Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/01/15 15:37:02 UTC

[tomcat] branch master updated (9b328a6 -> 973b0a3)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from 9b328a6  Skip setting attribute that is neither supported nor required for APR
     new c64ccf3  Update tests to use SSLHostConfig for TLS configuration
     new 973b0a3  Remove support for deprecated TLS configuration style

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../storeconfig/ConnectorStoreAppender.java        |   9 +-
 .../catalina/storeconfig/server-registry.xml       |  53 ---
 .../coyote/http11/AbstractHttp11Protocol.java      | 377 ---------------------
 .../apache/tomcat/util/net/AbstractEndpoint.java   |   2 +-
 .../tomcat/util/net/AbstractJsseEndpoint.java      |   2 +-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 126 -------
 .../coyote/http11/TestAbstractHttp11Protocol.java  |  28 --
 test/org/apache/tomcat/util/net/TestCustomSsl.java |  35 +-
 test/org/apache/tomcat/util/net/TesterSupport.java |  49 ++-
 .../util/net/jsse/TesterBug50640SslImpl.java       |   1 -
 webapps/docs/config/http.xml                       | 346 -------------------
 webapps/docs/ssl-howto.xml                         |  63 ++--
 12 files changed, 81 insertions(+), 1010 deletions(-)
 delete mode 100644 test/org/apache/coyote/http11/TestAbstractHttp11Protocol.java




[tomcat] 02/02: Remove support for deprecated TLS configuration style

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 973b0a304532a1d5a63b36ff88842e933cc91b82
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jan 15 15:36:40 2020 +0000

    Remove support for deprecated TLS configuration style
---
 .../storeconfig/ConnectorStoreAppender.java        |   9 +-
 .../catalina/storeconfig/server-registry.xml       |  53 ---
 .../coyote/http11/AbstractHttp11Protocol.java      | 377 ---------------------
 .../apache/tomcat/util/net/AbstractEndpoint.java   |   2 +-
 .../tomcat/util/net/AbstractJsseEndpoint.java      |   2 +-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 126 -------
 .../coyote/http11/TestAbstractHttp11Protocol.java  |  28 --
 webapps/docs/config/http.xml                       | 346 -------------------
 webapps/docs/ssl-howto.xml                         |  63 ++--
 9 files changed, 41 insertions(+), 965 deletions(-)

diff --git a/java/org/apache/catalina/storeconfig/ConnectorStoreAppender.java b/java/org/apache/catalina/storeconfig/ConnectorStoreAppender.java
index cfb5d32..c48416a 100644
--- a/java/org/apache/catalina/storeconfig/ConnectorStoreAppender.java
+++ b/java/org/apache/catalina/storeconfig/ConnectorStoreAppender.java
@@ -38,8 +38,7 @@ import org.apache.tomcat.util.net.SocketProperties;
  * Store the Connector attributes. Connector has really special design. A
  * Connector is only a startup Wrapper for a ProtocolHandler. This meant that
  * ProtocolHandler get all there attributes from the Connector attribute map.
- * Strange is that some attributes change there name and the attribute
- * sslProtocol need a special handling
+ * Strange is that some attributes change their name.
  */
 public class ConnectorStoreAppender extends StoreAppender {
 
@@ -47,13 +46,7 @@ public class ConnectorStoreAppender extends StoreAppender {
     protected static final Set<String> internalExecutorAttributes = new HashSet<>();
     static {
         replacements.put("timeout", "connectionUploadTimeout");
-        replacements.put("clientauth", "clientAuth");
-        replacements.put("keystore", "keystoreFile");
         replacements.put("randomfile", "randomFile");
-        replacements.put("keypass", "keystorePass");
-        replacements.put("keytype", "keystoreType");
-        replacements.put("protocol", "sslProtocol");
-        replacements.put("protocols", "sslProtocols");
 
         internalExecutorAttributes.add("maxThreads");
         internalExecutorAttributes.add("minSpareThreads");
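Review bot: The surviving `replacements` entries in the static initializer carry no comment explaining their purpose, and once the SSL aliases are gone a reader has only "timeout" and "randomfile" to infer it from; a line such as `// legacy Connector attribute names mapped to the ProtocolHandler property they are stored under` above `replacements.put("timeout", "connectionUploadTimeout");` would carry that. The class Javadoc rewritten in the preceding hunk still reads "get all there attributes", which should be "their". The static block continues outside the hunk.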
diff --git a/java/org/apache/catalina/storeconfig/server-registry.xml b/java/org/apache/catalina/storeconfig/server-registry.xml
index 124ad9d..2b8279a 100644
--- a/java/org/apache/catalina/storeconfig/server-registry.xml
+++ b/java/org/apache/catalina/storeconfig/server-registry.xml
@@ -102,49 +102,6 @@
         <TransientAttribute>URIEncoding</TransientAttribute>
         <TransientAttribute>maxProcessor</TransientAttribute>
         <TransientAttribute>minProcessor</TransientAttribute>
-        <!-- All attribute duplicated from the SSLHostConfig, removed in Tomcat 10 -->
-        <TransientAttribute>SSLProtocol</TransientAttribute>
-        <TransientAttribute>sslEnabledProtocols</TransientAttribute>
-        <TransientAttribute>SSLCipherSuite</TransientAttribute>
-        <TransientAttribute>ciphers</TransientAttribute>
-        <TransientAttribute>SSLCertificateChainFile</TransientAttribute>
-        <TransientAttribute>SSLCertificateFile</TransientAttribute>
-        <TransientAttribute>keyAlias</TransientAttribute>
-        <TransientAttribute>SSLCertificateKeyFile</TransientAttribute>
-        <TransientAttribute>keyPass</TransientAttribute>
-        <TransientAttribute>SSLPassword</TransientAttribute>
-        <TransientAttribute>keystoreFile</TransientAttribute>
-        <TransientAttribute>keystorePass</TransientAttribute>
-        <TransientAttribute>keystoreProvider</TransientAttribute>
-        <TransientAttribute>keystoreType</TransientAttribute>
-        <TransientAttribute>SSLCACertificateFile</TransientAttribute>
-        <TransientAttribute>SSLCACertificatePath</TransientAttribute>
-        <TransientAttribute>crlFile</TransientAttribute>
-        <TransientAttribute>SSLCARevocationFile</TransientAttribute>
-        <TransientAttribute>SSLCARevocationPath</TransientAttribute>
-        <TransientAttribute>SSLDisableCompression</TransientAttribute>
-        <TransientAttribute>SSLDisableSessionTickets</TransientAttribute>
-        <TransientAttribute>SSLDisableCompression</TransientAttribute>
-        <TransientAttribute>SSLHonorCipherOrder</TransientAttribute>
-        <TransientAttribute>useServerCipherSuitesOrder</TransientAttribute>
-        <TransientAttribute>algorithm</TransientAttribute>
-        <TransientAttribute>sslContext</TransientAttribute>
-        <TransientAttribute>sessionCacheSize</TransientAttribute>
-        <TransientAttribute>sessionTimeout</TransientAttribute>
-        <TransientAttribute>sslProtocol</TransientAttribute>
-        <TransientAttribute>trustManagerClassName</TransientAttribute>
-        <TransientAttribute>truststoreAlgorithm</TransientAttribute>
-        <TransientAttribute>truststoreFile</TransientAttribute>
-        <TransientAttribute>truststorePass</TransientAttribute>
-        <TransientAttribute>truststoreProvider</TransientAttribute>
-        <TransientAttribute>truststoreType</TransientAttribute>
-        <!-- All attribute duplicated from the AbstractHttp11Protocol, removed in Tomcat 10 -->
-        <TransientAttribute>clientAuth</TransientAttribute>
-        <TransientAttribute>SSLVerifyClient</TransientAttribute>
-        <TransientAttribute>trustMaxCertLength</TransientAttribute>
-        <TransientAttribute>SSLVerifyDepth</TransientAttribute>
-        <TransientAttribute>useServerCipherSuitesOrder</TransientAttribute>
-        <TransientAttribute>SSLHonorCipherOrder</TransientAttribute>
      </Description>
      <Description
         tag="UpgradeProtocol"
@@ -163,16 +120,6 @@
         storeFactoryClass="org.apache.catalina.storeconfig.SSLHostConfigSF">
         <TransientAttribute>openSslContext</TransientAttribute>
         <TransientAttribute>openSslConfContext</TransientAttribute>
-        <!-- All attribute duplicated from the Certificate, may be removed in Tomcat 10 -->
-        <TransientAttribute>certificateChainFile</TransientAttribute>
-        <TransientAttribute>certificateFile</TransientAttribute>
-        <TransientAttribute>certificateKeyAlias</TransientAttribute>
-        <TransientAttribute>certificateKeyFile</TransientAttribute>
-        <TransientAttribute>certificateKeyPassword</TransientAttribute>
-        <TransientAttribute>certificateKeystoreFile</TransientAttribute>
-        <TransientAttribute>certificateKeystorePassword</TransientAttribute>
-        <TransientAttribute>certificateKeystoreProvider</TransientAttribute>
-        <TransientAttribute>certificateKeystoreType</TransientAttribute>
      </Description>
      <Description
         tag="Certificate"
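Review bot: Dropping `certificateKeyPassword`, `certificateKeystorePassword` and the other certificate attributes from the SSLHostConfig transient list is only safe because the matching accessors on SSLHostConfig are removed in this same commit; anything StoreConfig can still discover by introspection is written back to server.xml, so it is worth confirming that the `Certificate` description starting at the end of this hunk (its body lies outside the hunk) still lists exactly what should and should not be persisted. The same reasoning applies to the Connector transient list in the previous hunk, which loses `keystorePass` and `truststorePass` alongside the deleted AbstractHttp11Protocol accessors. No code change is needed if those descriptions already match.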
diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
index c40e1b3..58b05a3 100644
--- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
+++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -542,9 +542,6 @@ public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> {
     }
     public void setDefaultSSLHostConfigName(String defaultSSLHostConfigName) {
         getEndpoint().setDefaultSSLHostConfigName(defaultSSLHostConfigName);
-        if (defaultSSLHostConfig != null) {
-            defaultSSLHostConfig.setHostName(defaultSSLHostConfigName);
-        }
     }
 
 
@@ -570,380 +567,6 @@ public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> {
     }
 
 
-    // ----------------------------------------------- HTTPS specific properties
-    // -------------------------------------------- Handled via an SSLHostConfig
-
-    private SSLHostConfig defaultSSLHostConfig = null;
-    private void registerDefaultSSLHostConfig() {
-        if (defaultSSLHostConfig == null) {
-            for (SSLHostConfig sslHostConfig : findSslHostConfigs()) {
-                if (getDefaultSSLHostConfigName().equals(sslHostConfig.getHostName())) {
-                    defaultSSLHostConfig = sslHostConfig;
-                    break;
-                }
-            }
-            if (defaultSSLHostConfig == null) {
-                defaultSSLHostConfig = new SSLHostConfig();
-                defaultSSLHostConfig.setHostName(getDefaultSSLHostConfigName());
-                getEndpoint().addSslHostConfig(defaultSSLHostConfig);
-            }
-        }
-    }
-
-
-    // TODO: All of these SSL getters and setters can be removed once it is no
-    // longer necessary to support the old configuration attributes (Tomcat 10?)
-
-    public String getSslEnabledProtocols() {
-        registerDefaultSSLHostConfig();
-        return StringUtils.join(defaultSSLHostConfig.getEnabledProtocols());
-    }
-    public void setSslEnabledProtocols(String enabledProtocols) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setProtocols(enabledProtocols);
-    }
-    public String getSSLProtocol() {
-        registerDefaultSSLHostConfig();
-        return StringUtils.join(defaultSSLHostConfig.getEnabledProtocols());
-    }
-    public void setSSLProtocol(String sslProtocol) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setProtocols(sslProtocol);
-    }
-
-
-    public String getKeystoreFile() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeystoreFile();
-    }
-    public void setKeystoreFile(String keystoreFile) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeystoreFile(keystoreFile);
-    }
-    public String getSSLCertificateChainFile() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateChainFile();
-    }
-    public void setSSLCertificateChainFile(String certificateChainFile) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateChainFile(certificateChainFile);
-    }
-    public String getSSLCertificateFile() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateFile();
-    }
-    public void setSSLCertificateFile(String certificateFile) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateFile(certificateFile);
-    }
-    public String getSSLCertificateKeyFile() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeyFile();
-    }
-    public void setSSLCertificateKeyFile(String certificateKeyFile) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeyFile(certificateKeyFile);
-    }
-
-
-    public String getAlgorithm() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getKeyManagerAlgorithm();
-    }
-    public void setAlgorithm(String keyManagerAlgorithm) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setKeyManagerAlgorithm(keyManagerAlgorithm);
-    }
-
-
-    public String getClientAuth() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateVerificationAsString();
-    }
-    public void setClientAuth(String certificateVerification) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateVerification(certificateVerification);
-    }
-
-
-    public String getSSLVerifyClient() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateVerificationAsString();
-    }
-    public void setSSLVerifyClient(String certificateVerification) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateVerification(certificateVerification);
-    }
-
-
-    public int getTrustMaxCertLength(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateVerificationDepth();
-    }
-    public void setTrustMaxCertLength(int certificateVerificationDepth){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateVerificationDepth(certificateVerificationDepth);
-    }
-    public int getSSLVerifyDepth() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateVerificationDepth();
-    }
-    public void setSSLVerifyDepth(int certificateVerificationDepth) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateVerificationDepth(certificateVerificationDepth);
-    }
-
-
-    public boolean getUseServerCipherSuitesOrder() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getHonorCipherOrder();
-    }
-    public void setUseServerCipherSuitesOrder(boolean honorCipherOrder) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setHonorCipherOrder(honorCipherOrder);
-    }
-    public boolean getSSLHonorCipherOrder() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getHonorCipherOrder();
-    }
-    public void setSSLHonorCipherOrder(boolean honorCipherOrder) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setHonorCipherOrder(honorCipherOrder);
-    }
-
-
-    public String getCiphers() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCiphers();
-    }
-    public void setCiphers(String ciphers) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCiphers(ciphers);
-    }
-    public String getSSLCipherSuite() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCiphers();
-    }
-    public void setSSLCipherSuite(String ciphers) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCiphers(ciphers);
-    }
-
-
-    public String getKeystorePass() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeystorePassword();
-    }
-    public void setKeystorePass(String certificateKeystorePassword) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeystorePassword(certificateKeystorePassword);
-    }
-
-
-    public String getKeyPass() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeyPassword();
-    }
-    public void setKeyPass(String certificateKeyPassword) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeyPassword(certificateKeyPassword);
-    }
-    public String getSSLPassword() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeyPassword();
-    }
-    public void setSSLPassword(String certificateKeyPassword) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeyPassword(certificateKeyPassword);
-    }
-
-
-    public String getCrlFile(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateRevocationListFile();
-    }
-    public void setCrlFile(String certificateRevocationListFile){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateRevocationListFile(certificateRevocationListFile);
-    }
-    public String getSSLCARevocationFile() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateRevocationListFile();
-    }
-    public void setSSLCARevocationFile(String certificateRevocationListFile) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateRevocationListFile(certificateRevocationListFile);
-    }
-    public String getSSLCARevocationPath() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateRevocationListPath();
-    }
-    public void setSSLCARevocationPath(String certificateRevocationListPath) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateRevocationListPath(certificateRevocationListPath);
-    }
-
-
-    public String getKeystoreType() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeystoreType();
-    }
-    public void setKeystoreType(String certificateKeystoreType) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeystoreType(certificateKeystoreType);
-    }
-
-
-    public String getKeystoreProvider() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeystoreProvider();
-    }
-    public void setKeystoreProvider(String certificateKeystoreProvider) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeystoreProvider(certificateKeystoreProvider);
-    }
-
-
-    public String getKeyAlias() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCertificateKeyAlias();
-    }
-    public void setKeyAlias(String certificateKeyAlias) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCertificateKeyAlias(certificateKeyAlias);
-    }
-
-
-    public String getTruststoreAlgorithm(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getTruststoreAlgorithm();
-    }
-    public void setTruststoreAlgorithm(String truststoreAlgorithm){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setTruststoreAlgorithm(truststoreAlgorithm);
-    }
-
-
-    public String getTruststoreFile(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getTruststoreFile();
-    }
-    public void setTruststoreFile(String truststoreFile){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setTruststoreFile(truststoreFile);
-    }
-
-
-    public String getTruststorePass(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getTruststorePassword();
-    }
-    public void setTruststorePass(String truststorePassword){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setTruststorePassword(truststorePassword);
-    }
-
-
-    public String getTruststoreType(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getTruststoreType();
-    }
-    public void setTruststoreType(String truststoreType){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setTruststoreType(truststoreType);
-    }
-
-
-    public String getTruststoreProvider(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getTruststoreProvider();
-    }
-    public void setTruststoreProvider(String truststoreProvider){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setTruststoreProvider(truststoreProvider);
-    }
-
-
-    public String getSslProtocol() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getSslProtocol();
-    }
-    public void setSslProtocol(String sslProtocol) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setSslProtocol(sslProtocol);
-    }
-
-
-    public int getSessionCacheSize(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getSessionCacheSize();
-    }
-    public void setSessionCacheSize(int sessionCacheSize){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setSessionCacheSize(sessionCacheSize);
-    }
-
-
-    public int getSessionTimeout(){
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getSessionTimeout();
-    }
-    public void setSessionTimeout(int sessionTimeout){
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setSessionTimeout(sessionTimeout);
-    }
-
-
-    public String getSSLCACertificatePath() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCaCertificatePath();
-    }
-    public void setSSLCACertificatePath(String caCertificatePath) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCaCertificatePath(caCertificatePath);
-    }
-
-
-    public String getSSLCACertificateFile() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getCaCertificateFile();
-    }
-    public void setSSLCACertificateFile(String caCertificateFile) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setCaCertificateFile(caCertificateFile);
-    }
-
-
-    public boolean getSSLDisableCompression() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getDisableCompression();
-    }
-    public void setSSLDisableCompression(boolean disableCompression) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setDisableCompression(disableCompression);
-    }
-
-
-    public boolean getSSLDisableSessionTickets() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getDisableSessionTickets();
-    }
-    public void setSSLDisableSessionTickets(boolean disableSessionTickets) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setDisableSessionTickets(disableSessionTickets);
-    }
-
-
-    public String getTrustManagerClassName() {
-        registerDefaultSSLHostConfig();
-        return defaultSSLHostConfig.getTrustManagerClassName();
-    }
-    public void setTrustManagerClassName(String trustManagerClassName) {
-        registerDefaultSSLHostConfig();
-        defaultSSLHostConfig.setTrustManagerClassName(trustManagerClassName);
-    }
-
-
     // ------------------------------------------------------------- Common code
 
     @Override
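Review bot: With every Connector-level TLS accessor deleted, a server.xml that still sets e.g. `clientAuth`, `sslEnabledProtocols`, `ciphers` or `keystoreFile` on the Connector no longer reaches an SSLHostConfig, and unless the generic attribute path outside this hunk already rejects unknown names, such a connector would start with default protocol, cipher and client-verification settings instead of the operator's — a silent weakening rather than a failure. A fail-fast for the removed names (rejecting them in property handling, or at minimum a startup warning naming the SSLHostConfig replacement) would make the migration visible; that handling is not in this hunk so I cannot tell whether it exists. The removed `registerDefaultSSLHostConfig()` was also the only code in this hunk that created and registered the `_default_` SSLHostConfig via `getEndpoint().addSslHostConfig(...)`; if nothing else does so, a connector with no nested SSLHostConfig now relies entirely on the endpoint. The `// Common code` section that follows is unchanged.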
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 2a60011..8740af1 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -340,7 +340,7 @@ public abstract class AbstractEndpoint<S,U> {
      *                      released
      */
     protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
-        for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
+        for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates()) {
             if (certificate.getSslContext() != null) {
                 SSLContext sslContext = certificate.getSslContext();
                 if (sslContext != null) {
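Review bot: The loop body the commit touches tests the same value twice — `if (certificate.getSslContext() != null)` on the outer line and `if (sslContext != null)` again once the local is assigned — which is pure noise after the local exists; the outer check can go, leaving `SSLContext sslContext = certificate.getSslContext(); if (sslContext != null) {`. Switching to the no-argument `getCertificates()` presumably also stops a default certificate from being created when none is configured, which is the right direction for a release path since teardown should never create state; the same substitution appears in `AbstractJsseEndpoint.unbind()`. `releaseSSLContext` continues past the hunk.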
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index fe94206..91702c6 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -214,7 +214,7 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
     @Override
     public void unbind() throws Exception {
         for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
-            for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
+            for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates()) {
                 certificate.setSslContext(null);
             }
         }
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 0d817bf..4a8549d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -267,22 +267,6 @@ public class SSLHostConfig implements Serializable {
 
     // ----------------------------------------- Common configuration properties
 
-    // TODO: This certificate setter can be removed once it is no longer
-    // necessary to support the old configuration attributes (Tomcat 10?).
-
-    public String getCertificateKeyPassword() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeyPassword();
-        }
-    }
-    public void setCertificateKeyPassword(String certificateKeyPassword) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeyPassword(certificateKeyPassword);
-    }
-
-
     public void setCertificateRevocationListFile(String certificateRevocationListFile) {
         this.certificateRevocationListFile = certificateRevocationListFile;
     }
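Review bot: The three hunks in this file delete the only visible callers of `registerDefaultCertificate()` and every `defaultCertificate == null` guard, so unless something outside these hunks still calls it, `registerDefaultCertificate()` and the `defaultCertificate` field become dead code and should go in the same commit rather than remain as a stale default-creation path; the JSSE and OpenSSL hunks below share this point. If `defaultCertificate` is intentionally kept (for example so `getCertificates()` can auto-create one), a comment on the field stating when it is created would stop the next reader from re-adding alias setters around it. The surrounding setters such as `setCertificateRevocationListFile` start and end outside the hunk.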
@@ -512,74 +496,6 @@ public class SSLHostConfig implements Serializable {
 
     // ---------------------------------- JSSE specific configuration properties
 
-    // TODO: These certificate setters can be removed once it is no longer
-    // necessary to support the old configuration attributes (Tomcat 10?).
-
-    public String getCertificateKeyAlias() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeyAlias();
-        }
-    }
-    public void setCertificateKeyAlias(String certificateKeyAlias) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeyAlias(certificateKeyAlias);
-    }
-
-
-    public String getCertificateKeystoreFile() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeystoreFile();
-        }
-    }
-    public void setCertificateKeystoreFile(String certificateKeystoreFile) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeystoreFile(certificateKeystoreFile);
-    }
-
-
-    public String getCertificateKeystorePassword() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeystorePassword();
-        }
-    }
-    public void setCertificateKeystorePassword(String certificateKeystorePassword) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeystorePassword(certificateKeystorePassword);
-    }
-
-
-    public String getCertificateKeystoreProvider() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeystoreProvider();
-        }
-    }
-    public void setCertificateKeystoreProvider(String certificateKeystoreProvider) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeystoreProvider(certificateKeystoreProvider);
-    }
-
-
-    public String getCertificateKeystoreType() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeystoreType();
-        }
-    }
-    public void setCertificateKeystoreType(String certificateKeystoreType) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeystoreType(certificateKeystoreType);
-    }
-
-
     public void setKeyManagerAlgorithm(String keyManagerAlgorithm) {
         setProperty("keyManagerAlgorithm", Type.JSSE);
         this.keyManagerAlgorithm = keyManagerAlgorithm;
@@ -734,48 +650,6 @@ public class SSLHostConfig implements Serializable {
 
     // ------------------------------- OpenSSL specific configuration properties
 
-    // TODO: These certificate setters can be removed once it is no longer
-    // necessary to support the old configuration attributes (Tomcat 10?).
-
-    public String getCertificateChainFile() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateChainFile();
-        }
-    }
-    public void setCertificateChainFile(String certificateChainFile) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateChainFile(certificateChainFile);
-    }
-
-
-    public String getCertificateFile() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateFile();
-        }
-    }
-    public void setCertificateFile(String certificateFile) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateFile(certificateFile);
-    }
-
-
-    public String getCertificateKeyFile() {
-        if (defaultCertificate == null) {
-            return null;
-        } else {
-            return defaultCertificate.getCertificateKeyFile();
-        }
-    }
-    public void setCertificateKeyFile(String certificateKeyFile) {
-        registerDefaultCertificate();
-        defaultCertificate.setCertificateKeyFile(certificateKeyFile);
-    }
-
-
     public void setCertificateRevocationListPath(String certificateRevocationListPath) {
         setProperty("certificateRevocationListPath", Type.OPENSSL);
         this.certificateRevocationListPath = certificateRevocationListPath;
diff --git a/test/org/apache/coyote/http11/TestAbstractHttp11Protocol.java b/test/org/apache/coyote/http11/TestAbstractHttp11Protocol.java
deleted file mode 100644
index 80023d9..0000000
--- a/test/org/apache/coyote/http11/TestAbstractHttp11Protocol.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- *  Licensed to the Apache Software Foundation (ASF) under one or more
- *  contributor license agreements.  See the NOTICE file distributed with
- *  this work for additional information regarding copyright ownership.
- *  The ASF licenses this file to You under the Apache License, Version 2.0
- *  (the "License"); you may not use this file except in compliance with
- *  the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- */
-package org.apache.coyote.http11;
-
-import org.junit.Test;
-
-public class TestAbstractHttp11Protocol {
-
-    @Test
-    public void testGetSslProtocol() {
-        Http11Nio2Protocol protocol = new Http11Nio2Protocol();
-        protocol.getSSLProtocol();
-    }
-}
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index eb7e1b4..f3c868d 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1537,352 +1537,6 @@
 
   </subsection>
 
-  <subsection name="SSL Support - Connector - NIO and NIO2 (deprecated)">
-
-  <p>The following NIO and NIO2 SSL configuration attributes have been
-  deprecated in favor of the default
-  <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-  the <code>hostName</code> of <code>_default_</code>. If this
-  <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-  explicitly defined, it will be created..
-  </p>
-
-  <attributes>
-
-    <attribute name="algorithm" required="false">
-      <p>This is an alias for the <code>keyManagerAlgorithm</code> attribute of
-      the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="ciphers" required="false">
-      <p>This is an alias for the <code>ciphers</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with the
-      <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="clientAuth" required="false">
-      <p>This is an alias for the <code>certificateVerification</code> attribute
-      of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element
-      with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="crlFile" required="false">
-      <p>This is an alias for the <code>certificateRevocationListFile</code>
-      attribute of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="keyAlias" required="false">
-      <p>This is an alias for the <code>certificateKeyAlias</code> attribute of
-      the first <a href="#SSL_Support_-_Certificate">Certificate</a> element
-      nested in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="keyPass" required="false">
-      <p>This is an alias for the <code>certificateKeyPassword</code> attribute
-      of the first <a href="#SSL_Support_-_Certificate">Certificate</a> element
-      nested in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="keystoreFile" required="false">
-      <p>This is an alias for the <code>certificateKeystoreFile</code> attribute
-      of the first <a href="#SSL_Support_-_Certificate">Certificate</a> element
-      nested in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="keystorePass" required="false">
-      <p>This is an alias for the <code>certificateKeystorePassword</code>
-      attribute of the first
-      <a href="#SSL_Support_-_Certificate">Certificate</a> element nested in the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="keystoreProvider" required="false">
-      <p>This is an alias for the <code>certificateKeystoreProvider</code>
-      attribute of the first
-      <a href="#SSL_Support_-_Certificate">Certificate</a> element nested in the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="keystoreType" required="false">
-      <p>This is an alias for the <code>certificateKeystoreType</code> attribute
-      of the first <a href="#SSL_Support_-_Certificate">Certificate</a> element
-      nested in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="sessionCacheSize" required="false">
-      <p>This is an alias for the <code>sessionCacheSize</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="sessionTimeout" required="false">
-      <p>This is an alias for the <code>sessionTimeout</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="sslEnabledProtocols" required="false">
-      <p>This is an alias for the <code>protocols</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="sslProtocol" required="false">
-      <p>This is an alias for the <code>sslProtocol</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="trustManagerClassName" required="false">
-      <p>This is an alias for the <code>trustManagerClassName</code> attribute
-      of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element
-      with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="trustMaxCertLength" required="false">
-      <p>This is an alias for the <code>certificateVerificationDepth</code>
-      attribute of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="truststoreAlgorithm" required="false">
-      <p>This is an alias for the <code>truststoreAlgorithm</code> attribute of
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="truststoreFile" required="false">
-      <p>This is an alias for the <code>truststoreFile</code> attribute of
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="truststorePass" required="false">
-      <p>This is an alias for the <code>truststorePassword</code> attribute of
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="truststoreProvider" required="false">
-      <p>This is an alias for the <code>truststoreProvider</code> attribute of
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="truststoreType" required="false">
-      <p>This is an alias for the <code>truststoreType</code> attribute of
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-     </attribute>
-
-    <attribute name="useServerCipherSuitesOrder" required="false">
-      <p>This is an alias for the <code>honorCipherOrder</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-  </attributes>
-
-  </subsection>
-
-  <subsection name="SSL Support - Connector - APR/Native (deprecated)">
-
-  <p>When APR/native is enabled, the HTTPS connector will use a socket poller
-  for keep-alive, increasing scalability of the server. It also uses OpenSSL,
-  which may be more optimized than JSSE depending on the processor being used,
-  and can be complemented with many commercial accelerator components. Unlike
-  the HTTP connector, the HTTPS connector cannot use sendfile to optimize static
-  file processing.</p>
-
-  <p>The HTTPS APR/native connector has the same attributes than the HTTP
-  APR/native connector, but adds OpenSSL specific ones. For the full details on
-  using OpenSSL, please refer to OpenSSL documentations and the many books
-  available for it (see the <a href="http://www.openssl.org">Official OpenSSL
-  website</a>). The SSL specific attributes for the APR/native connector are:
-  </p>
-
-  <attributes>
-
-    <attribute name="SSLCACertificateFile" required="false">
-      <p>This is an alias for the <code>caCertificateFile</code> attribute of
-      the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLCACertificatePath" required="false">
-      <p>This is an alias for the <code>caCertificatePath</code> attribute of
-      the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLCARevocationFile" required="false">
-      <p>This is an alias for the <code>certificateRevocationListFile</code>
-      attribute of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLCARevocationPath" required="false">
-      <p>This is an alias for the <code>certificateRevocationListPath</code>
-      attribute of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLCertificateFile" required="true">
-      <p>This is an alias for the <code>certificateFile</code> attribute of the
-      first <a href="#SSL_Support_-_Certificate">Certificate</a> element nested
-      in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element
-      with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="SSLCertificateKeyFile" required="false">
-      <p>This is an alias for the <code>certificateKeyFile</code> attribute of
-      the first <a href="#SSL_Support_-_Certificate">Certificate</a> element
-      nested in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="SSLCipherSuite" required="false">
-      <p>This is an alias for the <code>ciphers</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with the
-      <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLDisableCompression" required="false">
-      <p>This is an alias for the <code>disableCompression</code> attribute of
-      the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with
-      the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLHonorCipherOrder" required="false">
-      <p>This is an alias for the <code>honorCipherOrder</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with the
-      <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLPassword" required="false">
-      <p>This is an alias for the <code>certificateKeyPassword</code> attribute
-      of the first <a href="#SSL_Support_-_Certificate">Certificate</a> element
-      nested in the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_Certificate">Certificate</a> and/or
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, they will be created.</p>
-    </attribute>
-
-    <attribute name="SSLProtocol" required="false">
-      <p>This is an alias for the <code>protocols</code> attribute of the
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element with the
-      <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLVerifyClient" required="false">
-      <p>This is an alias for the <code>certificateVerification</code> attribute
-      of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element
-      with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLVerifyDepth" required="false">
-      <p>This is an alias for the <code>certificateVerificationDepth</code>
-      attribute of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
-      element with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-    <attribute name="SSLDisableSessionTickets" required="false">
-      <p>This is an alias for the <code>disableSessionTickets</code> attribute
-      of the <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element
-      with the <code>hostName</code> of <code>_default_</code>. If this
-      <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element is not
-      explicitly defined, it will be created.</p>
-    </attribute>
-
-  </attributes>
-
-  </subsection>
-
   <subsection name="Connector Comparison">
 
     <p>Below is a small chart that shows how the connectors differ.</p>
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index a7a3a88..4262c4c 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -330,40 +330,52 @@ sources like "/dev/urandom" that will allow quicker starts of Tomcat.
 <code>$CATALINA_BASE</code> represents the base directory for the
 Tomcat instance.  An example <code>&lt;Connector&gt;</code> element
 for an SSL connector is included in the default <code>server.xml</code>
-file installed with Tomcat. To configure an SSL connector that uses JSSE, you
-will need to remove the comments and edit it so it looks something like
-this:</p>
+file installed with Tomcat. To configure an SSL connector that uses JSSE with
+the JSSE configuration style, you will need to remove the comments and edit it
+so it looks something like this:</p>
 <source><![CDATA[<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
 <Connector
-           protocol="org.apache.coyote.http11.Http11NioProtocol"
-           port="8443" maxThreads="200"
-           scheme="https" secure="true" SSLEnabled="true"
-           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
-           clientAuth="false" sslProtocol="TLS"/>]]></source>
+    protocol="org.apache.coyote.http11.Http11NioProtocol"
+    port="8443"
+    maxThreads="150"
+    SSLEnabled="true">
+  <SSLHostConfig>
+    <Certificate
+      certificateKeystoreFile="${user.home}/.keystore"
+      certificateKeystorePassword="changeit"
+      type="RSA"
+      />
+    </SSLHostConfig>
+</Connector>]]></source>
 <p>
   Note: If tomcat-native is installed, the configuration will use JSSE with
-  an OpenSSL implementation, which supports either this configuration or the APR
-  configuration example given below.</p>
+  an OpenSSL implementation.</p>
 <p>
-  The APR connector uses different attributes for many SSL settings,
-  particularly keys and certificates. An example of an APR configuration is:</p>
+  The APR configuration style uses different attributes for many SSL settings,
+  particularly keys and certificates. An example of an APR configuration style
+  is:</p>
 <source><![CDATA[<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
 <Connector
-           protocol="org.apache.coyote.http11.Http11AprProtocol"
-           port="8443" maxThreads="200"
-           scheme="https" secure="true" SSLEnabled="true"
-           SSLCertificateFile="/usr/local/ssl/server.crt"
-           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
-           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>]]></source>
+    protocol="org.apache.coyote.http11.Http11AprProtocol"
+    port="8443"
+    maxThreads="150"
+    SSLEnabled="true" >
+  <SSLHostConfig>
+    <Certificate
+        certificateKeyFile="conf/localhost-rsa-key.pem"
+        certificateFile="conf/localhost-rsa-cert.pem"
+        certificateChainFile="conf/localhost-rsa-chain.pem"
+        type="RSA"
+        />
+  </SSLHostConfig>
+</Connector>]]></source>
 
 
 <p>The configuration options and information on which attributes
 are mandatory, are documented in the SSL Support section of the
 <a href="config/http.html#SSL_Support">HTTP connector</a> configuration
-reference. Make sure that you use the correct attributes for the connector you
-are using. The NIO and NIO2 connectors use JSSE unless the JSSE OpenSSL implementation is
-installed (in which case it supports either the JSSE or OpenSSL configuration styles),
-whereas the APR/native connector uses APR.</p>
+reference. Tomcat supports either configuration style (JSSE or OpenSSL) with all
+TLS connectors.</p>
 
 <p>The <code>port</code> attribute is the TCP/IP
 port number on which Tomcat will listen for secure connections.  You can
@@ -568,7 +580,8 @@ SSL communications, and what to do about them.</p>
     be named <code>.keystore</code> in the user home directory under which
     Tomcat is running (which may or may not be the same as yours :-).  If
     the keystore file is anywhere else, you will need to add a
-    <code>keystoreFile</code> attribute to the <code>&lt;Connector&gt;</code>
+    <code>certificateKeystoreFile</code> attribute to the
+    <code>&lt;Certificate&gt;</code>
     element in the <a href="#Edit_the_Tomcat_Configuration_File">Tomcat
     configuration file</a>.</p>
     </li>
@@ -595,8 +608,8 @@ SSL communications, and what to do about them.</p>
 
     <p>A likely explanation is that Tomcat cannot find the alias for the server
     key within the specified keystore. Check that the correct
-    <code>keystoreFile</code> and <code>keyAlias</code> are specified in the
-    <code>&lt;Connector&gt;</code> element in the
+    <code>certificateKeystoreFile</code> and <code>certificateKeyAlias</code>
+    are specified in the <code>&lt;Certificate&gt;</code> element in the
     <a href="#Edit_the_Tomcat_Configuration_File">Tomcat configuration file</a>.
     <strong>REMINDER</strong> - <code>keyAlias</code> values may be case
     sensitive!</p>




Re: [tomcat] 01/02: Update tests to use SSLHostConfig for TLS configuration

Posted by Mark Thomas <ma...@apache.org>.
On 15/01/2020 16:41, Rémy Maucherat wrote:
> On Wed, Jan 15, 2020 at 5:35 PM Mark Thomas <markt@apache.org
> <ma...@apache.org>> wrote:

<snip/>

>     While I was doing this I did wonder about deprecating/removing
>     [get|set]Attribute on Connector (and any other element where we have
>     both [get|set]Attribute() and [get|set]Property(). Thoughts? Something
>     to add to the TODO list?
> 
> 
> Ok, I forgot the real use of that [get|set]Attribute() to be honest.

I've figured it out.

[get|set]Property() (sort of) expects that the property exists. If it
doesn't, setProperty() is a NO-OP and getProperty() returns null, 0 or
equivalent.

[get|set]Attribute allows arbitrary properties to be set on the
Endpoint. I think this was to support TLS implementations that needed
additional properties. But we have moved away from that.

I think we are still OK to deprecate this in 9.x and remove in 10.x but
I'll leave it a few days before doing anything in case.

Mark



Re: [tomcat] 01/02: Update tests to use SSLHostConfig for TLS configuration

Posted by Rémy Maucherat <re...@apache.org>.
On Wed, Jan 15, 2020 at 5:35 PM Mark Thomas <ma...@apache.org> wrote:

> On 15/01/2020 16:01, Rémy Maucherat wrote:
> > On Wed, Jan 15, 2020 at 4:37 PM <markt@apache.org
> > <ma...@apache.org>> wrote:
> >
> >     This is an automated email from the ASF dual-hosted git repository.
> >
> >     markt pushed a commit to branch master
> >     in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >     commit c64ccf3fd2bd58949360ab05b2f20da610b2c999
> >     Author: Mark Thomas <markt@apache.org <ma...@apache.org>>
> >     AuthorDate: Wed Jan 15 15:36:05 2020 +0000
> >
> >         Update tests to use SSLHostConfig for TLS configuration
> >
> >
> > I was doing this removal as well at the same time, predictably it has a
> > large impact on embedded TLS (which was already quite nightmarish). Oh
> > well, it had to happen.
>
> Sorry if I caused you to waste time on this.
>

No problem, you did it better.


>
> While I was doing this I did wonder about deprecating/removing
> [get|set]Attribute on Connector (and any other element where we have
> both [get|set]Attribute() and [get|set]Property(). Thoughts? Something
> to add to the TODO list?
>

Ok, I forgot the real use of that [get|set]Attribute() to be honest.

>
> I'm currently working on ensuring master, 9.0.x and 8.5.x are as aligned
> as possible (with a view to keeping them that way). Hopefully that won't
> conflict.
>

Rémy

>
>
> >
> > Rémy
> >
> >
> >     ---
> >      test/org/apache/tomcat/util/net/TestCustomSsl.java | 35
> >     +++++++++-------
> >      test/org/apache/tomcat/util/net/TesterSupport.java | 49
> >     ++++++++++------------
> >      .../util/net/jsse/TesterBug50640SslImpl.java       |  1 -
> >      3 files changed, 40 insertions(+), 45 deletions(-)
> >
> >     diff --git a/test/org/apache/tomcat/util/net/TestCustomSsl.java
> >     b/test/org/apache/tomcat/util/net/TestCustomSsl.java
> >     index 60dbf00..f036931 100644
> >     --- a/test/org/apache/tomcat/util/net/TestCustomSsl.java
> >     +++ b/test/org/apache/tomcat/util/net/TestCustomSsl.java
> >     @@ -32,6 +32,7 @@ import org.apache.catalina.startup.TomcatBaseTest;
> >      import org.apache.coyote.ProtocolHandler;
> >      import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
> >      import org.apache.tomcat.util.buf.ByteChunk;
> >     +import org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.SSLHostConfigCertificate.Type;
> >      import org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.jsse.TesterBug50640SslImpl;
> >      import org.apache.tomcat.websocket.server.WsContextListener;
> >
> >     @@ -59,20 +60,22 @@ public class TestCustomSsl extends
> TomcatBaseTest {
> >              Assume.assumeFalse("This test is only for JSSE based SSL
> >     connectors",
> >
> >      connector.getProtocolHandlerClassName().contains("Apr"));
> >
> >     +        SSLHostConfig sslHostConfig = new SSLHostConfig();
> >     +        SSLHostConfigCertificate certificate = new
> >     SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
> >     +        sslHostConfig.addCertificate(certificate);
> >     +        connector.addSslHostConfig(sslHostConfig);
> >     +
> >              Assert.assertTrue(connector.setProperty(
> >                      "sslImplementationName",
> >     "org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.jsse.TesterBug50640SslImpl"));
> >
> >              // This setting will break ssl configuration unless the
> custom
> >              // implementation is used.
> >     -        Assert.assertTrue(connector.setProperty(
> >     -                TesterBug50640SslImpl.PROPERTY_NAME,
> >     TesterBug50640SslImpl.PROPERTY_VALUE));
> >     +
> >     sslHostConfig.setProtocols(TesterBug50640SslImpl.PROPERTY_VALUE);
> >
> >     -        Assert.assertTrue(connector.setProperty("sslProtocol",
> "tls"));
> >     +        sslHostConfig.setSslProtocol("tls");
> >
> >     -        File keystoreFile =
> >     -            new File(TesterSupport.LOCALHOST_RSA_JKS);
> >     -        connector.setAttribute(
> >     -                "keystoreFile", keystoreFile.getAbsolutePath());
> >     +        File keystoreFile = new
> File(TesterSupport.LOCALHOST_RSA_JKS);
> >     +
> >
>  certificate.setCertificateKeystoreFile(keystoreFile.getAbsolutePath());
> >
> >              connector.setSecure(true);
> >              Assert.assertTrue(connector.setProperty("SSLEnabled",
> "true"));
> >     @@ -109,23 +112,25 @@ public class TestCustomSsl extends
> >     TomcatBaseTest {
> >              Tomcat tomcat = getTomcatInstance();
> >
> >              Assume.assumeTrue("SSL renegotiation has to be supported
> >     for this test",
> >     -
> >     TesterSupport.isRenegotiationSupported(getTomcatInstance()));
> >     +                TesterSupport.isRenegotiationSupported(tomcat));
> >
> >              TesterSupport.configureClientCertContext(tomcat);
> >
> >     +        Connector connector = tomcat.getConnector();
> >     +
> >              // Override the defaults
> >     -        ProtocolHandler handler =
> >     tomcat.getConnector().getProtocolHandler();
> >     +        ProtocolHandler handler = connector.getProtocolHandler();
> >              if (handler instanceof AbstractHttp11JsseProtocol) {
> >     -            ((AbstractHttp11JsseProtocol<?>)
> >     handler).setTruststoreFile(null);
> >     +
> connector.findSslHostConfigs()[0].setTruststoreFile(null);
> >              } else {
> >                  // Unexpected
> >                  Assert.fail("Unexpected handler type");
> >              }
> >              if (trustType.equals(TrustType.ALL)) {
> >     -
> tomcat.getConnector().setAttribute("trustManagerClassName",
> >     +
> connector.findSslHostConfigs()[0].setTrustManagerClassName(
> >                          "org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.TesterSupport$TrustAllCerts");
> >              } else if (trustType.equals(TrustType.CA)) {
> >     -
> tomcat.getConnector().setAttribute("trustManagerClassName",
> >     +
> connector.findSslHostConfigs()[0].setTrustManagerClassName(
> >                          "org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net
> >.TesterSupport$SequentialTrustManager");
> >              }
> >
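Review bot: `connector.findSslHostConfigs()[0]` is evaluated three times in this hunk (the truststore reset and both `trustManagerClassName` branches); fetching it once with `SSLHostConfig sslHostConfig = connector.findSslHostConfigs()[0];` and calling the setters on that local reads more clearly and makes the single-host-config assumption explicit. The `instanceof AbstractHttp11JsseProtocol` check no longer guards a cast, since the new branch body does not use `handler`; a short comment such as `// Only JSSE connectors are expected here; the truststore is now configured on the SSLHostConfig` would explain why the type check is kept. Indexing `[0]` presumably relies on `TesterSupport.configureClientCertContext` having registered exactly one SSLHostConfig; if none were present the test would fail with an ArrayIndexOutOfBoundsException rather than a descriptive assertion. The enclosing test method starts outside the hunk, and the same hunk is quoted again in the later copies of this commit in the thread.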
> >     @@ -135,16 +140,14 @@ public class TestCustomSsl extends
> >     TomcatBaseTest {
> >              TesterSupport.configureClientSsl();
> >
> >              // Unprotected resource
> >     -        ByteChunk res =
> >     -                getUrl("https://localhost:" + getPort() +
> >     "/unprotected");
> >     +        ByteChunk res = getUrl("https://localhost:" + getPort() +
> >     "/unprotected");
> >              Assert.assertEquals("OK", res.toString());
> >
> >              // Protected resource
> >              res.recycle();
> >              int rc = -1;
> >              try {
> >     -            rc = getUrl("https://localhost:" + getPort() +
> >     "/protected", res,
> >     -                null, null);
> >     +            rc = getUrl("https://localhost:" + getPort() +
> >     "/protected", res, null, null);
> >              } catch (SocketException se) {
> >                  if (!trustType.equals(TrustType.NONE)) {
> >                      Assert.fail(se.getMessage());
> >     diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java
> >     b/test/org/apache/tomcat/util/net/TesterSupport.java
> >     index 49b8de7..37d69c8 100644
> >     --- a/test/org/apache/tomcat/util/net/TesterSupport.java
> >     +++ b/test/org/apache/tomcat/util/net/TesterSupport.java
> >     @@ -64,6 +64,7 @@ import org.apache.tomcat.util.compat.JrePlatform;
> >      import org.apache.tomcat.util.descriptor.web.LoginConfig;
> >      import org.apache.tomcat.util.descriptor.web.SecurityCollection;
> >      import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
> >     +import org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.SSLHostConfigCertificate.Type;
> >
> >      public final class TesterSupport {
> >
> >     @@ -137,47 +138,39 @@ public final class TesterSupport {
> >          protected static void initSsl(Tomcat tomcat, String keystore,
> >                  String keystorePass, String keyPass) {
> >
> >     +        Connector connector = tomcat.getConnector();
> >     +        connector.setSecure(true);
> >     +        Assert.assertTrue(connector.setProperty("SSLEnabled",
> "true"));
> >     +
> >     +        SSLHostConfig sslHostConfig = new SSLHostConfig();
> >     +        SSLHostConfigCertificate certificate = new
> >     SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
> >     +        sslHostConfig.addCertificate(certificate);
> >     +        connector.addSslHostConfig(sslHostConfig);
> >     +
> >              String protocol =
> >     tomcat.getConnector().getProtocolHandlerClassName();
> >              if (!protocol.contains("Apr")) {
> >     -            Connector connector = tomcat.getConnector();
> >                  String sslImplementation =
> >     System.getProperty("tomcat.test.sslImplementation");
> >                  if (sslImplementation != null &&
> >     !"${test.sslImplementation}".equals(sslImplementation)) {
> >                      StandardServer server = (StandardServer)
> >     tomcat.getServer();
> >                      AprLifecycleListener listener = new
> >     AprLifecycleListener();
> >                      listener.setSSLRandomSeed("/dev/urandom");
> >                      server.addLifecycleListener(listener);
> >     -
> >     tomcat.getConnector().setAttribute("sslImplementationName",
> >     sslImplementation);
> >     +                connector.setAttribute("sslImplementationName",
> >     sslImplementation);
> >                  }
> >     -            Assert.assertTrue(connector.setProperty("sslProtocol",
> >     "tls"));
> >     -            File keystoreFile =
> >     -                new File(keystore);
> >     -            connector.setAttribute("keystoreFile",
> >     -                    keystoreFile.getAbsolutePath());
> >     -            File truststoreFile = new File(CA_JKS);
> >     -            connector.setAttribute("truststoreFile",
> >     -                    truststoreFile.getAbsolutePath());
> >     +            sslHostConfig.setSslProtocol("tls");
> >     +            certificate.setCertificateKeystoreFile(new
> >     File(keystore).getAbsolutePath());
> >     +            sslHostConfig.setTruststoreFile(new
> >     File(CA_JKS).getAbsolutePath());
> >                  if (keystorePass != null) {
> >     -                connector.setAttribute("keystorePass",
> keystorePass);
> >     +
> >     certificate.setCertificateKeystorePassword(keystorePass);
> >                  }
> >                  if (keyPass != null) {
> >     -                connector.setAttribute("keyPass", keyPass);
> >     +                certificate.setCertificateKeyPassword(keyPass);
> >                  }
> >              } else {
> >     -            File keystoreFile = new File(
> >     -                    LOCALHOST_RSA_CERT_PEM);
> >     -            tomcat.getConnector().setAttribute("SSLCertificateFile",
> >     -                    keystoreFile.getAbsolutePath());
> >     -            keystoreFile = new File(
> >     -                    LOCALHOST_RSA_KEY_PEM);
> >     -
> tomcat.getConnector().setAttribute("SSLCertificateKeyFile",
> >     -                    keystoreFile.getAbsolutePath());
> >     -            keystoreFile = new File(
> >     -                    CA_CERT_PEM);
> >     -
> tomcat.getConnector().setAttribute("SSLCACertificateFile",
> >     -                    keystoreFile.getAbsolutePath());
> >     -        }
> >     -        tomcat.getConnector().setSecure(true);
> >     -
> >     Assert.assertTrue(tomcat.getConnector().setProperty("SSLEnabled",
> >     "true"));
> >     +            certificate.setCertificateFile(new
> >     File(LOCALHOST_RSA_CERT_PEM).getAbsolutePath());
> >     +            certificate.setCertificateKeyFile(new
> >     File(LOCALHOST_RSA_KEY_PEM).getAbsolutePath());
> >     +            sslHostConfig.setCaCertificateFile(new
> >     File(CA_CERT_PEM).getAbsolutePath());
> >     +        }
> >          }
> >
> >          protected static KeyManager[] getUser1KeyManagers() throws
> >     Exception {
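Review bot: The context line `String protocol = tomcat.getConnector().getProtocolHandlerClassName();` still goes through `tomcat.getConnector()` although the hunk introduces a `connector` local a few statements earlier and removes the inner `Connector connector = tomcat.getConnector();`; `String protocol = connector.getProtocolHandlerClassName();` would keep initSsl consistent with the rest of its rewritten body. The hunk also moves `connector.setSecure(true)` and the `SSLEnabled` property ahead of the SSLHostConfig registration and the APR listener setup; if `setProperty("SSLEnabled", ...)` triggers any endpoint initialisation this reordering would matter — presumably it does not before the connector is started, but worth confirming. The same points apply to the copies of this hunk quoted later in the thread.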
> >     @@ -266,7 +259,7 @@ public final class TesterSupport {
> >               * depend. Therefore, force these tests to use TLSv1.2 so
> >     that they pass
> >               * when running on TLSv1.3.
> >               */
> >     -
> >
>  Assert.assertTrue(tomcat.getConnector().setProperty("sslEnabledProtocols",
> >     Constants.SSL_PROTO_TLSv1_2));
> >     +
> >
>  tomcat.getConnector().findSslHostConfigs()[0].setProtocols(Constants.SSL_PROTO_TLSv1_2);
> >
> >              // Need a web application with a protected and unprotected
> URL
> >              // No file system docBase required
> >     diff --git
> >     a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> >     b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> >     index 6865b9d..478bbfa 100644
> >     --- a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> >     +++ b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> >     @@ -23,7 +23,6 @@ import org.apache.tomcat.util.net
> >     <http://org.apache.tomcat.util.net>.SSLUtil;
> >
> >      public class TesterBug50640SslImpl extends JSSEImplementation {
> >
> >     -    public static final String PROPERTY_NAME =
> "sslEnabledProtocols";
> >          public static final String PROPERTY_VALUE = "magic";
> >
> >
> >
> >
> >
>
>
>
>

Re: [tomcat] 01/02: Update tests to use SSLHostConfig for TLS configuration

Posted by Mark Thomas <ma...@apache.org>.
On 15/01/2020 16:01, Rémy Maucherat wrote:
> On Wed, Jan 15, 2020 at 4:37 PM <markt@apache.org
> <ma...@apache.org>> wrote:
> 
>     This is an automated email from the ASF dual-hosted git repository.
> 
>     markt pushed a commit to branch master
>     in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
>     commit c64ccf3fd2bd58949360ab05b2f20da610b2c999
>     Author: Mark Thomas <markt@apache.org <ma...@apache.org>>
>     AuthorDate: Wed Jan 15 15:36:05 2020 +0000
> 
>         Update tests to use SSLHostConfig for TLS configuration
> 
> 
> I was doing this removal as well at the same time, predictably it has a
> large impact on embedded TLS (which was already quite nightmarish). Oh
> well, it had to happen.

Sorry if I caused you to waste time on this.

While I was doing this I did wonder about deprecating/removing
[get|set]Attribute on Connector (and any other element where we have
both [get|set]Attribute() and [get|set]Property()). Thoughts? Something
to add to the TODO list?

I'm currently working on ensuring master, 9.0.x and 8.5.x are as aligned
as possible (with a view to keeping them that way). Hopefully that won't
conflict.


> 
> Rémy
>  
> 
>     ---
>      test/org/apache/tomcat/util/net/TestCustomSsl.java | 35
>     +++++++++-------
>      test/org/apache/tomcat/util/net/TesterSupport.java | 49
>     ++++++++++------------
>      .../util/net/jsse/TesterBug50640SslImpl.java       |  1 -
>      3 files changed, 40 insertions(+), 45 deletions(-)
> 
>     diff --git a/test/org/apache/tomcat/util/net/TestCustomSsl.java
>     b/test/org/apache/tomcat/util/net/TestCustomSsl.java
>     index 60dbf00..f036931 100644
>     --- a/test/org/apache/tomcat/util/net/TestCustomSsl.java
>     +++ b/test/org/apache/tomcat/util/net/TestCustomSsl.java
>     @@ -32,6 +32,7 @@ import org.apache.catalina.startup.TomcatBaseTest;
>      import org.apache.coyote.ProtocolHandler;
>      import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
>      import org.apache.tomcat.util.buf.ByteChunk;
>     +import org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.SSLHostConfigCertificate.Type;
>      import org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.jsse.TesterBug50640SslImpl;
>      import org.apache.tomcat.websocket.server.WsContextListener;
> 
>     @@ -59,20 +60,22 @@ public class TestCustomSsl extends TomcatBaseTest {
>              Assume.assumeFalse("This test is only for JSSE based SSL
>     connectors",
>                    
>      connector.getProtocolHandlerClassName().contains("Apr"));
> 
>     +        SSLHostConfig sslHostConfig = new SSLHostConfig();
>     +        SSLHostConfigCertificate certificate = new
>     SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
>     +        sslHostConfig.addCertificate(certificate);
>     +        connector.addSslHostConfig(sslHostConfig);
>     +
>              Assert.assertTrue(connector.setProperty(
>                      "sslImplementationName",
>     "org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.jsse.TesterBug50640SslImpl"));
> 
>              // This setting will break ssl configuration unless the custom
>              // implementation is used.
>     -        Assert.assertTrue(connector.setProperty(
>     -                TesterBug50640SslImpl.PROPERTY_NAME,
>     TesterBug50640SslImpl.PROPERTY_VALUE));
>     +       
>     sslHostConfig.setProtocols(TesterBug50640SslImpl.PROPERTY_VALUE);
> 
>     -        Assert.assertTrue(connector.setProperty("sslProtocol", "tls"));
>     +        sslHostConfig.setSslProtocol("tls");
> 
>     -        File keystoreFile =
>     -            new File(TesterSupport.LOCALHOST_RSA_JKS);
>     -        connector.setAttribute(
>     -                "keystoreFile", keystoreFile.getAbsolutePath());
>     +        File keystoreFile = new File(TesterSupport.LOCALHOST_RSA_JKS);
>     +       
>     certificate.setCertificateKeystoreFile(keystoreFile.getAbsolutePath());
> 
>              connector.setSecure(true);
>              Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
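Review bot: The new `keystoreFile` local exists only to feed `getAbsolutePath()` into `certificate.setCertificateKeystoreFile(...)`, whereas the TesterSupport.initSsl hunk in the same commit inlines the same construction as `new File(...).getAbsolutePath()`; `certificate.setCertificateKeystoreFile(new File(TesterSupport.LOCALHOST_RSA_JKS).getAbsolutePath());` would keep the two tests consistent. The comment "This setting will break ssl configuration unless the custom implementation is used" now precedes `sslHostConfig.setProtocols(TesterBug50640SslImpl.PROPERTY_VALUE)` with `PROPERTY_NAME` removed, so it no longer names the setting it refers to; `// PROPERTY_VALUE ("magic") is not a TLS protocol name: the stock implementation is expected to reject it, the custom one to accept it` would make the intent explicit. The enclosing test method starts before the hunk, and this hunk is repeated in the later quoted copies of the commit.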
>     @@ -109,23 +112,25 @@ public class TestCustomSsl extends
>     TomcatBaseTest {
>              Tomcat tomcat = getTomcatInstance();
> 
>              Assume.assumeTrue("SSL renegotiation has to be supported
>     for this test",
>     -               
>     TesterSupport.isRenegotiationSupported(getTomcatInstance()));
>     +                TesterSupport.isRenegotiationSupported(tomcat));
> 
>              TesterSupport.configureClientCertContext(tomcat);
> 
>     +        Connector connector = tomcat.getConnector();
>     +
>              // Override the defaults
>     -        ProtocolHandler handler =
>     tomcat.getConnector().getProtocolHandler();
>     +        ProtocolHandler handler = connector.getProtocolHandler();
>              if (handler instanceof AbstractHttp11JsseProtocol) {
>     -            ((AbstractHttp11JsseProtocol<?>)
>     handler).setTruststoreFile(null);
>     +            connector.findSslHostConfigs()[0].setTruststoreFile(null);
>              } else {
>                  // Unexpected
>                  Assert.fail("Unexpected handler type");
>              }
>              if (trustType.equals(TrustType.ALL)) {
>     -            tomcat.getConnector().setAttribute("trustManagerClassName",
>     +            connector.findSslHostConfigs()[0].setTrustManagerClassName(
>                          "org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.TesterSupport$TrustAllCerts");
>              } else if (trustType.equals(TrustType.CA)) {
>     -            tomcat.getConnector().setAttribute("trustManagerClassName",
>     +            connector.findSslHostConfigs()[0].setTrustManagerClassName(
>                          "org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.TesterSupport$SequentialTrustManager");
>              }
> 
>     @@ -135,16 +140,14 @@ public class TestCustomSsl extends
>     TomcatBaseTest {
>              TesterSupport.configureClientSsl();
> 
>              // Unprotected resource
>     -        ByteChunk res =
>     -                getUrl("https://localhost:" + getPort() +
>     "/unprotected");
>     +        ByteChunk res = getUrl("https://localhost:" + getPort() +
>     "/unprotected");
>              Assert.assertEquals("OK", res.toString());
> 
>              // Protected resource
>              res.recycle();
>              int rc = -1;
>              try {
>     -            rc = getUrl("https://localhost:" + getPort() +
>     "/protected", res,
>     -                null, null);
>     +            rc = getUrl("https://localhost:" + getPort() +
>     "/protected", res, null, null);
>              } catch (SocketException se) {
>                  if (!trustType.equals(TrustType.NONE)) {
>                      Assert.fail(se.getMessage());
>     diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java
>     b/test/org/apache/tomcat/util/net/TesterSupport.java
>     index 49b8de7..37d69c8 100644
>     --- a/test/org/apache/tomcat/util/net/TesterSupport.java
>     +++ b/test/org/apache/tomcat/util/net/TesterSupport.java
>     @@ -64,6 +64,7 @@ import org.apache.tomcat.util.compat.JrePlatform;
>      import org.apache.tomcat.util.descriptor.web.LoginConfig;
>      import org.apache.tomcat.util.descriptor.web.SecurityCollection;
>      import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
>     +import org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.SSLHostConfigCertificate.Type;
> 
>      public final class TesterSupport {
> 
>     @@ -137,47 +138,39 @@ public final class TesterSupport {
>          protected static void initSsl(Tomcat tomcat, String keystore,
>                  String keystorePass, String keyPass) {
> 
>     +        Connector connector = tomcat.getConnector();
>     +        connector.setSecure(true);
>     +        Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
>     +
>     +        SSLHostConfig sslHostConfig = new SSLHostConfig();
>     +        SSLHostConfigCertificate certificate = new
>     SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
>     +        sslHostConfig.addCertificate(certificate);
>     +        connector.addSslHostConfig(sslHostConfig);
>     +
>              String protocol =
>     tomcat.getConnector().getProtocolHandlerClassName();
>              if (!protocol.contains("Apr")) {
>     -            Connector connector = tomcat.getConnector();
>                  String sslImplementation =
>     System.getProperty("tomcat.test.sslImplementation");
>                  if (sslImplementation != null &&
>     !"${test.sslImplementation}".equals(sslImplementation)) {
>                      StandardServer server = (StandardServer)
>     tomcat.getServer();
>                      AprLifecycleListener listener = new
>     AprLifecycleListener();
>                      listener.setSSLRandomSeed("/dev/urandom");
>                      server.addLifecycleListener(listener);
>     -               
>     tomcat.getConnector().setAttribute("sslImplementationName",
>     sslImplementation);
>     +                connector.setAttribute("sslImplementationName",
>     sslImplementation);
>                  }
>     -            Assert.assertTrue(connector.setProperty("sslProtocol",
>     "tls"));
>     -            File keystoreFile =
>     -                new File(keystore);
>     -            connector.setAttribute("keystoreFile",
>     -                    keystoreFile.getAbsolutePath());
>     -            File truststoreFile = new File(CA_JKS);
>     -            connector.setAttribute("truststoreFile",
>     -                    truststoreFile.getAbsolutePath());
>     +            sslHostConfig.setSslProtocol("tls");
>     +            certificate.setCertificateKeystoreFile(new
>     File(keystore).getAbsolutePath());
>     +            sslHostConfig.setTruststoreFile(new
>     File(CA_JKS).getAbsolutePath());
>                  if (keystorePass != null) {
>     -                connector.setAttribute("keystorePass", keystorePass);
>     +               
>     certificate.setCertificateKeystorePassword(keystorePass);
>                  }
>                  if (keyPass != null) {
>     -                connector.setAttribute("keyPass", keyPass);
>     +                certificate.setCertificateKeyPassword(keyPass);
>                  }
>              } else {
>     -            File keystoreFile = new File(
>     -                    LOCALHOST_RSA_CERT_PEM);
>     -            tomcat.getConnector().setAttribute("SSLCertificateFile",
>     -                    keystoreFile.getAbsolutePath());
>     -            keystoreFile = new File(
>     -                    LOCALHOST_RSA_KEY_PEM);
>     -            tomcat.getConnector().setAttribute("SSLCertificateKeyFile",
>     -                    keystoreFile.getAbsolutePath());
>     -            keystoreFile = new File(
>     -                    CA_CERT_PEM);
>     -            tomcat.getConnector().setAttribute("SSLCACertificateFile",
>     -                    keystoreFile.getAbsolutePath());
>     -        }
>     -        tomcat.getConnector().setSecure(true);
>     -       
>     Assert.assertTrue(tomcat.getConnector().setProperty("SSLEnabled",
>     "true"));
>     +            certificate.setCertificateFile(new
>     File(LOCALHOST_RSA_CERT_PEM).getAbsolutePath());
>     +            certificate.setCertificateKeyFile(new
>     File(LOCALHOST_RSA_KEY_PEM).getAbsolutePath());
>     +            sslHostConfig.setCaCertificateFile(new
>     File(CA_CERT_PEM).getAbsolutePath());
>     +        }
>          }
> 
>          protected static KeyManager[] getUser1KeyManagers() throws
>     Exception {
>     @@ -266,7 +259,7 @@ public final class TesterSupport {
>               * depend. Therefore, force these tests to use TLSv1.2 so
>     that they pass
>               * when running on TLSv1.3.
>               */
>     -       
>     Assert.assertTrue(tomcat.getConnector().setProperty("sslEnabledProtocols",
>     Constants.SSL_PROTO_TLSv1_2));
>     +       
>     tomcat.getConnector().findSslHostConfigs()[0].setProtocols(Constants.SSL_PROTO_TLSv1_2);
> 
>              // Need a web application with a protected and unprotected URL
>              // No file system docBase required
>     diff --git
>     a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
>     b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
>     index 6865b9d..478bbfa 100644
>     --- a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
>     +++ b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
>     @@ -23,7 +23,6 @@ import org.apache.tomcat.util.net
>     <http://org.apache.tomcat.util.net>.SSLUtil;
> 
>      public class TesterBug50640SslImpl extends JSSEImplementation {
> 
>     -    public static final String PROPERTY_NAME = "sslEnabledProtocols";
>          public static final String PROPERTY_VALUE = "magic";
> 
> 
> 
> 
> 




Re: [tomcat] 01/02: Update tests to use SSLHostConfig for TLS configuration

Posted by Rémy Maucherat <re...@apache.org>.
On Wed, Jan 15, 2020 at 4:37 PM <ma...@apache.org> wrote:

> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
> commit c64ccf3fd2bd58949360ab05b2f20da610b2c999
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Wed Jan 15 15:36:05 2020 +0000
>
>     Update tests to use SSLHostConfig for TLS configuration
>

I was doing this removal as well at the same time, predictably it has a
large impact on embedded TLS (which was already quite nightmarish). Oh
well, it had to happen.

Rémy


> ---
>  test/org/apache/tomcat/util/net/TestCustomSsl.java | 35 +++++++++-------
>  test/org/apache/tomcat/util/net/TesterSupport.java | 49
> ++++++++++------------
>  .../util/net/jsse/TesterBug50640SslImpl.java       |  1 -
>  3 files changed, 40 insertions(+), 45 deletions(-)
>
> diff --git a/test/org/apache/tomcat/util/net/TestCustomSsl.java
> b/test/org/apache/tomcat/util/net/TestCustomSsl.java
> index 60dbf00..f036931 100644
> --- a/test/org/apache/tomcat/util/net/TestCustomSsl.java
> +++ b/test/org/apache/tomcat/util/net/TestCustomSsl.java
> @@ -32,6 +32,7 @@ import org.apache.catalina.startup.TomcatBaseTest;
>  import org.apache.coyote.ProtocolHandler;
>  import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
>  import org.apache.tomcat.util.buf.ByteChunk;
> +import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
>  import org.apache.tomcat.util.net.jsse.TesterBug50640SslImpl;
>  import org.apache.tomcat.websocket.server.WsContextListener;
>
> @@ -59,20 +60,22 @@ public class TestCustomSsl extends TomcatBaseTest {
>          Assume.assumeFalse("This test is only for JSSE based SSL
> connectors",
>                  connector.getProtocolHandlerClassName().contains("Apr"));
>
> +        SSLHostConfig sslHostConfig = new SSLHostConfig();
> +        SSLHostConfigCertificate certificate = new
> SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
> +        sslHostConfig.addCertificate(certificate);
> +        connector.addSslHostConfig(sslHostConfig);
> +
>          Assert.assertTrue(connector.setProperty(
>                  "sslImplementationName", "org.apache.tomcat.util.net
> .jsse.TesterBug50640SslImpl"));
>
>          // This setting will break ssl configuration unless the custom
>          // implementation is used.
> -        Assert.assertTrue(connector.setProperty(
> -                TesterBug50640SslImpl.PROPERTY_NAME,
> TesterBug50640SslImpl.PROPERTY_VALUE));
> +        sslHostConfig.setProtocols(TesterBug50640SslImpl.PROPERTY_VALUE);
>
> -        Assert.assertTrue(connector.setProperty("sslProtocol", "tls"));
> +        sslHostConfig.setSslProtocol("tls");
>
> -        File keystoreFile =
> -            new File(TesterSupport.LOCALHOST_RSA_JKS);
> -        connector.setAttribute(
> -                "keystoreFile", keystoreFile.getAbsolutePath());
> +        File keystoreFile = new File(TesterSupport.LOCALHOST_RSA_JKS);
> +
> certificate.setCertificateKeystoreFile(keystoreFile.getAbsolutePath());
>
>          connector.setSecure(true);
>          Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
> @@ -109,23 +112,25 @@ public class TestCustomSsl extends TomcatBaseTest {
>          Tomcat tomcat = getTomcatInstance();
>
>          Assume.assumeTrue("SSL renegotiation has to be supported for this
> test",
> -
> TesterSupport.isRenegotiationSupported(getTomcatInstance()));
> +                TesterSupport.isRenegotiationSupported(tomcat));
>
>          TesterSupport.configureClientCertContext(tomcat);
>
> +        Connector connector = tomcat.getConnector();
> +
>          // Override the defaults
> -        ProtocolHandler handler =
> tomcat.getConnector().getProtocolHandler();
> +        ProtocolHandler handler = connector.getProtocolHandler();
>          if (handler instanceof AbstractHttp11JsseProtocol) {
> -            ((AbstractHttp11JsseProtocol<?>)
> handler).setTruststoreFile(null);
> +            connector.findSslHostConfigs()[0].setTruststoreFile(null);
>          } else {
>              // Unexpected
>              Assert.fail("Unexpected handler type");
>          }
>          if (trustType.equals(TrustType.ALL)) {
> -            tomcat.getConnector().setAttribute("trustManagerClassName",
> +            connector.findSslHostConfigs()[0].setTrustManagerClassName(
>                      "org.apache.tomcat.util.net
> .TesterSupport$TrustAllCerts");
>          } else if (trustType.equals(TrustType.CA)) {
> -            tomcat.getConnector().setAttribute("trustManagerClassName",
> +            connector.findSslHostConfigs()[0].setTrustManagerClassName(
>                      "org.apache.tomcat.util.net
> .TesterSupport$SequentialTrustManager");
>          }
>
> @@ -135,16 +140,14 @@ public class TestCustomSsl extends TomcatBaseTest {
>          TesterSupport.configureClientSsl();
>
>          // Unprotected resource
> -        ByteChunk res =
> -                getUrl("https://localhost:" + getPort() +
> "/unprotected");
> +        ByteChunk res = getUrl("https://localhost:" + getPort() +
> "/unprotected");
>          Assert.assertEquals("OK", res.toString());
>
>          // Protected resource
>          res.recycle();
>          int rc = -1;
>          try {
> -            rc = getUrl("https://localhost:" + getPort() + "/protected",
> res,
> -                null, null);
> +            rc = getUrl("https://localhost:" + getPort() + "/protected",
> res, null, null);
>          } catch (SocketException se) {
>              if (!trustType.equals(TrustType.NONE)) {
>                  Assert.fail(se.getMessage());
> diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java
> b/test/org/apache/tomcat/util/net/TesterSupport.java
> index 49b8de7..37d69c8 100644
> --- a/test/org/apache/tomcat/util/net/TesterSupport.java
> +++ b/test/org/apache/tomcat/util/net/TesterSupport.java
> @@ -64,6 +64,7 @@ import org.apache.tomcat.util.compat.JrePlatform;
>  import org.apache.tomcat.util.descriptor.web.LoginConfig;
>  import org.apache.tomcat.util.descriptor.web.SecurityCollection;
>  import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
> +import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
>
>  public final class TesterSupport {
>
> @@ -137,47 +138,39 @@ public final class TesterSupport {
>      protected static void initSsl(Tomcat tomcat, String keystore,
>              String keystorePass, String keyPass) {
>
> +        Connector connector = tomcat.getConnector();
> +        connector.setSecure(true);
> +        Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
> +
> +        SSLHostConfig sslHostConfig = new SSLHostConfig();
> +        SSLHostConfigCertificate certificate = new
> SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
> +        sslHostConfig.addCertificate(certificate);
> +        connector.addSslHostConfig(sslHostConfig);
> +
>          String protocol =
> tomcat.getConnector().getProtocolHandlerClassName();
>          if (!protocol.contains("Apr")) {
> -            Connector connector = tomcat.getConnector();
>              String sslImplementation =
> System.getProperty("tomcat.test.sslImplementation");
>              if (sslImplementation != null &&
> !"${test.sslImplementation}".equals(sslImplementation)) {
>                  StandardServer server = (StandardServer)
> tomcat.getServer();
>                  AprLifecycleListener listener = new
> AprLifecycleListener();
>                  listener.setSSLRandomSeed("/dev/urandom");
>                  server.addLifecycleListener(listener);
> -
> tomcat.getConnector().setAttribute("sslImplementationName",
> sslImplementation);
> +                connector.setAttribute("sslImplementationName",
> sslImplementation);
>              }
> -            Assert.assertTrue(connector.setProperty("sslProtocol",
> "tls"));
> -            File keystoreFile =
> -                new File(keystore);
> -            connector.setAttribute("keystoreFile",
> -                    keystoreFile.getAbsolutePath());
> -            File truststoreFile = new File(CA_JKS);
> -            connector.setAttribute("truststoreFile",
> -                    truststoreFile.getAbsolutePath());
> +            sslHostConfig.setSslProtocol("tls");
> +            certificate.setCertificateKeystoreFile(new
> File(keystore).getAbsolutePath());
> +            sslHostConfig.setTruststoreFile(new
> File(CA_JKS).getAbsolutePath());
>              if (keystorePass != null) {
> -                connector.setAttribute("keystorePass", keystorePass);
> +                certificate.setCertificateKeystorePassword(keystorePass);
>              }
>              if (keyPass != null) {
> -                connector.setAttribute("keyPass", keyPass);
> +                certificate.setCertificateKeyPassword(keyPass);
>              }
>          } else {
> -            File keystoreFile = new File(
> -                    LOCALHOST_RSA_CERT_PEM);
> -            tomcat.getConnector().setAttribute("SSLCertificateFile",
> -                    keystoreFile.getAbsolutePath());
> -            keystoreFile = new File(
> -                    LOCALHOST_RSA_KEY_PEM);
> -            tomcat.getConnector().setAttribute("SSLCertificateKeyFile",
> -                    keystoreFile.getAbsolutePath());
> -            keystoreFile = new File(
> -                    CA_CERT_PEM);
> -            tomcat.getConnector().setAttribute("SSLCACertificateFile",
> -                    keystoreFile.getAbsolutePath());
> -        }
> -        tomcat.getConnector().setSecure(true);
> -        Assert.assertTrue(tomcat.getConnector().setProperty("SSLEnabled",
> "true"));
> +            certificate.setCertificateFile(new
> File(LOCALHOST_RSA_CERT_PEM).getAbsolutePath());
> +            certificate.setCertificateKeyFile(new
> File(LOCALHOST_RSA_KEY_PEM).getAbsolutePath());
> +            sslHostConfig.setCaCertificateFile(new
> File(CA_CERT_PEM).getAbsolutePath());
> +        }
>      }
>
>      protected static KeyManager[] getUser1KeyManagers() throws Exception {
> @@ -266,7 +259,7 @@ public final class TesterSupport {
>           * depend. Therefore, force these tests to use TLSv1.2 so that
> they pass
>           * when running on TLSv1.3.
>           */
> -
> Assert.assertTrue(tomcat.getConnector().setProperty("sslEnabledProtocols",
> Constants.SSL_PROTO_TLSv1_2));
> +
> tomcat.getConnector().findSslHostConfigs()[0].setProtocols(Constants.SSL_PROTO_TLSv1_2);
>
>          // Need a web application with a protected and unprotected URL
>          // No file system docBase required
> diff --git
> a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> index 6865b9d..478bbfa 100644
> --- a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> +++ b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
> @@ -23,7 +23,6 @@ import org.apache.tomcat.util.net.SSLUtil;
>
>  public class TesterBug50640SslImpl extends JSSEImplementation {
>
> -    public static final String PROPERTY_NAME = "sslEnabledProtocols";
>      public static final String PROPERTY_VALUE = "magic";
>
>
>
>
>
>

[tomcat] 01/02: Update tests to use SSLHostConfig for TLS configuration

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit c64ccf3fd2bd58949360ab05b2f20da610b2c999
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jan 15 15:36:05 2020 +0000

    Update tests to use SSLHostConfig for TLS configuration
---
 test/org/apache/tomcat/util/net/TestCustomSsl.java | 35 +++++++++-------
 test/org/apache/tomcat/util/net/TesterSupport.java | 49 ++++++++++------------
 .../util/net/jsse/TesterBug50640SslImpl.java       |  1 -
 3 files changed, 40 insertions(+), 45 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/TestCustomSsl.java b/test/org/apache/tomcat/util/net/TestCustomSsl.java
index 60dbf00..f036931 100644
--- a/test/org/apache/tomcat/util/net/TestCustomSsl.java
+++ b/test/org/apache/tomcat/util/net/TestCustomSsl.java
@@ -32,6 +32,7 @@ import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.coyote.ProtocolHandler;
 import org.apache.coyote.http11.AbstractHttp11JsseProtocol;
 import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.apache.tomcat.util.net.jsse.TesterBug50640SslImpl;
 import org.apache.tomcat.websocket.server.WsContextListener;
 
@@ -59,20 +60,22 @@ public class TestCustomSsl extends TomcatBaseTest {
         Assume.assumeFalse("This test is only for JSSE based SSL connectors",
                 connector.getProtocolHandlerClassName().contains("Apr"));
 
+        SSLHostConfig sslHostConfig = new SSLHostConfig();
+        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
+        sslHostConfig.addCertificate(certificate);
+        connector.addSslHostConfig(sslHostConfig);
+
         Assert.assertTrue(connector.setProperty(
                 "sslImplementationName", "org.apache.tomcat.util.net.jsse.TesterBug50640SslImpl"));
 
         // This setting will break ssl configuration unless the custom
         // implementation is used.
-        Assert.assertTrue(connector.setProperty(
-                TesterBug50640SslImpl.PROPERTY_NAME, TesterBug50640SslImpl.PROPERTY_VALUE));
+        sslHostConfig.setProtocols(TesterBug50640SslImpl.PROPERTY_VALUE);
 
-        Assert.assertTrue(connector.setProperty("sslProtocol", "tls"));
+        sslHostConfig.setSslProtocol("tls");
 
-        File keystoreFile =
-            new File(TesterSupport.LOCALHOST_RSA_JKS);
-        connector.setAttribute(
-                "keystoreFile", keystoreFile.getAbsolutePath());
+        File keystoreFile = new File(TesterSupport.LOCALHOST_RSA_JKS);
+        certificate.setCertificateKeystoreFile(keystoreFile.getAbsolutePath());
 
         connector.setSecure(true);
         Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
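Review bot: The comment above `sslHostConfig.setProtocols(TesterBug50640SslImpl.PROPERTY_VALUE)` still only says the setting "will break ssl configuration unless the custom implementation is used", and now that `PROPERTY_NAME` is deleted the constant name no longer tells the reader that the value lands in the enabled-protocol list. I would make the intent explicit: `// "magic" is not a protocol name the stock JSSE implementation is expected to accept; only TesterBug50640SslImpl tolerates it, so the test fails fast if the custom implementation was not picked up (TODO confirm against SSLHostConfig.setProtocols).` The hunk now mixes two configuration paths side by side: `sslImplementationName` stays on `connector.setProperty(...)` with its return value asserted, while everything TLS-related moved to the `SSLHostConfig`/`SSLHostConfigCertificate` setters; a one-line comment that the implementation name is a connector-level attribute rather than an SSLHostConfig one would stop the next reader from trying to migrate it too.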
@@ -109,23 +112,25 @@ public class TestCustomSsl extends TomcatBaseTest {
         Tomcat tomcat = getTomcatInstance();
 
         Assume.assumeTrue("SSL renegotiation has to be supported for this test",
-                TesterSupport.isRenegotiationSupported(getTomcatInstance()));
+                TesterSupport.isRenegotiationSupported(tomcat));
 
         TesterSupport.configureClientCertContext(tomcat);
 
+        Connector connector = tomcat.getConnector();
+
         // Override the defaults
-        ProtocolHandler handler = tomcat.getConnector().getProtocolHandler();
+        ProtocolHandler handler = connector.getProtocolHandler();
         if (handler instanceof AbstractHttp11JsseProtocol) {
-            ((AbstractHttp11JsseProtocol<?>) handler).setTruststoreFile(null);
+            connector.findSslHostConfigs()[0].setTruststoreFile(null);
         } else {
             // Unexpected
             Assert.fail("Unexpected handler type");
         }
         if (trustType.equals(TrustType.ALL)) {
-            tomcat.getConnector().setAttribute("trustManagerClassName",
+            connector.findSslHostConfigs()[0].setTrustManagerClassName(
                     "org.apache.tomcat.util.net.TesterSupport$TrustAllCerts");
         } else if (trustType.equals(TrustType.CA)) {
-            tomcat.getConnector().setAttribute("trustManagerClassName",
+            connector.findSslHostConfigs()[0].setTrustManagerClassName(
                     "org.apache.tomcat.util.net.TesterSupport$SequentialTrustManager");
         }
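Review bot: `connector.findSslHostConfigs()[0]` is evaluated three times and indexes the array without checking its length, so if `TesterSupport.configureClientCertContext` ever registered zero or two SSLHostConfigs the test would fail with an ArrayIndexOutOfBoundsException or quietly configure the wrong host config instead of a clear assertion. I would fetch it once and pin the expectation: `SSLHostConfig[] sslHostConfigs = connector.findSslHostConfigs();` / `Assert.assertEquals("expected exactly one SSLHostConfig", 1, sslHostConfigs.length);` / `SSLHostConfig sslHostConfig = sslHostConfigs[0];` and use `sslHostConfig` for the `setTruststoreFile` and `setTrustManagerClassName` calls. Separately, `handler` is now only used for the `instanceof AbstractHttp11JsseProtocol` guard, since the truststore is cleared on the SSLHostConfig rather than on the protocol handler; a short comment that the test is JSSE-only (as the `Assume` in the other test does) would make the `Assert.fail` branch less surprising.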
 
@@ -135,16 +140,14 @@ public class TestCustomSsl extends TomcatBaseTest {
         TesterSupport.configureClientSsl();
 
         // Unprotected resource
-        ByteChunk res =
-                getUrl("https://localhost:" + getPort() + "/unprotected");
+        ByteChunk res = getUrl("https://localhost:" + getPort() + "/unprotected");
         Assert.assertEquals("OK", res.toString());
 
         // Protected resource
         res.recycle();
         int rc = -1;
         try {
-            rc = getUrl("https://localhost:" + getPort() + "/protected", res,
-                null, null);
+            rc = getUrl("https://localhost:" + getPort() + "/protected", res, null, null);
         } catch (SocketException se) {
             if (!trustType.equals(TrustType.NONE)) {
                 Assert.fail(se.getMessage());
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java b/test/org/apache/tomcat/util/net/TesterSupport.java
index 49b8de7..37d69c8 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -64,6 +64,7 @@ import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 
 public final class TesterSupport {
 
@@ -137,47 +138,39 @@ public final class TesterSupport {
     protected static void initSsl(Tomcat tomcat, String keystore,
             String keystorePass, String keyPass) {
 
+        Connector connector = tomcat.getConnector();
+        connector.setSecure(true);
+        Assert.assertTrue(connector.setProperty("SSLEnabled", "true"));
+
+        SSLHostConfig sslHostConfig = new SSLHostConfig();
+        SSLHostConfigCertificate certificate = new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
+        sslHostConfig.addCertificate(certificate);
+        connector.addSslHostConfig(sslHostConfig);
+
         String protocol = tomcat.getConnector().getProtocolHandlerClassName();
         if (!protocol.contains("Apr")) {
-            Connector connector = tomcat.getConnector();
             String sslImplementation = System.getProperty("tomcat.test.sslImplementation");
             if (sslImplementation != null && !"${test.sslImplementation}".equals(sslImplementation)) {
                 StandardServer server = (StandardServer) tomcat.getServer();
                 AprLifecycleListener listener = new AprLifecycleListener();
                 listener.setSSLRandomSeed("/dev/urandom");
                 server.addLifecycleListener(listener);
-                tomcat.getConnector().setAttribute("sslImplementationName", sslImplementation);
+                connector.setAttribute("sslImplementationName", sslImplementation);
             }
-            Assert.assertTrue(connector.setProperty("sslProtocol", "tls"));
-            File keystoreFile =
-                new File(keystore);
-            connector.setAttribute("keystoreFile",
-                    keystoreFile.getAbsolutePath());
-            File truststoreFile = new File(CA_JKS);
-            connector.setAttribute("truststoreFile",
-                    truststoreFile.getAbsolutePath());
+            sslHostConfig.setSslProtocol("tls");
+            certificate.setCertificateKeystoreFile(new File(keystore).getAbsolutePath());
+            sslHostConfig.setTruststoreFile(new File(CA_JKS).getAbsolutePath());
             if (keystorePass != null) {
-                connector.setAttribute("keystorePass", keystorePass);
+                certificate.setCertificateKeystorePassword(keystorePass);
             }
             if (keyPass != null) {
-                connector.setAttribute("keyPass", keyPass);
+                certificate.setCertificateKeyPassword(keyPass);
             }
         } else {
-            File keystoreFile = new File(
-                    LOCALHOST_RSA_CERT_PEM);
-            tomcat.getConnector().setAttribute("SSLCertificateFile",
-                    keystoreFile.getAbsolutePath());
-            keystoreFile = new File(
-                    LOCALHOST_RSA_KEY_PEM);
-            tomcat.getConnector().setAttribute("SSLCertificateKeyFile",
-                    keystoreFile.getAbsolutePath());
-            keystoreFile = new File(
-                    CA_CERT_PEM);
-            tomcat.getConnector().setAttribute("SSLCACertificateFile",
-                    keystoreFile.getAbsolutePath());
-        }
-        tomcat.getConnector().setSecure(true);
-        Assert.assertTrue(tomcat.getConnector().setProperty("SSLEnabled", "true"));
+            certificate.setCertificateFile(new File(LOCALHOST_RSA_CERT_PEM).getAbsolutePath());
+            certificate.setCertificateKeyFile(new File(LOCALHOST_RSA_KEY_PEM).getAbsolutePath());
+            sslHostConfig.setCaCertificateFile(new File(CA_CERT_PEM).getAbsolutePath());
+        }
     }
 
     protected static KeyManager[] getUser1KeyManagers() throws Exception {
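Review bot: `connector.setAttribute("sslImplementationName", sslImplementation)` is the one TLS-relevant setting in this method whose acceptance is not checked, while `SSLEnabled` a few lines earlier and `sslImplementationName` in TestCustomSsl both go through `Assert.assertTrue(connector.setProperty(...))`. If the attribute were renamed or misspelled the connector would presumably fall back to the default JSSE implementation and the whole suite would silently test the wrong TLS stack, which is exactly what the `tomcat.test.sslImplementation` property exists to avoid; I would change it to `Assert.assertTrue(connector.setProperty("sslImplementationName", sslImplementation));`. Minor: `String protocol = tomcat.getConnector().getProtocolHandlerClassName();` can use the `connector` local introduced at the top of the method. Since the SSLHostConfig and certificate are now registered unconditionally before the JSSE/APR branch, a one-line comment saying that the same pair is populated either from the JKS keystore and truststore or from the PEM cert, key and CA files depending on the branch would help a reader of this method.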
@@ -266,7 +259,7 @@ public final class TesterSupport {
          * depend. Therefore, force these tests to use TLSv1.2 so that they pass
          * when running on TLSv1.3.
          */
-        Assert.assertTrue(tomcat.getConnector().setProperty("sslEnabledProtocols", Constants.SSL_PROTO_TLSv1_2));
+        tomcat.getConnector().findSslHostConfigs()[0].setProtocols(Constants.SSL_PROTO_TLSv1_2);
 
         // Need a web application with a protected and unprotected URL
         // No file system docBase required
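Review bot: `tomcat.getConnector().findSslHostConfigs()[0]` assumes exactly one SSLHostConfig has already been registered, presumably by `initSsl` earlier in this method (the method starts above the hunk, so I cannot see the call order); if that call were missing or reordered the test would die with an ArrayIndexOutOfBoundsException rather than an assertion naming the problem. I would guard it with `Assert.assertEquals(1, tomcat.getConnector().findSslHostConfigs().length);` immediately before the `setProtocols` call. The existing comment explaining why these tests are pinned to TLSv1.2 is valuable and should stay attached to that line, since it documents a deliberate narrowing of the TLS versions the renegotiation tests exercise.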
diff --git a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
index 6865b9d..478bbfa 100644
--- a/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
+++ b/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java
@@ -23,7 +23,6 @@ import org.apache.tomcat.util.net.SSLUtil;
 
 public class TesterBug50640SslImpl extends JSSEImplementation {
 
-    public static final String PROPERTY_NAME = "sslEnabledProtocols";
     public static final String PROPERTY_VALUE = "magic";
 
 

