Author: rjung
Date: Sat Aug 19 21:32:23 2017
New Revision: 1805528
URL: http://svn.apache.org/viewvc?rev=1805528&view=rev
Log:
Add support for the OpenSSL SSL_CONF API when
using TLS with OpenSSL implementation.
This will need tcnative 1.2.13.
It can be used by adding OpenSSLConf elements
underneath SSLHostConfig. The new element
contains a list of OpenSSLConfCmd elements,
each with the attributes "name" and "value".
Example:
<SSLHostConfig>
<OpenSSLConf>
<OpenSSLConfCmd name="Protocol" value="-SSLv3,-TLSv1,TLSv1.1,TLSv1.2"/>
<OpenSSLConfCmd name="CipherString" value="ECDHE-RSA-AES128-SHA"/>
<OpenSSLConfCmd name="Options"
value="-SessionTicket,-Compression,ServerPreference"/>
</OpenSSLConf>
</SSLHostConfig>
Added:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
(with props)
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
(with props)
Modified:
tomcat/trunk/java/org/apache/catalina/startup/Catalina.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/startup/Catalina.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/Catalina.java?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/Catalina.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/Catalina.java Sat Aug 19
21:32:23 2017
@@ -354,6 +354,20 @@ public class Catalina {
"addCertificate",
"org.apache.tomcat.util.net.SSLHostConfigCertificate");
+
digester.addObjectCreate("Server/Service/Connector/SSLHostConfig/OpenSSLConf",
+
"org.apache.tomcat.util.net.openssl.OpenSSLConf");
+
digester.addSetProperties("Server/Service/Connector/SSLHostConfig/OpenSSLConf");
+
digester.addSetNext("Server/Service/Connector/SSLHostConfig/OpenSSLConf",
+ "setOpenSslConf",
+ "org.apache.tomcat.util.net.openssl.OpenSSLConf");
+
+
digester.addObjectCreate("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd",
+
"org.apache.tomcat.util.net.openssl.OpenSSLConfCmd");
+
digester.addSetProperties("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd");
+
digester.addSetNext("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd",
+ "addCmd",
+
"org.apache.tomcat.util.net.openssl.OpenSSLConfCmd");
+
digester.addObjectCreate("Server/Service/Connector/Listener",
null, // MUST be specified in the element
"className");
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Aug 19
21:32:23 2017
@@ -43,6 +43,7 @@ import org.apache.tomcat.jni.OS;
import org.apache.tomcat.jni.Poll;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
+import org.apache.tomcat.jni.SSLConf;
import org.apache.tomcat.jni.SSLContext;
import org.apache.tomcat.jni.SSLContext.SNICallBack;
import org.apache.tomcat.jni.SSLSocket;
@@ -55,6 +56,7 @@ import org.apache.tomcat.util.collection
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
import org.apache.tomcat.util.net.SSLHostConfig.Type;
+import org.apache.tomcat.util.net.openssl.OpenSSLConf;
import org.apache.tomcat.util.net.openssl.OpenSSLEngine;
@@ -540,6 +542,51 @@ public class AprEndpoint extends Abstrac
String[] protocolsArray = protocols.toArray(new String[0]);
SSLContext.setAlpnProtos(ctx, protocolsArray,
SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
}
+
+ long cctx;
+ OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
+ if (openSslConf != null) {
+ // Create OpenSSLConfCmd context if used
+ try {
+ log.info(sm.getString("endpoint.apr.makeConf"));
+ cctx = SSLConf.make(rootPool,
+ SSL.SSL_CONF_FLAG_FILE |
+ SSL.SSL_CONF_FLAG_SERVER |
+ SSL.SSL_CONF_FLAG_CERTIFICATE |
+ SSL.SSL_CONF_FLAG_SHOW_ERRORS);
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("endpoint.apr.missingOpenSSLConfSupport"), e);
+ throw new Exception(sm.getString("endpoint.apr.errMakeConf"),
e);
+ } catch (Exception e) {
+ throw new Exception(sm.getString("endpoint.apr.errMakeConf"),
e);
+ }
+ if (cctx != 0) {
+ // Check OpenSSLConfCmd if used
+ log.info(sm.getString("endpoint.apr.checkConf"));
+ try {
+ if (!openSslConf.check(cctx)) {
+ log.error(sm.getString("endpoint.apr.errCheckConf"));
+ throw new
Exception(sm.getString("endpoint.apr.errCheckConf"));
+ }
+ } catch (Exception e) {
+ throw new
Exception(sm.getString("endpoint.apr.errCheckConf"), e);
+ }
+ // Apply OpenSSLConfCmd if used
+ log.info(sm.getString("endpoint.apr.applyConf"));
+ try {
+ if (!openSslConf.apply(cctx, ctx)) {
+ log.error(sm.getString("endpoint.apr.errApplyConf"));
+ throw new
Exception(sm.getString("endpoint.apr.errApplyConf"));
+ }
+ } catch (Exception e) {
+ throw new
Exception(sm.getString("endpoint.apr.errApplyConf"), e);
+ }
+ }
+ } else {
+ cctx = 0;
+ }
+
+ sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx));
sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
}
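Review bot: Every failure after `SSLConf.make` succeeds (the check/apply throws at L122-L141) leaves the method before `sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx))` at L148, so destroySsl (L155-L164) can never reach the context created at L104 and it, like `ctx`, is only reclaimed if the native side registered a cleanup on `rootPool`, which this hunk cannot show. Moving `sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx));` to directly after the make try/catch (before `if (cctx != 0)`) keeps the handle reachable for cleanup on both paths. Separately, the `throw new Exception(...errCheckConf)` at L124 is thrown inside the `try` whose own `catch (Exception e)` at L127 re-wraps it with the same message, so the reported chain says errCheckConf twice after `log.error` has already reported it; the apply branch at L133-L142 and the matching blocks in OpenSSLContext.init (L608-L628) repeat the pattern, and throwing from outside the try (or catching only what the native call can raise) fixes all of them. The enclosing method begins before this hunk.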
@@ -551,6 +598,15 @@ public class AprEndpoint extends Abstrac
SSLContext.free(ctx.longValue());
sslHostConfig.setOpenSslContext(null);
}
+ Long cctx = sslHostConfig.getOpenSslConfContext();
+ if (cctx != null) {
+ try {
+ SSLConf.free(cctx.longValue());
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("endpoint.apr.missingOpenSSLConfSupport"), e);
+ }
+ sslHostConfig.setOpenSslConfContext(null);
+ }
}
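Review bot: The `cctx != null` guard at L156 is always true once SSLHostConfig initialises `openSslConfContext` to `new Long(0)` (L221), so `SSLConf.free(0)` runs on every destroy and, on a tcnative older than 1.2.13, the missingOpenSSLConfSupport warning fires for hosts that never configured an OpenSSLConf; the same SSLHostConfig hunk also changes `openSslContext` from null to `new Long(0)` (L225-L226), which turns the pre-existing `ctx != null` check at L152 into an `SSLContext.free(0)` call. Guard on the value as well, `if (cctx != null && cctx.longValue() != 0) {`, and keep the field initialisers at L221/L226 as null (or `Long.valueOf(0)` if a non-null default is wanted, since `new Long(0)` is the boxing constructor deprecated in Java 9) so the null/zero meaning stays explicit. The enclosing method begins before this hunk.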
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Sat
Aug 19 21:32:23 2017
@@ -74,6 +74,14 @@ endpoint.apr.pollMergeEvents=Merge polle
endpoint.apr.pollUnknownEvent=A socket was returned from the poller with an
unrecognized event [{0}]
endpoint.apr.tooManyCertFiles=More certificate files were configured than the
AprEndpoint can handle
endpoint.apr.remoteport=APR socket [{0}] opened with remote port [{1}]
+endpoint.apr.makeConf=Creating OpenSSLConf context
+endpoint.apr.errMakeConf=Could not create OpenSSLConf context
+endpoint.apr.checkConf=Checking OpenSSLConf
+endpoint.apr.errCheckConf=Error during OpenSSLConf check
+endpoint.apr.assignConf=Assigning SSL context to OpenSSLConfCmd context
+endpoint.apr.applyConf=Applying OpenSSLConfCmd to SSL context
+endpoint.apr.errApplyConf=Could not apply OpenSSLConf to SSL context
+endpoint.apr.missingOpenSSLConfSupport=Your tcnative library has no support
for OpenSSLConf, version 1.2.13 or higher is required.
endpoint.jsse.noSslContext=No SSLContext could be found for the host name [{0}]
endpoint.nio.registerFail=Failed to register socket with selector from poller
endpoint.nio.selectorCloseFail=Failed to close selector when closing the poller
@@ -130,6 +138,8 @@ sslHostConfig.certificate.notype=Multipl
sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named
[{1}] and is for connectors of type [{2}] but the SSLHostConfig is being used
with a connector of type [{3}]
sslHostConfig.prefix_missing=The protocol [{0}] was added to the list of
protocols on the SSLHostConfig named [{1}]. Check if a +/- prefix is missing.
sslHostConfigCertificate.mismatch=The property [{0}] was set on the
SSLHostConfigCertificate named [{1}] and is for certificate storage type [{2}]
but the certificate is being used with a storage of type [{3}]
+sslHostConfig.opensslconf.null=Attempt to set null OpenSSLConf ignored
+sslHostConfig.opensslconf.alreadyset=Attempt to set another OpenSSLConf ignored
sslImplementation.cnfe= Unable to create SSLImplementation for class [{0}]
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Sat Aug 19
21:32:23 2017
@@ -33,6 +33,7 @@ import javax.net.ssl.TrustManagerFactory
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.net.openssl.OpenSSLConf;
import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
import
org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -66,10 +67,11 @@ public class SSLHostConfig implements Se
private String hostName = DEFAULT_SSL_HOST_NAME;
+ private transient Long openSslConfContext = new Long(0);
// OpenSSL can handle multiple certs in a single config so the reference to
// the context is here at the virtual host level. JSSE can't so the
// reference is held on the certificate.
- private transient Long openSslContext;
+ private transient Long openSslContext = new Long(0);
// Configuration properties
@@ -110,6 +112,7 @@ public class SSLHostConfig implements Se
private boolean disableCompression = true;
private boolean disableSessionTickets = false;
private boolean insecureRenegotiation = false;
+ private OpenSSLConf openSslConf = null;
public SSLHostConfig() {
// Set defaults that can't be (easily) set when defining the fields.
@@ -117,6 +120,16 @@ public class SSLHostConfig implements Se
}
+ public Long getOpenSslConfContext() {
+ return openSslConfContext;
+ }
+
+
+ public void setOpenSslConfContext(Long openSslConfContext) {
+ this.openSslConfContext = openSslConfContext;
+ }
+
+
public Long getOpenSslContext() {
return openSslContext;
}
@@ -235,6 +248,22 @@ public class SSLHostConfig implements Se
}
+ public OpenSSLConf getOpenSslConf() {
+ return openSslConf;
+ }
+
+
+ public void setOpenSslConf(OpenSSLConf conf) {
+ if (conf == null) {
+ throw new
IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.null"));
+ } else if (openSslConf != null) {
+ throw new
IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.alreadySet"));
+ }
+ setProperty("<OpenSSLConf>", Type.OPENSSL);
+ openSslConf = conf;
+ }
+
+
public Set<SSLHostConfigCertificate> getCertificates() {
return getCertificates(false);
}
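Review bot: The key used in `setOpenSslConf` at L263 is `sslHostConfig.opensslconf.alreadySet`, but LocalStrings.properties defines `sslHostConfig.opensslconf.alreadyset` (L202), so the second-element error will carry a missing-resource message instead of the intended text; align one side, e.g. `IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.alreadyset"))`. Both new accessor pairs (L237-L244 and L252-L267) are public without Javadoc; a one-liner on setOpenSslConf such as `/** Attaches the single {@code <OpenSSLConf>} element of this host; a second element is rejected, and the property is recorded as OpenSSL-only so a mismatch with the connector type is reported. */` would document why Type.OPENSSL is recorded at L265.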
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
(original)
+++
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
Sat Aug 19 21:32:23 2017
@@ -21,6 +21,24 @@ openssl.keyManagerMissing=No key manager
openssl.incompleteClientCASupport=Incomplete support for client CAs, please
update your tcnative version
openssl.trustManagerMissing=No trust manager found
openssl.addedClientCaCert=Added client CA cert: [{0}]
+openssl.makeConf=Creating OpenSSLConf context
+openssl.errMakeConf=Could not create OpenSSLConf context
+openssl.checkConf=Checking OpenSSLConf
+openssl.errCheckConf=Error during OpenSSLConf check
+openssl.assignConf=Assigning SSL context to OpenSSLConfCmd context
+openssl.applyConf=Applying OpenSSLConfCmd to SSL context
+openssl.errApplyConf=Could not apply OpenSSLConf to SSL context
+openssl.missingOpenSSLConfSupport=Your tcnative library has no support for
OpenSSLConf, version 1.2.13 or higher is required.
+
+opensslconf.checkCommand=OpenSSLConf checking command (name [{0}], value [{1}])
+opensslconf.checkFailed=Failure while checking OpenSSLConf
+opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}])
+opensslconf.applyFailed=Failure while applying OpenSSLConf to SSL context
+opensslconf.failedCommand=OpenSSLConf failed command (name [{0}], value [{1}])
with result [{2}] - will be ignored
+opensslconf.failedFinish=OpenSSLConf finish failed with result [{2}]
+opensslconf.noCommandName=OpenSSLConf no command name - will be ignored
(command value [{0}])
+opensslconf.resultCommand=OpenSSLConf command (name [{0}], value [{1}])
returned [{2}]
+opensslconf.missingOpenSSLConfSupport=Your tcnative library has no support for
OpenSSLConf, version 1.2.13 or higher is required.
engine.engineClosed=Engine is closed
engine.renegotiationUnsupported=Renegotiation is not supported
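Review bot: `opensslconf.failedFinish` (L305) does not match the key the code looks up, `opensslconf.finishFailed` at OpenSSLConf.java L455, and its placeholder `{2}` cannot be filled by the single `rc` argument passed there; define it as `opensslconf.finishFailed=OpenSSLConf finish failed with result [{0}]`. `opensslconf.failedCommand` and `opensslconf.noCommandName` (L303-L307) say the command "will be ignored", but OpenSSLConf.check/apply set result to false on those paths and AprEndpoint (L122-L126) and OpenSSLContext (L609-L613) then abort context creation, so the wording should say the configuration fails rather than promise that the command is skipped. `endpoint.apr.assignConf` (L184) and `openssl.assignConf` (L293) are not referenced by any hunk in this commit; if they are reserved for later use a comment saying so would stop them being flagged as dead keys.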
Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java?rev=1805528&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
(added)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java Sat
Aug 19 21:32:23 2017
@@ -0,0 +1,131 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.jni.SSLConf;
+import org.apache.tomcat.util.res.StringManager;
+
+public class OpenSSLConf {
+
+ private static final Log log = LogFactory.getLog(OpenSSLConf.class);
+ private static final StringManager sm =
StringManager.getManager(OpenSSLConf.class);
+
+ private final List<OpenSSLConfCmd> commands = new
ArrayList<OpenSSLConfCmd>();
+
+ public void addCmd(OpenSSLConfCmd cmd) {
+ commands.add(cmd);
+ }
+
+ public boolean check(long cctx) throws Exception {
+ boolean result = true;
+ OpenSSLConfCmd cmd;
+ String name;
+ String value;
+ int rc;
+ for (int i = 0; i < commands.size(); i++) {
+ cmd = commands.get(i);
+ name = cmd.getName();
+ value = cmd.getValue();
+ if (name == null) {
+ log.error(sm.getString("opensslconf.noCommandName", value));
+ result = false;
+ continue;
+ }
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("opensslconf.checkCommand", name,
value));
+ }
+ try {
+ rc = SSLConf.check(cctx, name, value);
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+ log.error(sm.getString("opensslconf.checkFailed"));
+ return false;
+ }
+ if (rc <= 0) {
+ log.error(sm.getString("opensslconf.failedCommand", name,
value, rc));
+ result = false;
+ } else if (log.isDebugEnabled()) {
+ log.debug(sm.getString("opensslconf.resultCommand", name,
value, rc));
+ }
+ }
+ if (!result) {
+ log.error(sm.getString("opensslconf.checkFailed"));
+ }
+ return result;
+ }
+
+ public boolean apply(long cctx, long ctx) throws Exception {
+ boolean result = true;
+ try {
+ SSLConf.assign(cctx, ctx);
+ } catch (UnsatisfiedLinkError e) {
+ log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+ log.error(sm.getString("opensslconf.applyFailed"));
+ return false;
+ }
+ OpenSSLConfCmd cmd;
+ String name;
+ String value;
+ int rc;
+ for (int i = 0; i < commands.size(); i++) {
+ cmd = commands.get(i);
+ name = cmd.getName();
+ value = cmd.getValue();
+ if (name == null) {
+ log.error(sm.getString("opensslconf.noCommandName", value));
+ result = false;
+ continue;
+ }
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("opensslconf.applyCommand", name,
value));
+ }
+ try {
+ rc = SSLConf.apply(cctx, name, value);
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+ log.error(sm.getString("opensslconf.applyFailed"));
+ return false;
+ }
+ if (rc <= 0) {
+ log.error(sm.getString("opensslconf.failedCommand", name,
value, rc));
+ result = false;
+ } else if (log.isDebugEnabled()) {
+ log.debug(sm.getString("opensslconf.resultCommand", name,
value, rc));
+ }
+ }
+ try {
+ rc = SSLConf.finish(cctx);
+ } catch (UnsatisfiedLinkError e) {
+ log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+ log.error(sm.getString("opensslconf.applyFailed"));
+ return false;
+ }
+ if (rc <= 0) {
+ log.error(sm.getString("opensslconf.finishFailed", rc));
+ result = false;
+ }
+ if (!result) {
+ log.error(sm.getString("opensslconf.applyFailed"));
+ }
+ return result;
+ }
+}
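Review bot: `check` (L362-L402) and `apply` (L404-L462) repeat the same per-command loop — null-name handling, debug logging, the UnsatisfiedLinkError catch and the `rc <= 0` test — differing only in the native call and the message keys, so a later change to one (for example, whether a null name should fail) can silently drift from the other; a private helper taking the cctx and a flag selecting `SSLConf.check` or `SSLConf.apply` would keep both paths identical. Neither method throws a checked exception, so the `throws Exception` on both signatures is what forces the broad `catch (Exception e)` wrappers in AprEndpoint and OpenSSLContext; dropping it lets those catch blocks narrow to what can actually occur. The class has no Javadoc; a header such as `/** Holder for the OpenSSLConfCmd elements of one SSLHostConfig: check() validates every command against an SSL_CONF context, apply() assigns that context to an SSL_CTX, runs the commands and finishes; both return false if any command, the finish step, or the native binding failed. */` would record that a false return is the only failure signal callers get, since the UnsatisfiedLinkError path also returns false after logging.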
Propchange:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java?rev=1805528&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
(added)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
Sat Aug 19 21:32:23 2017
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+public class OpenSSLConfCmd {
+
+ private String name = null;
+ private String value = null;
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+ public void setValue(String value) {
+ this.value = value;
+ }
+}
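Review bot: OpenSSLConfCmd is a public bean with no Javadoc, and nothing tells a reader that `name` is required while `value` is not: OpenSSLConf logs `opensslconf.noCommandName` and fails the check when `getName()` returns null (OpenSSLConf.java L372-L376) but hands a null value straight to `SSLConf.check`/`SSLConf.apply`. A class comment such as `/** One name/value pair from an <OpenSSLConfCmd> element under <OpenSSLConf>; name is mandatory (a null name fails OpenSSLConf.check/apply), value is passed to the native SSL_CONF command unchanged. */` would capture that contract at the point where the Digester populates it.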
Propchange:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
Sat Aug 19 21:32:23 2017
@@ -44,6 +44,7 @@ import org.apache.juli.logging.LogFactor
import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
+import org.apache.tomcat.jni.SSLConf;
import org.apache.tomcat.jni.SSLContext;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.Constants;
@@ -88,6 +89,9 @@ public class OpenSSLContext implements o
private final long aprPool;
private final AtomicInteger aprPoolDestroyed = new AtomicInteger(0);
+ // OpenSSLConfCmd context
+ protected final long cctx;
+ // SSL context
protected final long ctx;
static final CertificateFactory X509_CERT_FACTORY;
@@ -112,6 +116,27 @@ public class OpenSSLContext implements o
aprPool = Pool.create(0);
boolean success = false;
try {
+ // Create OpenSSLConfCmd context if used
+ OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
+ if (openSslConf != null) {
+ try {
+ log.info(sm.getString("openssl.makeConf"));
+ cctx = SSLConf.make(aprPool,
+ SSL.SSL_CONF_FLAG_FILE |
+ SSL.SSL_CONF_FLAG_SERVER |
+ SSL.SSL_CONF_FLAG_CERTIFICATE |
+ SSL.SSL_CONF_FLAG_SHOW_ERRORS);
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("openssl.missingOpenSSLConfSupport"), e);
+ throw new Exception(sm.getString("openssl.errMakeConf"),
e);
+ } catch (Exception e) {
+ throw new
SSLException(sm.getString("openssl.errMakeConf"), e);
+ }
+ } else {
+ cctx = 0;
+ }
+ sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx));
+
// SSL protocol
int value = SSL.SSL_PROTOCOL_NONE;
for (String protocol : sslHostConfig.getEnabledProtocols()) {
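Review bot: The UnsatisfiedLinkError branch at L567-L571 throws a plain `Exception` while the sibling branch at L572-L574 throws `SSLException` for the same failure; if the enclosing constructor declares only `throws SSLException` the first will not compile, and otherwise callers see two exception types for one condition. Use `throw new SSLException(sm.getString("openssl.errMakeConf"), e);` in both branches; the same Exception/SSLException split recurs in init at L611-L616 versus L622-L627. The constructor begins before this hunk and the outer `try` opened at L556 is closed outside it.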
@@ -168,6 +193,13 @@ public class OpenSSLContext implements o
if (ctx != 0) {
SSLContext.free(ctx);
}
+ if (cctx != 0) {
+ try {
+ SSLConf.free(cctx);
+ } catch (UnsatisfiedLinkError e) {
+
log.warn(sm.getString("openssl.missingOpenSSLConfSupport"), e);
+ }
+ }
if (aprPool != 0) {
Pool.destroy(aprPool);
}
@@ -343,6 +375,30 @@ public class OpenSSLContext implements o
SSLContext.setNpnProtos(ctx, protocolsArray,
SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
}
+ // Apply OpenSSLConfCmd if used
+ OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
+ if (openSslConf != null && cctx != 0) {
+ // Check OpenSSLConfCmd if used
+ log.info(sm.getString("openssl.checkConf"));
+ try {
+ if (!openSslConf.check(cctx)) {
+ log.error(sm.getString("openssl.errCheckConf"));
+ throw new
Exception(sm.getString("openssl.errCheckConf"));
+ }
+ } catch (Exception e) {
+ throw new Exception(sm.getString("openssl.errCheckConf"),
e);
+ }
+ log.info(sm.getString("openssl.applyConf"));
+ try {
+ if (!openSslConf.apply(cctx, ctx)) {
+ log.error(sm.getString("openssl.errApplyConf"));
+ throw new
SSLException(sm.getString("openssl.errApplyConf"));
+ }
+ } catch (Exception e) {
+ throw new
SSLException(sm.getString("openssl.errApplyConf"), e);
+ }
+ }
+
sessionContext = new OpenSSLSessionContext(ctx);
sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
initialized = true;
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Aug 19 21:32:23 2017
@@ -63,6 +63,14 @@
</subsection>
<subsection name="Coyote">
<changelog>
+ <add>
+ Add support for the OpenSSL SSL_CONF API when using TLS with
+ OpenSSL implementation. This will need tcnative 1.2.13.
+ It can be used by adding <code>OpenSSLConf</code> elements
+ underneath <code>SSLHostConfig</code>. The new element contains
+ a list of <code>OpenSSLConfCmd</code> elements, each with
+ the attributes <code>name</code> and <code>value</code>.
+ </add>
<fix>
When using JSSE TLS configuration with the OpenSSL implementation and
client certificates: include client CA subjects in the TLS handshake