Author: markt Date: Fri Jan 20 00:12:16 2017 New Revision: 1779545 URL: http://svn.apache.org/viewvc?rev=1779545&view=rev Log: Adding ALPN support for JSSE with Java 9 Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP connectors when using the JSSE implementation for TLS when running on Java 9.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java
tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1779545&r1=1779544&r2=1779545&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Fri Jan 20 00:12:16 2017
@@ -30,6 +30,7 @@ import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSessionContext;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.SSLHostConfig.Type;
 import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
@@ -169,6 +170,20 @@ public abstract class AbstractJsseEndpoi
 SSLParameters sslParameters = engine.getSSLParameters();
 sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder());
+ if (JreCompat.isJre9Available() && clientRequestedApplicationProtocols.size() > 0 &&
+ negotiableProtocols.size() > 0) {
+ // Only try to negotiate if both client and server have at least
+ // one protocol in common
+ // Note: Tomcat does not explicitly negotiate http/1.1
+ // TODO: Is this correct? Should it change?
+ List<String> commonProtocols = new ArrayList<>();
+ commonProtocols.addAll(negotiableProtocols);
+ commonProtocols.retainAll(clientRequestedApplicationProtocols);
+ if (commonProtocols.size() > 0) {
+ String[] commonProtocolsArray = commonProtocols.toArray(new String[commonProtocols.size()]);
+ JreCompat.getInstance().setApplicationProtocols(sslParameters, commonProtocolsArray);
+ }
+ }
 // In case the getter returns a defensive copy
 engine.setSSLParameters(sslParameters);
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java?rev=1779545&r1=1779544&r2=1779545&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNio2Channel.java Fri Jan 20 00:12:16 2017
@@ -38,6 +38,7 @@ import javax.net.ssl.SSLException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import org.apache.tomcat.util.res.StringManager;
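Review bot: The first added line calls `clientRequestedApplicationProtocols.size()` without a null check; if the caller passes null when the client hello carried no ALPN extension (the parameter's origin is outside this hunk), every such handshake fails with a NullPointerException during engine creation, so the condition should read `if (JreCompat.isJre9Available() && clientRequestedApplicationProtocols != null && !clientRequestedApplicationProtocols.isEmpty() && !negotiableProtocols.isEmpty()) {`. The `addAll`/`retainAll` pair is a useful defensive property worth recording next to the existing comments, since the client-offered list comes from an unauthenticated client hello: `// Intersection keeps server-configured names only; client-offered values filter the list but are never passed to setApplicationProtocols`. Minor style: `commonProtocols.toArray(new String[0])` is the idiomatic form. The enclosing createSSLEngine method begins and ends outside this hunk.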
@@ -227,8 +228,14 @@ public class SecureNio2Channel extends N
 throw new IOException(sm.getString("channel.nio.ssl.notHandshaking"));
 }
 case FINISHED: {
- if (endpoint.hasNegotiableProtocols() && sslEngine instanceof SSLUtil.ProtocolInfo) {
- socket.setNegotiatedProtocol(((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
+ if (endpoint.hasNegotiableProtocols()) {
+ if (sslEngine instanceof SSLUtil.ProtocolInfo) {
+ socket.setNegotiatedProtocol(
+ ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
+ } else if (JreCompat.isJre9Available()) {
+ socket.setNegotiatedProtocol(
+ JreCompat.getInstance().getApplicationProtocol(sslEngine));
+ }
 }
 //we are complete if we have delivered the last package
 handshakeComplete = !netOutBuffer.hasRemaining();
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java?rev=1779545&r1=1779544&r2=1779545&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SecureNioChannel.java Fri Jan 20 00:12:16 2017
@@ -35,6 +35,7 @@ import javax.net.ssl.SSLException;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.buf.ByteBufferUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import org.apache.tomcat.util.res.StringManager;
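Review bot: The new `else if (JreCompat.isJre9Available())` branch stores whatever `getApplicationProtocol(sslEngine)` returns, and the Java 9 `SSLEngine.getApplicationProtocol()` contract yields an empty string when the handshake completed without selecting a protocol (and null only when that is not yet determined), so the JSSE path can record `""` where the `SSLUtil.ProtocolInfo` path presumably records null. Unless every consumer of `setNegotiatedProtocol` treats the two alike, normalize here, e.g. `String negotiated = JreCompat.getInstance().getApplicationProtocol(sslEngine);` followed by `socket.setNegotiatedProtocol(negotiated == null || negotiated.isEmpty() ? null : negotiated);`. The same branch is added to SecureNioChannel in the next hunk and needs the same treatment. The enclosing handshake method starts and ends outside this hunk.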
@@ -190,9 +191,14 @@ public class SecureNioChannel extends Ni
 throw new IOException(sm.getString("channel.nio.ssl.notHandshaking"));
 }
 case FINISHED: {
- if (endpoint.hasNegotiableProtocols() && sslEngine instanceof SSLUtil.ProtocolInfo) {
- socketWrapper.setNegotiatedProtocol(
- ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
+ if (endpoint.hasNegotiableProtocols()) {
+ if (sslEngine instanceof SSLUtil.ProtocolInfo) {
+ socketWrapper.setNegotiatedProtocol(
+ ((SSLUtil.ProtocolInfo) sslEngine).getNegotiatedProtocol());
+ } else if (JreCompat.isJre9Available()) {
+ socketWrapper.setNegotiatedProtocol(
+ JreCompat.getInstance().getApplicationProtocol(sslEngine));
+ }
 }
 //we are complete if we have delivered the last package
 handshakeComplete = !netOutBuffer.hasRemaining();
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1779545&r1=1779544&r2=1779545&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Fri Jan 20 00:12:16 2017
@@ -18,6 +18,7 @@ package org.apache.tomcat.util.net.jsse;
 import javax.net.ssl.SSLSession;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLImplementation;
 import org.apache.tomcat.util.net.SSLSupport;
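Review bot: The protocol-selection block added under `case FINISHED:` is now duplicated between SecureNioChannel and SecureNio2Channel with only the `socketWrapper`/`socket` receiver differing, so any later adjustment to the OpenSSL-versus-JSSE dispatch (or to how an absent protocol is represented) has to be made in two places. A single static helper, e.g. `static String getNegotiatedProtocol(SSLEngine sslEngine)` on SSLUtil holding the `instanceof SSLUtil.ProtocolInfo` / `JreCompat.isJre9Available()` dispatch, would let both channels call `socketWrapper.setNegotiatedProtocol(SSLUtil.getNegotiatedProtocol(sslEngine));`. The enclosing handshake method starts and ends outside this hunk.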
@@ -51,7 +52,6 @@ public class JSSEImplementation extends
 @Override
 public boolean isAlpnSupported() {
- // JSSE does not (yet) support ALPN
- return false;
+ return JreCompat.isJre9Available();
 }
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1779545&r1=1779544&r2=1779545&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Jan 20 00:12:16 2017
@@ -55,6 +55,11 @@
 Improve NIO2 look-ahead parsing of TLS client hello for SNI with large client hello messages. (markt)
 </fix>
+ <add>
+ Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP
+ connectors when using the JSSE implementation for TLS when running on
+ Java 9. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Cluster">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
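Review bot: `isAlpnSupported()` changes from a constant `false` to a runtime check, but the removed comment is not replaced, so the reason the answer depends on the JRE is no longer recorded in the class. Add a Javadoc above the `@Override`, e.g. `/** ALPN is only exposed by the JSSE API from Java 9 onwards, so HTTP/2 over JSSE requires a Java 9 or later runtime; earlier JREs report no support. */`.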