpenSSL is too old to support TLS Session Tickets.
-                    log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
-                                          SSL.versionString()));
+                    if (!disableSessionTicketsSupported) {
+                        // OpenSSL is too old to support TLS Session Tickets.
+                        log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
+                                              SSL.versionString()));
+                    }
                 }
-            }
 
-            // List the ciphers that the client is permitted to negotiate
-            SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
-            // Load Server key and certificate
-            SSLContext.setCertificate(sslContext, SSLCertificateFile, SSLCertificateKeyFile, SSLPassword, SSL.SSL_AIDX_RSA);
-            // Set certificate chain file
-            SSLContext.setCertificateChainFile(sslContext, SSLCertificateChainFile, false);
-            // Support Client Certificates
-            SSLContext.setCACertificate(sslContext, SSLCACertificateFile, SSLCACertificatePath);
-            // Set revocation
-            SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath);
-            // Client certificate verification
-            value = SSL.SSL_CVERIFY_NONE;
-            if ("optional".equalsIgnoreCase(SSLVerifyClient)) {
-                value = SSL.SSL_CVERIFY_OPTIONAL;
-            } else if ("require".equalsIgnoreCase(SSLVerifyClient)) {
-                value = SSL.SSL_CVERIFY_REQUIRE;
-            } else if ("optionalNoCA".equalsIgnoreCase(SSLVerifyClient)) {
-                value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
-            }
-            SSLContext.setVerify(sslContext, value, SSLVerifyDepth);
-            // For now, sendfile is not supported with SSL
-            if (getUseSendfile()) {
-                setUseSendfileInternal(false);
-                if (useSendFileSet) {
-                    log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
+                // List the ciphers that the client is permitted to negotiate
+                SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
+                // Load Server key and certificate
+                SSLContext.setCertificate(sslContext, SSLCertificateFile, SSLCertificateKeyFile, SSLPassword, SSL.SSL_AIDX_RSA);
+                // Set certificate chain file
+                SSLContext.setCertificateChainFile(sslContext, SSLCertificateChainFile, false);
+                // Support Client Certificates
+                SSLContext.setCACertificate(sslContext, SSLCACertificateFile, SSLCACertificatePath);
+                // Set revocation
+                SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath);
+                // Client certificate verification
+                value = SSL.SSL_CVERIFY_NONE;
+                if ("optional".equalsIgnoreCase(SSLVerifyClient)) {
+                    value = SSL.SSL_CVERIFY_OPTIONAL;
+                } else if ("require".equalsIgnoreCase(SSLVerifyClient)) {
+                    value = SSL.SSL_CVERIFY_REQUIRE;
+                } else if ("optionalNoCA".equalsIgnoreCase(SSLVerifyClient)) {
+                    value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
+                }
+                SSLContext.setVerify(sslContext, value, SSLVerifyDepth);
+                // For now, sendfile is not supported with SSL
+                if (getUseSendfile()) {
+                    setUseSendfileInternal(false);
+                    if (useSendFileSet) {
+                        log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
+                    }
                 }
-            }
 
-            if (negotiableProtocols.size() > 0) {
-                byte[] protocols = buildAlpnConfig(negotiableProtocols);
-                if (SSLContext.setALPN(sslContext, protocols, protocols.length) != 0) {
-                    log.warn(sm.getString("endpoint.alpn.fail", negotiableProtocols));
+                if (negotiableProtocols.size() > 0) {
+                    byte[] protocols = buildAlpnConfig(negotiableProtocols);
+                    if (SSLContext.setALPN(sslContext, protocols, protocols.length) != 0) {
+                        log.warn(sm.getString("endpoint.alpn.fail", negotiableProtocols));
+                    }
                 }
             }
         } else if (negotiableProtocols.size() > 0) {
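Review bot: The two "no protocol configured" paths now disagree on what gets enabled: an empty `sslHostConfig.getSslProtocols()` still yields `SSL.SSL_PROTOCOL_ALL`, while an explicit `all` is expanded by `SSLHostConfig.setProtocols` to TLSv1+TLSv1.1+TLSv1.2 before it reaches this loop, so the `"all".equalsIgnoreCase(protocol)` branch is no longer reachable through that setter and the unconfigured default is looser than the configured one; if `SSL_PROTOCOL_ALL` in the native library still includes SSLv3 (verify against the tcnative version in use), a connector with no protocol attribute is weaker than one that says `all`. Aligning the empty-set case with the same TLS set, `value = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2;`, removes the inconsistency and keeps the fail-to-start behaviour for unknown names. `sslContext` is a field assigned inside the loop, which is only safe while the DEFAULT-host filter limits the loop to one iteration; the TODO records that, but a comment on the assignment itself would help whoever adds SNI. The enclosing method starts and ends outside the hunk.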

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Apr 14 11:07:41 2015
@@ -16,7 +16,46 @@
  */
 package org.apache.tomcat.util.net;
 
+import java.util.HashSet;
+import java.util.Set;
+
 public class SSLHostConfig {
 
-    static final String DEFAULT_SSL_HOST_NAME = "*DEFAULT*";
+    public static final String DEFAULT_SSL_HOST_NAME = "*DEFAULT*";
+
+    private String hostName;
+
+    private Set<String> sslProtocols = new HashSet<>();
+
+
+    public void setHostName(String hostName) {
+        this.hostName = hostName;
+    }
+
+
+    public String getHostName() {
+        return hostName;
+    }
+
+
+    public void setProtocols(String protocols) {
+        // OpenSSL and JSSE use the same names.
+        if (protocols.trim().equalsIgnoreCase("all")) {
+            protocols = "TLSv1+TLSv1.1+TLSv1.2";
+        }
+
+        String[] values = protocols.split(",|\\+");
+
+        for (String value: values) {
+            String trimmed = value.trim();
+            if (trimmed.length() > 0) {
+                sslProtocols.add(trimmed);
+            }
+        }
+    }
+
+
+    public Set<String> getSslProtocols() {
+        return sslProtocols;
+    }
 }
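Review bot: `setProtocols` only ever adds to `sslProtocols`, so calling it twice (the AbstractHttp11Protocol hunk routes both `sslEnabledProtocols` and `SSLProtocol` here) yields the union of both values rather than the last one set, and `protocols.trim()` throws NullPointerException for a null argument. `getSslProtocols` hands out the live HashSet, so any caller can alter the configuration after an endpoint has read it. Values are also stored verbatim: the AprEndpoint hunk matches them with `equalsIgnoreCase`, but the `retainAll` in the JSSESocketFactory hunk is an exact match, so `tlsv1.2` is accepted by APR and silently dropped (with a warning) by JSSE; normalising the accepted names here would make both connectors behave the same. The rewrite below makes the setter replace rather than append, tolerates null, and returns an unmodifiable view (`java.util.Collections` would need importing).
```java
public void setProtocols(String protocols) {
    // Replace, not append: the last setter call wins, as for any bean property.
    sslProtocols.clear();
    if (protocols == null) {
        return;
    }
    // OpenSSL and JSSE use the same names.
    if (protocols.trim().equalsIgnoreCase("all")) {
        protocols = "TLSv1+TLSv1.1+TLSv1.2";
    }
    // … unchanged: split on ',' or '+', trim, add non-empty values …
}

public Set<String> getSslProtocols() {
    return Collections.unmodifiableSet(sslProtocols);
}
```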

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java Tue Apr 14 11:07:41 2015
@@ -71,5 +71,5 @@ public abstract class SSLImplementation
 
     public abstract SSLSupport getSSLSupport(SSLSession session);
 
-    public abstract SSLUtil getSSLUtil(AbstractEndpoint<?> ep);
+    public abstract SSLUtil getSSLUtil(AbstractEndpoint<?> ep, SSLHostConfig sslHostConfig);
 }
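Review bot: The new `sslHostConfig` parameter on the abstract `getSSLUtil` is undocumented, and nothing states whether an implementation may receive null (the AbstractJsseEndpoint hunk always passes a registered config, the TesterBug50640SslImpl override just forwards it). A Javadoc on the method such as `@param sslHostConfig the per-host TLS configuration the returned SSLUtil must apply; never null` would pin that contract for every implementation.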

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Tue Apr 14 11:07:41 2015
@@ -19,6 +19,7 @@ package org.apache.tomcat.util.net.jsse;
 import javax.net.ssl.SSLSession;
 
 import org.apache.tomcat.util.net.AbstractEndpoint;
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLImplementation;
 import org.apache.tomcat.util.net.SSLSupport;
 import org.apache.tomcat.util.net.SSLUtil;
@@ -50,7 +51,7 @@ public class JSSEImplementation extends
     }
 
     @Override
-    public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint) {
-        return new JSSESocketFactory(endpoint);
+    public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint, SSLHostConfig sslHostConfig) {
+        return new JSSESocketFactory(endpoint, sslHostConfig);
     }
 }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Tue Apr 14 11:07:41 2015
@@ -58,6 +58,7 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLUtil;
 import org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
@@ -90,14 +91,16 @@ public class JSSESocketFactory implement
     private static final String ALLOW_ALL_SUPPORTED_CIPHERS = "ALL";
     public static final String DEFAULT_KEY_PASS = "changeit";
 
-    private AbstractEndpoint<?> endpoint;
+    private final AbstractEndpoint<?> endpoint;
+    private final SSLHostConfig sslHostConfig;
 
     private final String[] defaultServerProtocols;
     private final String[] defaultServerCipherSuites;
 
 
-    public JSSESocketFactory (AbstractEndpoint<?> endpoint) {
+    public JSSESocketFactory (AbstractEndpoint<?> endpoint, SSLHostConfig sslHostConfig) {
         this.endpoint = endpoint;
+        this.sslHostConfig = sslHostConfig;
 
         String sslProtocol = endpoint.getSslProtocol();
         if (sslProtocol == null) {
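Review bot: The constructor stores `sslHostConfig` without a null check, so a null config only surfaces later as a NullPointerException in `getEnableableProtocols`, far from the caller that supplied it. `this.sslHostConfig = Objects.requireNonNull(sslHostConfig, "sslHostConfig");` fails at construction instead (needs `java.util.Objects` imported, which is not visible in this hunk). The constructor body continues past the hunk.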
@@ -591,25 +594,24 @@ public class JSSESocketFactory implement
 
     @Override
     public String[] getEnableableProtocols(SSLContext context) {
-        String[] requestedProtocols = endpoint.getSslEnabledProtocolsArray();
-        if ((requestedProtocols == null) || (requestedProtocols.length == 0)) {
+        if (sslHostConfig.getSslProtocols().size() == 0) {
             return defaultServerProtocols;
         }
 
-        List<String> protocols = new ArrayList<>(
-                Arrays.asList(requestedProtocols));
+        List<String> protocols = new ArrayList<>();
+        protocols.addAll(sslHostConfig.getSslProtocols());
         protocols.retainAll(Arrays.asList(context.getSupportedSSLParameters()
                 .getProtocols()));
 
         if (protocols.isEmpty()) {
             log.warn(sm.getString("jsse.requested_protocols_not_supported",
-                    Arrays.asList(requestedProtocols)));
+                    sslHostConfig.getSslProtocols()));
         }
         if (log.isDebugEnabled()) {
             log.debug(sm.getString("jsse.enableable_protocols", protocols));
-            if (protocols.size() != requestedProtocols.length) {
-                List<String> skipped = new ArrayList<>(
-                        Arrays.asList(requestedProtocols));
+            if (protocols.size() != sslHostConfig.getSslProtocols().size()) {
+                List<String> skipped = new ArrayList<>();
+                skipped.addAll(sslHostConfig.getSslProtocols());
                 skipped.removeAll(protocols);
                 log.debug(sm.getString("jsse.unsupported_protocols", skipped));
             }
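Review bot: `sslHostConfig.getSslProtocols()` is called four times in this method; a local `Set<String> requested = sslHostConfig.getSslProtocols();` at the top reads better and guarantees all four uses see the same set even if the config were changed while the method runs (assuming `java.util.Set` is already imported, which the hunk does not show). The copy can then be `List<String> protocols = new ArrayList<>(requested);` instead of the `new ArrayList<>()` plus `addAll` pair, and likewise for `skipped`. Because the backing set is a HashSet, the order of `protocols` is unspecified; that is harmless for enabling protocols on the engine but means the `jsse.enableable_protocols` debug line can differ between runs. The method ends outside the hunk.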

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java?rev=1673408&r1=1673407&r2=1673408&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java Tue Apr 14 11:07:41 2015
@@ -17,6 +17,7 @@
 package org.apache.tomcat.util.net.jsse;
 
 import org.apache.tomcat.util.net.AbstractEndpoint;
+import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLUtil;
 
 public class TesterBug50640SslImpl extends JSSEImplementation {
@@ -26,10 +27,10 @@ public class TesterBug50640SslImpl exten
 
 
     @Override
-    public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint) {
+    public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint, SSLHostConfig sslHostConfig) {
         String flag = endpoint.getProperty(PROPERTY_NAME);
         if (PROPERTY_VALUE.equals(flag)) {
-            return super.getSSLUtil(endpoint);
+            return super.getSSLUtil(endpoint, sslHostConfig);
         } else {
             return null;
         }
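Review bot: The override has no Javadoc, and it is not obvious from the signature that the new `sslHostConfig` parameter is only forwarded while the gate is still the endpoint property read on the line after the signature. A one-line comment above `@Override` would make the contract clear: `/** Returns the JSSE SSLUtil only when endpoint property PROPERTY_NAME equals PROPERTY_VALUE; otherwise null (test hook for bug 50640). */`. The null return is pre-existing behaviour and presumably relied on by the test that installs this implementation; the class body continues outside the hunk.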





Re: svn commit: r1673408 - in /tomcat/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ test/org/apache/tomcat/util/net/jsse/

Posted by Rémy Maucherat <re...@apache.org>.
2015-04-14 13:18 GMT+02:00 Mark Thomas <ma...@apache.org>:

> On 14/04/2015 06:07, markt@apache.org wrote:
> > Author: markt
> > Date: Tue Apr 14 11:07:41 2015
> > New Revision: 1673408
> >
> > URL: http://svn.apache.org/r1673408
> > Log:
> > Move SSLProtocols config to common property for JSSE and
> > APR/native
>
> My aim is to do this for all the SSL properties.
>
> Where a property is only used by one implementation (e.g. sslProtocol),
> it will be a NO-OP for the other implementation.
>
> I suspect some of the mappings between JSSE and OpenSSL will be a little
> trickier than this one was.
>
> In an ideal world, I'd like the same configuration to work for either
> connector. Of course, that assumes JKS keystores are not used.
>
> The next steps I have in mind are:
> - add the ability to create <SSLHostConfig> elements under a <Connector>
>

Yes, ok, I suppose putting it on the Host element wouldn't work well for a
variety of reasons.


> - add the ability to create <Alias> elements under a <SSLHostConfig>
> - test SNI allows selection of SSLHostConfig
> - expand SSLHostConfig to cover all the SSL attributes
> - update the docs
> - add SNI to APR/native
>
> Rémy

Re: svn commit: r1673408 - in /tomcat/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ test/org/apache/tomcat/util/net/jsse/

Posted by Mark Thomas <ma...@apache.org>.
On 14/04/2015 06:07, markt@apache.org wrote:
> Author: markt
> Date: Tue Apr 14 11:07:41 2015
> New Revision: 1673408
> 
> URL: http://svn.apache.org/r1673408
> Log:
> Move SSLProtocols config to common property for JSSE and
> APR/native

My aim is to do this for all the SSL properties.

Where a property is only used by one implementation (e.g. sslProtocol),
it will be a NO-OP for the other implementation.

I suspect some of the mappings between JSSE and OpenSSL will be a little
trickier than this one was.

In an ideal world, I'd like the same configuration to work for either
connector. Of course, that assumes JKS keystores are not used.

The next steps I have in mind are:
- add the ability to create <SSLHostConfig> elements under a <Connector>
- add the ability to create <Alias> elements under a <SSLHostConfig>
- test SNI allows selection of SSLHostConfig
- expand SSLHostConfig to cover all the SSL attributes
- update the docs
- add SNI to APR/native

Mark
