Author: rjung Date: Sat Aug 19 21:32:23 2017 New Revision: 1805528 URL: http://svn.apache.org/viewvc?rev=1805528&view=rev Log: Add support for the OpenSSL SSL_CONF API when using TLS with OpenSSL implementation.
This will need tcnative 1.2.13. It can be used by adding OpenSSLConf elements underneath SSLHostConfig. The new element contains a list of OpenSSLConfCmd elements, each with the attributes "name" and "value". Example: <SSLHostConfig> <OpenSSLConf> <OpenSSLConfCmd name="Protocol" value="-SSLv3,-TLSv1,TLSv1.1,TLSv1.2"/> <OpenSSLConfCmd name="CipherString" value="ECDHE-RSA-AES128-SHA"/> <OpenSSLConfCmd name="Options" value="-SessionTicket,-Compression,ServerPreference"/> </OpenSSLConf> </SSLHostConfig> Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java (with props) tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/startup/Catalina.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/startup/Catalina.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/Catalina.java?rev=1805528&r1=1805527&r2=1805528&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/startup/Catalina.java (original) +++ tomcat/trunk/java/org/apache/catalina/startup/Catalina.java Sat Aug 19 21:32:23 2017 
@@ -354,6 +354,20 @@ public class Catalina { "addCertificate", "org.apache.tomcat.util.net.SSLHostConfigCertificate"); + digester.addObjectCreate("Server/Service/Connector/SSLHostConfig/OpenSSLConf", + "org.apache.tomcat.util.net.openssl.OpenSSLConf"); + digester.addSetProperties("Server/Service/Connector/SSLHostConfig/OpenSSLConf"); + digester.addSetNext("Server/Service/Connector/SSLHostConfig/OpenSSLConf", + "setOpenSslConf", + "org.apache.tomcat.util.net.openssl.OpenSSLConf"); + + digester.addObjectCreate("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd", + "org.apache.tomcat.util.net.openssl.OpenSSLConfCmd"); + digester.addSetProperties("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd"); + digester.addSetNext("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd", + "addCmd", + "org.apache.tomcat.util.net.openssl.OpenSSLConfCmd"); + digester.addObjectCreate("Server/Service/Connector/Listener", null, // MUST be specified in the element "className"); Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805528&r1=1805527&r2=1805528&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Aug 19 21:32:23 2017 @@ -43,6 +43,7 @@ import org.apache.tomcat.jni.OS; import org.apache.tomcat.jni.Poll; import org.apache.tomcat.jni.Pool; import org.apache.tomcat.jni.SSL; +import org.apache.tomcat.jni.SSLConf; import org.apache.tomcat.jni.SSLContext; import org.apache.tomcat.jni.SSLContext.SNICallBack; import org.apache.tomcat.jni.SSLSocket; 
@@ -55,6 +56,7 @@ import org.apache.tomcat.util.collection import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState; import org.apache.tomcat.util.net.Acceptor.AcceptorState; import org.apache.tomcat.util.net.SSLHostConfig.Type; +import org.apache.tomcat.util.net.openssl.OpenSSLConf; import org.apache.tomcat.util.net.openssl.OpenSSLEngine; 
@@ -540,6 +542,51 @@ public class AprEndpoint extends Abstrac String[] protocolsArray = protocols.toArray(new String[0]); SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE); } + + long cctx; + OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf(); + if (openSslConf != null) { + // Create OpenSSLConfCmd context if used + try { + log.info(sm.getString("endpoint.apr.makeConf")); + cctx = SSLConf.make(rootPool, + SSL.SSL_CONF_FLAG_FILE | + SSL.SSL_CONF_FLAG_SERVER | + SSL.SSL_CONF_FLAG_CERTIFICATE | + SSL.SSL_CONF_FLAG_SHOW_ERRORS); + } catch (UnsatisfiedLinkError e) { + log.warn(sm.getString("endpoint.apr.missingOpenSSLConfSupport"), e); + throw new Exception(sm.getString("endpoint.apr.errMakeConf"), e); + } catch (Exception e) { + throw new Exception(sm.getString("endpoint.apr.errMakeConf"), e); + } + if (cctx != 0) { + // Check OpenSSLConfCmd if used + log.info(sm.getString("endpoint.apr.checkConf")); + try { + if (!openSslConf.check(cctx)) { + log.error(sm.getString("endpoint.apr.errCheckConf")); + throw new Exception(sm.getString("endpoint.apr.errCheckConf")); + } + } catch (Exception e) { + throw new Exception(sm.getString("endpoint.apr.errCheckConf"), e); + } + // Apply OpenSSLConfCmd if used + log.info(sm.getString("endpoint.apr.applyConf")); + try { + if (!openSslConf.apply(cctx, ctx)) { + log.error(sm.getString("endpoint.apr.errApplyConf")); + throw new Exception(sm.getString("endpoint.apr.errApplyConf")); + } + } catch (Exception e) { + throw new Exception(sm.getString("endpoint.apr.errApplyConf"), e); + } + } + } else { + cctx = 0; + } + + sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx)); sslHostConfig.setOpenSslContext(Long.valueOf(ctx)); } 
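Review bot: `sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx))` runs only after check and apply have succeeded, so when either of them throws, the conf context just created by `SSLConf.make` is never recorded and the release code in the @@ -551 hunk has nothing to `SSLConf.free()`; the OpenSSLContext constructor in this same commit records cctx immediately after make, so the two implementations disagree. Moving the call to directly after the make try/catch, `sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx));` before `if (cctx != 0) {`, keeps them consistent (rootPool may reclaim the native memory eventually, but that is not visible here). Separately, `catch (Exception e) { throw new Exception(sm.getString("endpoint.apr.errCheckConf"), e); }` rewraps the exception thrown two lines above with the same message, so the cause chain carries it twice; narrowing the try to the `openSslConf.check(cctx)` call and throwing from the `if` outside it avoids that, and the same applies to the apply block. The enclosing method starts and ends outside the hunk.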
@@ -551,6 +598,15 @@ public class AprEndpoint extends Abstrac SSLContext.free(ctx.longValue()); sslHostConfig.setOpenSslContext(null); } + Long cctx = sslHostConfig.getOpenSslConfContext(); + if (cctx != null) { + try { + SSLConf.free(cctx.longValue()); + } catch (UnsatisfiedLinkError e) { + log.warn(sm.getString("endpoint.apr.missingOpenSSLConfSupport"), e); + } + sslHostConfig.setOpenSslConfContext(null); + } } Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1805528&r1=1805527&r2=1805528&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Sat Aug 19 21:32:23 2017 
@@ -74,6 +74,14 @@ endpoint.apr.pollMergeEvents=Merge polle
 endpoint.apr.pollUnknownEvent=A socket was returned from the poller with an unrecognized event [{0}]
 endpoint.apr.tooManyCertFiles=More certificate files were configured than the AprEndpoint can handle
 endpoint.apr.remoteport=APR socket [{0}] opened with remote port [{1}]
+endpoint.apr.makeConf=Creating OpenSSLConf context
+endpoint.apr.errMakeConf=Could not create OpenSSLConf context
+endpoint.apr.checkConf=Checking OpenSSLConf
+endpoint.apr.errCheckConf=Error during OpenSSLConf check
+endpoint.apr.assignConf=Assigning SSL context to OpenSSLConfCmd context
+endpoint.apr.applyConf=Applying OpenSSLConfCmd to SSL context
+endpoint.apr.errApplyConf=Could not apply OpenSSLConf to SSL context
+endpoint.apr.missingOpenSSLConfSupport=Your tcnative library has no support for OpenSSLConf, version 1.2.13 or higher is required.
 endpoint.jsse.noSslContext=No SSLContext could be found for the host name [{0}]
 endpoint.nio.registerFail=Failed to register socket with selector from poller
 endpoint.nio.selectorCloseFail=Failed to close selector when closing the poller
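Review bot: `endpoint.apr.assignConf` is added here but none of the AprEndpoint hunks in this commit look it up; the only assign step, `SSLConf.assign(cctx, ctx)` in `OpenSSLConf.apply()`, logs nothing on success. Either log it there (the openssl LocalStrings file gets the parallel `openssl.assignConf`) or drop the unused key so the two properties files do not accumulate dead strings. The other seven keys added here match the ones the AprEndpoint hunk requests.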
@@ -130,6 +138,8 @@ sslHostConfig.certificate.notype=Multipl sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] and is for connectors of type [{2}] but the SSLHostConfig is being used with a connector of type [{3}] sslHostConfig.prefix_missing=The protocol [{0}] was added to the list of protocols on the SSLHostConfig named [{1}]. Check if a +/- prefix is missing. sslHostConfigCertificate.mismatch=The property [{0}] was set on the SSLHostConfigCertificate named [{1}] and is for certificate storage type [{2}] but the certificate is being used with a storage of type [{3}] +sslHostConfig.opensslconf.null=Attempt to set null OpenSSLConf ignored +sslHostConfig.opensslconf.alreadyset=Attempt to set another OpenSSLConf ignored sslImplementation.cnfe= Unable to create SSLImplementation for class [{0}] Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1805528&r1=1805527&r2=1805528&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Sat Aug 19 21:32:23 2017 @@ -33,6 +33,7 @@ import javax.net.ssl.TrustManagerFactory import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.util.net.openssl.OpenSSLConf; import org.apache.tomcat.util.net.openssl.ciphers.Cipher; import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser; import org.apache.tomcat.util.res.StringManager; 
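Review bot: Both new messages say the attempt is "ignored", but `SSLHostConfig.setOpenSslConf` in this commit throws an IllegalArgumentException carrying them, so the text contradicts what the operator sees at startup. Wording that describes the rejected configuration fits the behaviour better, e.g. `sslHostConfig.opensslconf.null=Attempt to set a null OpenSSLConf` and `sslHostConfig.opensslconf.alreadyset=Only one OpenSSLConf element is permitted per SSLHostConfig`.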
@@ -66,10 +67,11 @@ public class SSLHostConfig implements Se private String hostName = DEFAULT_SSL_HOST_NAME; + private transient Long openSslConfContext = new Long(0); // OpenSSL can handle multiple certs in a single config so the reference to // the context is here at the virtual host level. JSSE can't so the // reference is held on the certificate. - private transient Long openSslContext; + private transient Long openSslContext = new Long(0); // Configuration properties @@ -110,6 +112,7 @@ public class SSLHostConfig implements Se private boolean disableCompression = true; private boolean disableSessionTickets = false; private boolean insecureRenegotiation = false; + private OpenSSLConf openSslConf = null; public SSLHostConfig() { // Set defaults that can't be (easily) set when defining the fields. @@ -117,6 +120,16 @@ public class SSLHostConfig implements Se } + public Long getOpenSslConfContext() { + return openSslConfContext; + } + + + public void setOpenSslConfContext(Long openSslConfContext) { + this.openSslConfContext = openSslConfContext; + } + + public Long getOpenSslContext() { return openSslContext; } 
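Review bot: Changing the default of `openSslContext` from null to `new Long(0)`, and giving the new `openSslConfContext` the same default, defeats the `!= null` guards in AprEndpoint's release hunk (@@ -551), which will now reach `SSLConf.free(0)` — and presumably `SSLContext.free(0)` behind the same kind of guard — for a host config whose native contexts were never created; whether tcnative tolerates a 0 handle is not visible here. Unless another caller needs a non-null value, keep `private transient Long openSslContext;` as it was and declare `private transient Long openSslConfContext;` the same way, or have the release code test `longValue() != 0` as well. If a boxed zero really is wanted, `Long.valueOf(0L)` is the form the rest of the commit uses.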
@@ -235,6 +248,22 @@ public class SSLHostConfig implements Se
     }
 
 
+    public OpenSSLConf getOpenSslConf() {
+        return openSslConf;
+    }
+
+
+    public void setOpenSslConf(OpenSSLConf conf) {
+        if (conf == null) {
+            throw new IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.null"));
+        } else if (openSslConf != null) {
+            throw new IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.alreadySet"));
+        }
+        setProperty("<OpenSSLConf>", Type.OPENSSL);
+        openSslConf = conf;
+    }
+
+
     public Set<SSLHostConfigCertificate> getCertificates() {
         return getCertificates(false);
     }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties Sat Aug 19 21:32:23 2017
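Review bot: The second branch looks up `sslHostConfig.opensslconf.alreadySet`, but the key this commit adds to LocalStrings is `sslHostConfig.opensslconf.alreadyset` (lower-case s), so a duplicate `<OpenSSLConf>` element will throw with the raw key as its message. Align one side, e.g. `sm.getString("sslHostConfig.opensslconf.alreadyset")`. A short Javadoc on `setOpenSslConf` stating that only one OpenSSLConf is accepted per SSLHostConfig, and that the call marks the config as OpenSSL-only through `setProperty("<OpenSSLConf>", Type.OPENSSL)`, would also help the next reader.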
@@ -21,6 +21,24 @@ openssl.keyManagerMissing=No key manager openssl.incompleteClientCASupport=Incomplete support for client CAs, please update your tcnative version openssl.trustManagerMissing=No trust manager found openssl.addedClientCaCert=Added client CA cert: [{0}] +openssl.makeConf=Creating OpenSSLConf context +openssl.errMakeConf=Could not create OpenSSLConf context +openssl.checkConf=Checking OpenSSLConf +openssl.errCheckConf=Error during OpenSSLConf check +openssl.assignConf=Assigning SSL context to OpenSSLConfCmd context +openssl.applyConf=Applying OpenSSLConfCmd to SSL context +openssl.errApplyConf=Could not apply OpenSSLConf to SSL context +openssl.missingOpenSSLConfSupport=Your tcnative library has no support for OpenSSLConf, version 1.2.13 or higher is required. + +opensslconf.checkCommand=OpenSSLConf checking command (name [{0}], value [{1}]) +opensslconf.checkFailed=Failure while checking OpenSSLConf +opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}]) +opensslconf.applyFailed=Failure while applying OpenSSLConf to SSL context +opensslconf.failedCommand=OpenSSLConf failed command (name [{0}], value [{1}]) with result [{2}] - will be ignored +opensslconf.failedFinish=OpenSSLConf finish failed with result [{2}] +opensslconf.noCommandName=OpenSSLConf no command name - will be ignored (command value [{0}]) +opensslconf.resultCommand=OpenSSLConf command (name [{0}], value [{1}]) returned [{2}] +opensslconf.missingOpenSSLConfSupport=Your tcnative library has no support for OpenSSLConf, version 1.2.13 or higher is required. 
engine.engineClosed=Engine is closed engine.renegotiationUnsupported=Renegotiation is not supported Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java?rev=1805528&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java (added) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java Sat Aug 19 21:32:23 2017 
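Review bot: `opensslconf.failedFinish` formats `{2}`, but the only caller visible in this commit, `OpenSSLConf.apply()`, passes a single argument (the return code) and requests the key as `opensslconf.finishFailed`, so a failed `SSLConf.finish` logs neither the message nor the code. Rename the key and fix the placeholder: `opensslconf.finishFailed=OpenSSLConf finish failed with result [{0}]`. As with `endpoint.apr.assignConf`, `openssl.assignConf` is not referenced by any hunk in this commit.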
@@ -0,0 +1,131 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.jni.SSLConf;
+import org.apache.tomcat.util.res.StringManager;
+
+public class OpenSSLConf {
+
+    private static final Log log = LogFactory.getLog(OpenSSLConf.class);
+    private static final StringManager sm = StringManager.getManager(OpenSSLConf.class);
+
+    private final List<OpenSSLConfCmd> commands = new ArrayList<OpenSSLConfCmd>();
+
+    public void addCmd(OpenSSLConfCmd cmd) {
+        commands.add(cmd);
+    }
+
+    public boolean check(long cctx) throws Exception {
+        boolean result = true;
+        OpenSSLConfCmd cmd;
+        String name;
+        String value;
+        int rc;
+        for (int i = 0; i < commands.size(); i++) {
+            cmd = commands.get(i);
+            name = cmd.getName();
+            value = cmd.getValue();
+            if (name == null) {
+                log.error(sm.getString("opensslconf.noCommandName", value));
+                result = false;
+                continue;
+            }
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("opensslconf.checkCommand", name, value));
+            }
+            try {
+                rc = SSLConf.check(cctx, name, value);
+            } catch (UnsatisfiedLinkError e) {
+                log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+                log.error(sm.getString("opensslconf.checkFailed"));
+                return false;
+            }
+            if (rc <= 0) {
+                log.error(sm.getString("opensslconf.failedCommand", name, value, rc));
+                result = false;
+            } else if (log.isDebugEnabled()) {
+                log.debug(sm.getString("opensslconf.resultCommand", name, value, rc));
+            }
+        }
+        if (!result) {
+            log.error(sm.getString("opensslconf.checkFailed"));
+        }
+        return result;
+    }
+
+    public boolean apply(long cctx, long ctx) throws Exception {
+        boolean result = true;
+        try {
+            SSLConf.assign(cctx, ctx);
+        } catch (UnsatisfiedLinkError e) {
+            log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+            log.error(sm.getString("opensslconf.applyFailed"));
+            return false;
+        }
+        OpenSSLConfCmd cmd;
+        String name;
+        String value;
+        int rc;
+        for (int i = 0; i < commands.size(); i++) {
+            cmd = commands.get(i);
+            name = cmd.getName();
+            value = cmd.getValue();
+            if (name == null) {
+                log.error(sm.getString("opensslconf.noCommandName", value));
+                result = false;
+                continue;
+            }
+            if (log.isDebugEnabled()) {
+                log.debug(sm.getString("opensslconf.applyCommand", name, value));
+            }
+            try {
+                rc = SSLConf.apply(cctx, name, value);
+            } catch (UnsatisfiedLinkError e) {
+                log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+                log.error(sm.getString("opensslconf.applyFailed"));
+                return false;
+            }
+            if (rc <= 0) {
+                log.error(sm.getString("opensslconf.failedCommand", name, value, rc));
+                result = false;
+            } else if (log.isDebugEnabled()) {
+                log.debug(sm.getString("opensslconf.resultCommand", name, value, rc));
+            }
+        }
+        try {
+            rc = SSLConf.finish(cctx);
+        } catch (UnsatisfiedLinkError e) {
+            log.warn(sm.getString("opensslconf.missingOpenSSLConfSupport"), e);
+            log.error(sm.getString("opensslconf.applyFailed"));
+            return false;
+        }
+        if (rc <= 0) {
+            log.error(sm.getString("opensslconf.finishFailed", rc));
+            result = false;
+        }
+        if (!result) {
+            log.error(sm.getString("opensslconf.applyFailed"));
+        }
+        return result;
+    }
+}
Propchange: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java?rev=1805528&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java (added)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java Sat Aug 19 21:32:23 2017
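Review bot: `check()` and `apply()` declare `throws Exception` although neither throws a checked exception (the only failure they see, UnsatisfiedLinkError, is caught and turned into a false return), and that clause is what forces the catch-and-rewrap blocks in the AprEndpoint and OpenSSLContext hunks; dropping it lets callers act on the boolean alone. A command whose `value` is null is only rejected when the name is missing too — otherwise the null is handed straight to `SSLConf.check`/`SSLConf.apply`, and how tcnative treats a null Java string there is not visible; rejecting it up front with its own message (`if (value == null) { log.error(...); result = false; continue; }`) would fail fast at startup instead. The identical UnsatisfiedLinkError handling appears four times; one private helper that logs the two messages and returns false would shorten both methods.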
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.openssl;
+
+public class OpenSSLConfCmd {
+
+    private String name = null;
+    private String value = null;
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getValue() {
+        return value;
+    }
+
+    public void setValue(String value) {
+        this.value = value;
+    }
+}
Propchange: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805528&r1=1805527&r2=1805528&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ 
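Review bot: `OpenSSLConfCmd` carries no class comment, so nothing in the file says what a name/value pair is or which digester rule fills it in. A one-line Javadoc above the class would do, e.g. `/** One OpenSSLConfCmd element under OpenSSLConf: a name/value pair passed to the OpenSSL SSL_CONF API via SSLConf.check/apply. */`. Both fields default to null and nothing validates them here; if that is deliberate (validation happens in OpenSSLConf.check), saying so in the comment saves the next reader a search.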
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Sat Aug 19 21:32:23 2017 @@ -44,6 +44,7 @@ import org.apache.juli.logging.LogFactor import org.apache.tomcat.jni.CertificateVerifier; import org.apache.tomcat.jni.Pool; import org.apache.tomcat.jni.SSL; +import org.apache.tomcat.jni.SSLConf; import org.apache.tomcat.jni.SSLContext; import org.apache.tomcat.util.net.AbstractEndpoint; import org.apache.tomcat.util.net.Constants; @@ -88,6 +89,9 @@ public class OpenSSLContext implements o private final long aprPool; private final AtomicInteger aprPoolDestroyed = new AtomicInteger(0); + // OpenSSLConfCmd context + protected final long cctx; + // SSL context protected final long ctx; static final CertificateFactory X509_CERT_FACTORY; @@ -112,6 +116,27 @@ public class OpenSSLContext implements o aprPool = Pool.create(0); boolean success = false; try { + // Create OpenSSLConfCmd context if used + OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf(); + if (openSslConf != null) { + try { + log.info(sm.getString("openssl.makeConf")); + cctx = SSLConf.make(aprPool, + SSL.SSL_CONF_FLAG_FILE | + SSL.SSL_CONF_FLAG_SERVER | + SSL.SSL_CONF_FLAG_CERTIFICATE | + SSL.SSL_CONF_FLAG_SHOW_ERRORS); + } catch (UnsatisfiedLinkError e) { + log.warn(sm.getString("openssl.missingOpenSSLConfSupport"), e); + throw new Exception(sm.getString("openssl.errMakeConf"), e); + } catch (Exception e) { + throw new SSLException(sm.getString("openssl.errMakeConf"), e); + } + } else { + cctx = 0; + } + sslHostConfig.setOpenSslConfContext(Long.valueOf(cctx)); + // SSL protocol int value = SSL.SSL_PROTOCOL_NONE; for (String protocol : sslHostConfig.getEnabledProtocols()) { @@ -168,6 +193,13 @@ public class OpenSSLContext implements o if (ctx != 0) { SSLContext.free(ctx); } + if (cctx != 0) { + try { + SSLConf.free(cctx); + } catch (UnsatisfiedLinkError e) { + log.warn(sm.getString("openssl.missingOpenSSLConfSupport"), e); + } + } if (aprPool != 0) { Pool.destroy(aprPool); } 
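Review bot: In the constructor hunk the UnsatisfiedLinkError path throws a bare `Exception` while the generic catch throws `SSLException`, so a missing tcnative feature surfaces with a different type than every other SSL_CONF failure; `throw new SSLException(sm.getString("openssl.errMakeConf"), e);` in both branches keeps the contract uniform. The flag set `SSL.SSL_CONF_FLAG_FILE | SSL.SSL_CONF_FLAG_SERVER | SSL.SSL_CONF_FLAG_CERTIFICATE | SSL.SSL_CONF_FLAG_SHOW_ERRORS` is repeated verbatim from the AprEndpoint hunk; one shared constant would guarantee both contexts accept the same command syntax. The constructor's try block starts and ends outside the hunk.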
@@ -343,6 +375,30 @@ public class OpenSSLContext implements o SSLContext.setNpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE); } + // Apply OpenSSLConfCmd if used + OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf(); + if (openSslConf != null && cctx != 0) { + // Check OpenSSLConfCmd if used + log.info(sm.getString("openssl.checkConf")); + try { + if (!openSslConf.check(cctx)) { + log.error(sm.getString("openssl.errCheckConf")); + throw new Exception(sm.getString("openssl.errCheckConf")); + } + } catch (Exception e) { + throw new Exception(sm.getString("openssl.errCheckConf"), e); + } + log.info(sm.getString("openssl.applyConf")); + try { + if (!openSslConf.apply(cctx, ctx)) { + log.error(sm.getString("openssl.errApplyConf")); + throw new SSLException(sm.getString("openssl.errApplyConf")); + } + } catch (Exception e) { + throw new SSLException(sm.getString("openssl.errApplyConf"), e); + } + } + sessionContext = new OpenSSLSessionContext(ctx); sslHostConfig.setOpenSslContext(Long.valueOf(ctx)); initialized = true; Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805528&r1=1805527&r2=1805528&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Sat Aug 19 21:32:23 2017 
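Review bot: The OpenSSLConf commands are applied at the very end of init(), after the protocol selection done in the constructor (@@ -112 hunk) and the ALPN/NPN setup just above, so a `Protocol` or `CipherString` command silently overrides whatever the SSLHostConfig attributes configured; a comment here, `// Applied last on purpose: SSL_CONF commands override the equivalent SSLHostConfig settings`, and a sentence to that effect in the changelog entry would spare operators a weakened-TLS surprise. Also, the check failure throws a bare `Exception` while the apply failure throws `SSLException`, and each `catch (Exception e)` rewraps the exception thrown two lines above with the same message; throw `SSLException` in both places and narrow the try to the `openSslConf.check(cctx)` / `openSslConf.apply(cctx, ctx)` call. init() starts outside the hunk.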
@@ -63,6 +63,14 @@ </subsection> <subsection name="Coyote"> <changelog> + <add> + Add support for the OpenSSL SSL_CONF API when using TLS with + OpenSSL implementation. This will need tcnative 1.2.13. + It can be used by adding <code>OpenSSLConf</code> elements + underneath <code>SSLHostConfig</code>. The new element contains + a list of <code>OpenSSLConfCmd</code> elements, each with + the attributes <code>name</code> and <code>value</code>. + </add> <fix> When using JSSE TLS configuration with the OpenSSL implementation and client certificates: include client CA subjects in the TLS handshake --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org