Author: markt
Date: Thu Jun 23 19:11:56 2016
New Revision: 1749978
URL: http://svn.apache.org/viewvc?rev=1749978&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59233
Add the ability to add TLS virtual hosts dynamically
Added:
tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
(with props)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Jun
23 19:11:56 2016
@@ -22,9 +22,9 @@ import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
-import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.Executor;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.TimeUnit;
@@ -197,23 +197,48 @@ public abstract class AbstractEndpoint<S
}
- protected Map<String,SSLHostConfig> sslHostConfigs = new
ConcurrentHashMap<>();
- public void addSslHostConfig(SSLHostConfig sslHostConfig) {
+ protected ConcurrentMap<String,SSLHostConfig> sslHostConfigs = new
ConcurrentHashMap<>();
+ public void addSslHostConfig(SSLHostConfig sslHostConfig) throws
IllegalArgumentException {
String key = sslHostConfig.getHostName();
if (key == null || key.length() == 0) {
throw new
IllegalArgumentException(sm.getString("endpoint.noSslHostName"));
}
- SSLHostConfig duplicate = sslHostConfigs.put(key, sslHostConfig);
+ sslHostConfig.setConfigType(getSslConfigType());
+ if (bindState != BindState.UNBOUND) {
+ try {
+ createSSLContext(sslHostConfig);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(e);
+ }
+ }
+ SSLHostConfig duplicate = sslHostConfigs.putIfAbsent(key,
sslHostConfig);
if (duplicate != null) {
+ releaseSSLContext(sslHostConfig);
throw new
IllegalArgumentException(sm.getString("endpoint.duplicateSslHostName", key));
}
- sslHostConfig.setConfigType(getSslConfigType());
}
public SSLHostConfig[] findSslHostConfigs() {
return sslHostConfigs.values().toArray(new SSLHostConfig[0]);
}
+
protected abstract SSLHostConfig.Type getSslConfigType();
+ /**
+ * Create the SSLContextfor the the given SSLHostConfig.
+ *
+ * @param sslHostConfig The SSLHostConfig for which the SSLContext should
be
+ * created
+ */
+ protected abstract void createSSLContext(SSLHostConfig sslHostConfig)
throws Exception;
+
+ /**
+ * Release the SSLContext, if any, associated with the SSLHostConfig.
+ *
+ * @param sslHostConfig The SSLHostConfig for which the SSLContext should
be
+ * released
+ */
+ protected abstract void releaseSSLContext(SSLHostConfig sslHostConfig);
+
protected SSLHostConfig getSSLHostConfig(String sniHostName) {
SSLHostConfig result = null;
@@ -376,7 +401,7 @@ public abstract class AbstractEndpoint<S
private boolean bindOnInit = true;
public boolean getBindOnInit() { return bindOnInit; }
public void setBindOnInit(boolean b) { this.bindOnInit = b; }
- private BindState bindState = BindState.UNBOUND;
+ private volatile BindState bindState = BindState.UNBOUND;
/**
* Keepalive timeout, if not set the soTimeout is used.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu
Jun 23 19:11:56 2016
@@ -77,26 +77,36 @@ public abstract class AbstractJsseEndpoi
sslImplementation =
SSLImplementation.getInstance(getSslImplementationName());
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- boolean firstCertificate = true;
- for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
- SSLUtil sslUtil =
sslImplementation.getSSLUtil(certificate);
- if (firstCertificate) {
- firstCertificate = false;
-
sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols());
-
sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
- }
-
- SSLContext sslContext =
sslUtil.createSSLContext(negotiableProtocols);
- sslContext.init(sslUtil.getKeyManagers(),
sslUtil.getTrustManagers(), null);
-
- SSLSessionContext sessionContext =
sslContext.getServerSessionContext();
- if (sessionContext != null) {
- sslUtil.configureSessionContext(sessionContext);
- }
- certificate.setSslContext(sslContext);
- }
+ createSSLContext(sslHostConfig);
+ }
+ }
+ }
+
+
+ @Override
+ protected void createSSLContext(SSLHostConfig sslHostConfig) throws
IllegalArgumentException {
+ boolean firstCertificate = true;
+ for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
+ if (firstCertificate) {
+ firstCertificate = false;
+
sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols());
+ sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
+ }
+
+ SSLContext sslContext;
+ try {
+ sslContext = sslUtil.createSSLContext(negotiableProtocols);
+ sslContext.init(sslUtil.getKeyManagers(),
sslUtil.getTrustManagers(), null);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(e);
}
+ SSLSessionContext sessionContext =
sslContext.getServerSessionContext();
+ if (sessionContext != null) {
+ sslUtil.configureSessionContext(sessionContext);
+ }
+ certificate.setSslContext(sslContext);
}
}
@@ -104,18 +114,25 @@ public abstract class AbstractJsseEndpoi
protected void destroySsl() throws Exception {
if (isSSLEnabled()) {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
- for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
- if (certificate.getSslContext() != null) {
- SSLContext sslContext = certificate.getSslContext();
- if (sslContext != null) {
- sslContext.destroy();
- }
- }
+ releaseSSLContext(sslHostConfig);
+ }
+ }
+ }
+
+
+ @Override
+ protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
+ for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ if (certificate.getSslContext() != null) {
+ SSLContext sslContext = certificate.getSslContext();
+ if (sslContext != null) {
+ sslContext.destroy();
}
}
}
}
+
protected SSLEngine createSSLEngine(String sniHostName, List<Cipher>
clientRequestedCiphers) {
SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jun 23
19:11:56 2016
@@ -347,167 +347,182 @@ public class AprEndpoint extends Abstrac
// Initialize SSL if needed
if (isSSLEnabled()) {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
+ createSSLContext(sslHostConfig);
+ }
+ SSLHostConfig defaultSSLHostConfig =
sslHostConfigs.get(getDefaultSSLHostConfigName());
+ Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext();
+ sslContext = defaultSSLContext.longValue();
+ SSLContext.registerDefault(defaultSSLContext, this);
+ }
+ }
- Set<SSLHostConfigCertificate> certificates =
sslHostConfig.getCertificates(true);
- boolean firstCertificate = true;
- for (SSLHostConfigCertificate certificate : certificates) {
- if
(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) {
- // This is required
- throw new
Exception(sm.getString("endpoint.apr.noSslCertFile"));
- }
- if (firstCertificate) {
- // TODO: Duplicates code in SSLUtilBase. Consider
- // refactoring to reduce duplication
- firstCertificate = false;
- // Configure the enabled protocols
- List<String> enabledProtocols =
SSLUtilBase.getEnabled("protocols", log,
- true, sslHostConfig.getProtocols(),
- OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET);
- sslHostConfig.setEnabledProtocols(
- enabledProtocols.toArray(new
String[enabledProtocols.size()]));
- // Configure the enabled ciphers
- List<String> enabledCiphers =
SSLUtilBase.getEnabled("ciphers", log,
- false, sslHostConfig.getJsseCipherNames(),
- OpenSSLEngine.AVAILABLE_CIPHER_SUITES);
- sslHostConfig.setEnabledCiphers(
- enabledCiphers.toArray(new
String[enabledCiphers.size()]));
- }
- }
- if (certificates.size() > 2) {
- // TODO: Can this limitation be removed?
- throw new
Exception(sm.getString("endpoint.apr.tooManyCertFiles"));
- }
- // SSL protocol
- int value = SSL.SSL_PROTOCOL_NONE;
- if (sslHostConfig.getProtocols().size() == 0) {
- // Native fallback used if protocols=""
- value = SSL.SSL_PROTOCOL_ALL;
- } else {
- for (String protocol :
sslHostConfig.getEnabledProtocols()) {
- if
(Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
- // NO-OP. OpenSSL always supports SSLv2Hello
- } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_SSLV2;
- } else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_SSLV3;
- } else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_TLSV1;
- } else if
(Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_TLSV1_1;
- } else if
(Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_TLSV1_2;
- } else {
- // Should not happen since filtering to build
- // enabled protocols removes invalid values.
- throw new Exception(sm.getString(
- "endpoint.apr.invalidSslProtocol",
protocol));
- }
- }
- }
- // Create SSL Context
- long ctx = 0;
- try {
- ctx = SSLContext.make(rootPool, value,
SSL.SSL_MODE_SERVER);
- } catch (Exception e) {
- // If the sslEngine is disabled on the AprLifecycleListener
- // there will be an Exception here but there is no way to
check
- // the AprLifecycleListener settings from here
- throw new Exception(
- sm.getString("endpoint.apr.failSslContextMake"),
e);
- }
+ @Override
+ protected void createSSLContext(SSLHostConfig sslHostConfig) throws
Exception {
+ Set<SSLHostConfigCertificate> certificates =
sslHostConfig.getCertificates(true);
+ boolean firstCertificate = true;
+ for (SSLHostConfigCertificate certificate : certificates) {
+ if
(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) {
+ // This is required
+ throw new
Exception(sm.getString("endpoint.apr.noSslCertFile"));
+ }
+ if (firstCertificate) {
+ // TODO: Duplicates code in SSLUtilBase. Consider
+ // refactoring to reduce duplication
+ firstCertificate = false;
+ // Configure the enabled protocols
+ List<String> enabledProtocols =
SSLUtilBase.getEnabled("protocols", log,
+ true, sslHostConfig.getProtocols(),
+ OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET);
+ sslHostConfig.setEnabledProtocols(
+ enabledProtocols.toArray(new
String[enabledProtocols.size()]));
+ // Configure the enabled ciphers
+ List<String> enabledCiphers =
SSLUtilBase.getEnabled("ciphers", log,
+ false, sslHostConfig.getJsseCipherNames(),
+ OpenSSLEngine.AVAILABLE_CIPHER_SUITES);
+ sslHostConfig.setEnabledCiphers(
+ enabledCiphers.toArray(new
String[enabledCiphers.size()]));
+ }
+ }
+ if (certificates.size() > 2) {
+ // TODO: Can this limitation be removed?
+ throw new Exception(sm.getString("endpoint.apr.tooManyCertFiles"));
+ }
- if (sslHostConfig.getInsecureRenegotiation()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ // SSL protocol
+ int value = SSL.SSL_PROTOCOL_NONE;
+ if (sslHostConfig.getProtocols().size() == 0) {
+ // Native fallback used if protocols=""
+ value = SSL.SSL_PROTOCOL_ALL;
+ } else {
+ for (String protocol : sslHostConfig.getEnabledProtocols()) {
+ if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol))
{
+ // NO-OP. OpenSSL always supports SSLv2Hello
+ } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV2;
+ } else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_SSLV3;
+ } else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if
(Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if
(Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
} else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ // Should not happen since filtering to build
+ // enabled protocols removes invalid values.
+ throw new Exception(sm.getString(
+ "endpoint.apr.invalidSslProtocol", protocol));
}
+ }
+ }
- // Use server's preference order for ciphers (rather than
- // client's)
- if (sslHostConfig.getHonorCipherOrder()) {
- SSLContext.setOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- } else {
- SSLContext.clearOptions(ctx,
SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
- }
+ // Create SSL Context
+ long ctx = 0;
+ try {
+ ctx = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+ } catch (Exception e) {
+ // If the sslEngine is disabled on the AprLifecycleListener
+ // there will be an Exception here but there is no way to check
+ // the AprLifecycleListener settings from here
+ throw new Exception(
+ sm.getString("endpoint.apr.failSslContextMake"), e);
+ }
- // Disable compression if requested
- if (sslHostConfig.getDisableCompression()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
- }
+ if (sslHostConfig.getInsecureRenegotiation()) {
+ SSLContext.setOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ } else {
+ SSLContext.clearOptions(ctx,
SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ }
- // Disable TLS Session Tickets (RFC4507) to protect perfect
forward secrecy
- if (sslHostConfig.getDisableSessionTickets()) {
- SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
- } else {
- SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
- }
+ // Use server's preference order for ciphers (rather than client's)
+ if (sslHostConfig.getHonorCipherOrder()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
- // List the ciphers that the client is permitted to negotiate
- SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
- // Load Server key and certificate
- // TODO: Confirm assumption that idx is not specific to
- // key/certificate type
- int idx = 0;
- for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
- SSLContext.setCertificate(ctx,
-
SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
-
SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
- certificate.getCertificateKeyPassword(), idx++);
- // Set certificate chain file
- SSLContext.setCertificateChainFile(ctx,
-
SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
- }
- // Support Client Certificates
- SSLContext.setCACertificate(ctx,
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
- // Set revocation
- SSLContext.setCARevocation(ctx,
- SSLHostConfig.adjustRelativePath(
-
sslHostConfig.getCertificateRevocationListFile()),
- SSLHostConfig.adjustRelativePath(
-
sslHostConfig.getCertificateRevocationListPath()));
- // Client certificate verification
- switch (sslHostConfig.getCertificateVerification()) {
- case NONE:
- value = SSL.SSL_CVERIFY_NONE;
- break;
- case OPTIONAL:
- value = SSL.SSL_CVERIFY_OPTIONAL;
- break;
- case OPTIONAL_NO_CA:
- value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
- break;
- case REQUIRED:
- value = SSL.SSL_CVERIFY_REQUIRE;
- break;
- }
- SSLContext.setVerify(ctx, value,
sslHostConfig.getCertificateVerificationDepth());
- // For now, sendfile is not supported with SSL
- if (getUseSendfile()) {
- setUseSendfileInternal(false);
- if (useSendFileSet) {
-
log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
- }
- }
+ // Disable compression if requested
+ if (sslHostConfig.getDisableCompression()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+ }
- if (negotiableProtocols.size() > 0) {
- ArrayList<String> protocols = new ArrayList<>();
- protocols.addAll(negotiableProtocols);
- protocols.add("http/1.1");
- String[] protocolsArray = protocols.toArray(new String[0]);
- SSLContext.setAlpnProtos(ctx, protocolsArray,
SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
- }
- sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
+ // Disable TLS Session Tickets (RFC4507) to protect perfect forward
secrecy
+ if (sslHostConfig.getDisableSessionTickets()) {
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ } else {
+ SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
+ }
+
+ // List the ciphers that the client is permitted to negotiate
+ SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
+ // Load Server key and certificate
+ // TODO: Confirm assumption that idx is not specific to
+ // key/certificate type
+ int idx = 0;
+ for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ SSLContext.setCertificate(ctx,
+
SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
+
SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
+ certificate.getCertificateKeyPassword(), idx++);
+ // Set certificate chain file
+ SSLContext.setCertificateChainFile(ctx,
+
SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
+ }
+ // Support Client Certificates
+ SSLContext.setCACertificate(ctx,
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+ // Set revocation
+ SSLContext.setCARevocation(ctx,
+ SSLHostConfig.adjustRelativePath(
+ sslHostConfig.getCertificateRevocationListFile()),
+ SSLHostConfig.adjustRelativePath(
+ sslHostConfig.getCertificateRevocationListPath()));
+ // Client certificate verification
+ switch (sslHostConfig.getCertificateVerification()) {
+ case NONE:
+ value = SSL.SSL_CVERIFY_NONE;
+ break;
+ case OPTIONAL:
+ value = SSL.SSL_CVERIFY_OPTIONAL;
+ break;
+ case OPTIONAL_NO_CA:
+ value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
+ break;
+ case REQUIRED:
+ value = SSL.SSL_CVERIFY_REQUIRE;
+ break;
+ }
+ SSLContext.setVerify(ctx, value,
sslHostConfig.getCertificateVerificationDepth());
+ // For now, sendfile is not supported with SSL
+ if (getUseSendfile()) {
+ setUseSendfileInternal(false);
+ if (useSendFileSet) {
+ log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
}
- SSLHostConfig defaultSSLHostConfig =
sslHostConfigs.get(getDefaultSSLHostConfigName());
- Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext();
- sslContext = defaultSSLContext.longValue();
- SSLContext.registerDefault(defaultSSLContext, this);
+ }
+
+ if (negotiableProtocols.size() > 0) {
+ ArrayList<String> protocols = new ArrayList<>();
+ protocols.addAll(negotiableProtocols);
+ protocols.add("http/1.1");
+ String[] protocolsArray = protocols.toArray(new String[0]);
+ SSLContext.setAlpnProtos(ctx, protocolsArray,
SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
+ }
+ sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
+ }
+
+
+ @Override
+ protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
+ Long ctx = sslHostConfig.getOpenSslContext();
+ if (ctx != null) {
+ SSLContext.free(ctx.longValue());
+ sslHostConfig.setOpenSslContext(null);
}
}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Jun 23
19:11:56 2016
@@ -18,6 +18,7 @@ package org.apache.tomcat.util.net;
import java.io.File;
import java.io.IOException;
+import java.io.Serializable;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.HashMap;
@@ -39,7 +40,9 @@ import org.apache.tomcat.util.res.String
/**
* Represents the TLS configuration for a virtual host.
*/
-public class SSLHostConfig {
+public class SSLHostConfig implements Serializable {
+
+ private static final long serialVersionUID = 1L;
private static final Log log = LogFactory.getLog(SSLHostConfig.class);
private static final StringManager sm =
StringManager.getManager(SSLHostConfig.class);
@@ -69,7 +72,7 @@ public class SSLHostConfig {
// OpenSSL can handle multiple certs in a single config so the reference to
// the context is here at the virtual host level. JSSE can't so the
// reference is held on the certificate.
- private Long openSslContext;
+ private transient Long openSslContext;
// Configuration properties
@@ -99,7 +102,7 @@ public class SSLHostConfig {
private String truststorePassword =
System.getProperty("javax.net.ssl.trustStorePassword");
private String truststoreProvider =
System.getProperty("javax.net.ssl.trustStoreProvider");
private String truststoreType =
System.getProperty("javax.net.ssl.trustStoreType");
- private KeyStore truststore = null;
+ private transient KeyStore truststore = null;
// OpenSSL
private String certificateRevocationListPath;
private String caCertificateFile;
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
Thu Jun 23 19:11:56 2016
@@ -17,6 +17,7 @@
package org.apache.tomcat.util.net;
import java.io.IOException;
+import java.io.Serializable;
import java.security.KeyStore;
import java.util.HashSet;
import java.util.Set;
@@ -26,8 +27,9 @@ import org.apache.juli.logging.LogFactor
import org.apache.tomcat.util.net.openssl.ciphers.Authentication;
import org.apache.tomcat.util.res.StringManager;
+public class SSLHostConfigCertificate implements Serializable {
-public class SSLHostConfigCertificate {
+ private static final long serialVersionUID = 1L;
private static final Log log =
LogFactory.getLog(SSLHostConfigCertificate.class);
private static final StringManager sm =
StringManager.getManager(SSLHostConfigCertificate.class);
@@ -42,7 +44,7 @@ public class SSLHostConfigCertificate {
// OpenSSL can handle multiple certs in a single config so the reference to
// the context is at the virtual host level. JSSE can't so the reference is
// held here on the certificate.
- private SSLContext sslContext;
+ private transient SSLContext sslContext;
// Common
private final SSLHostConfig sslHostConfig;
@@ -55,7 +57,7 @@ public class SSLHostConfigCertificate {
private String certificateKeystoreFile =
System.getProperty("user.home")+"/.keystore";
private String certificateKeystoreProvider = DEFAULT_KEYSTORE_PROVIDER;
private String certificateKeystoreType = DEFAULT_KEYSTORE_TYPE;
- private KeyStore certificateKeystore = null;
+ private transient KeyStore certificateKeystore = null;
// OpenSSL
private String certificateChainFile;
Added:
tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java?rev=1749978&view=auto
==============================================================================
---
tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
(added)
+++
tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
Thu Jun 23 19:11:56 2016
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+import java.io.File;
+import java.io.ObjectOutputStream;
+
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.http.fileupload.ByteArrayOutputStream;
+import org.apache.tomcat.websocket.server.WsContextListener;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestSSLHostConfigIntegration extends TomcatBaseTest {
+
+ @Test
+ public void testSslHostConfigIsSerializable() throws Exception {
+ TesterSupport.configureClientSsl();
+
+ Tomcat tomcat = getTomcatInstance();
+
+ File appDir = new File(getBuildDirectory(), "webapps/examples");
+ org.apache.catalina.Context ctxt = tomcat.addWebapp(
+ null, "/examples", appDir.getAbsolutePath());
+ ctxt.addApplicationListener(WsContextListener.class.getName());
+
+ TesterSupport.initSsl(tomcat);
+
+ tomcat.start();
+
+ SSLHostConfig[] sslHostConfigs =
+
tomcat.getConnector().getProtocolHandler().findSslHostConfigs();
+
+ boolean written = false;
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
+ for (SSLHostConfig sslHostConfig : sslHostConfigs) {
+ oos.writeObject(sslHostConfig);
+ written = true;
+ }
+ }
+
+ Assert.assertTrue(written);
+ }
+}
Propchange:
tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 23 19:11:56 2016
@@ -101,6 +101,10 @@
that are being executed in a single connection. The default is to
not limit it. (remm)
</update>
+ <add>
+ <bug>59233</bug>: Add the ability to add TLS virtual hosts dynamically.
+ (markt)
+ </add>
</changelog>
</subsection>
<subsection name="WebSocket">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
