This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 081ef1674c Add lifecycle listener for OpenSSL
081ef1674c is described below
commit 081ef1674cfbbc62f737a159deb8f7c1a3a9f9ca
Author: remm <[email protected]>
AuthorDate: Tue Oct 24 11:35:02 2023 +0200
Add lifecycle listener for OpenSSL
Using reflection unfortunately.
Add the switch to OpenSSL if loaded in the connector, similar to the APR
switch.
---
java/org/apache/catalina/connector/Connector.java | 12 +-
.../apache/catalina/core/LocalStrings.properties | 5 +
.../catalina/core/OpenSSLLifecycleListener.java | 191 +++++++++++++++++++++
webapps/docs/config/listeners.xml | 54 ++++++
4 files changed, 261 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/Connector.java
b/java/org/apache/catalina/connector/Connector.java
index 9202c0aa8b..5ef50ca140 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -41,8 +41,10 @@ import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.buf.B2CConverter;
import org.apache.tomcat.util.buf.CharsetUtil;
import org.apache.tomcat.util.buf.EncodedSolidusHandling;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.openssl.OpenSSLImplementation;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.res.StringManager;
@@ -1006,7 +1008,15 @@ public class Connector extends LifecycleMBeanBase {
setParseBodyMethods(getParseBodyMethods());
}
- if (AprStatus.isAprAvailable() && AprStatus.getUseOpenSSL() &&
+ if (JreCompat.isJre22Available() && OpenSSLStatus.isAvailable()
+ && protocolHandler instanceof AbstractHttp11Protocol) {
+ AbstractHttp11Protocol<?> jsseProtocolHandler =
(AbstractHttp11Protocol<?>) protocolHandler;
+ if (jsseProtocolHandler.isSSLEnabled() &&
jsseProtocolHandler.getSslImplementationName() == null) {
+ // OpenSSL is compatible with the JSSE configuration, so use
it if it is available
+ jsseProtocolHandler.setSslImplementationName
+
("org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation");
+ }
+ } else if (AprStatus.isAprAvailable() && AprStatus.getUseOpenSSL() &&
protocolHandler instanceof AbstractHttp11Protocol) {
AbstractHttp11Protocol<?> jsseProtocolHandler =
(AbstractHttp11Protocol<?>) protocolHandler;
if (jsseProtocolHandler.isSSLEnabled() &&
jsseProtocolHandler.getSslImplementationName() == null) {
diff --git a/java/org/apache/catalina/core/LocalStrings.properties
b/java/org/apache/catalina/core/LocalStrings.properties
index e737d23ff8..d4c6acb2e7 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -160,6 +160,11 @@ naming.wsdlFailed=Failed to find wsdl file: [{0}]
noPluggabilityServletContext.notAllowed=Section 4.4 of the Servlet 3.0
specification does not permit this method to be called from a
ServletContextListener that was not defined in web.xml, a web-fragment.xml file
nor annotated with @WebListener
+openssllistener.destroy=Failed shutdown of OpenSSL
+openssllistener.initializeFIPSFailed=Failed to enter FIPS mode
+openssllistener.java22=Tomcat OpenSSL support requires the FFM API which is
available in Java 22 and newer, tomcat-native should be used instead
+openssllistener.sslInit=Failed to initialize the SSLEngine.
+
propertiesRoleMappingListener.roleMappingFileNull=Role mapping file cannot be
null
propertiesRoleMappingListener.roleMappingFileEmpty=Role mapping file cannot be
empty
propertiesRoleMappingListener.roleMappingFileFail=Failed to load role mapping
file [{0}]
diff --git a/java/org/apache/catalina/core/OpenSSLLifecycleListener.java
b/java/org/apache/catalina/core/OpenSSLLifecycleListener.java
new file mode 100644
index 0000000000..c5bb8f7e6f
--- /dev/null
+++ b/java/org/apache/catalina/core/OpenSSLLifecycleListener.java
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Server;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
+import org.apache.tomcat.util.res.StringManager;
+
+
+
+/**
+ * Implementation of <code>LifecycleListener</code> that will do the global
+ * initialization of OpenSSL according to specified configuration parameters.
+ * Using the listener is completely optional, but is needed for configuration
+ * and full cleanup of a few native memory allocations.
+ */
+public class OpenSSLLifecycleListener implements LifecycleListener {
+
+ private static final Log log =
LogFactory.getLog(OpenSSLLifecycleListener.class);
+
+ /**
+ * The string manager for this package.
+ */
+ protected static final StringManager sm =
StringManager.getManager(OpenSSLLifecycleListener.class);
+
+
+ // ---------------------------------------------- LifecycleListener Methods
+
+ /**
+ * Primary entry point for startup and shutdown events.
+ *
+ * @param event The event that has occurred
+ */
+ @Override
+ public void lifecycleEvent(LifecycleEvent event) {
+
+ boolean initError = false;
+ if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
+ if (!(event.getLifecycle() instanceof Server)) {
+ log.warn(sm.getString("listener.notServer",
+ event.getLifecycle().getClass().getSimpleName()));
+ }
+ if (!JreCompat.isJre22Available()) {
+ log.info(sm.getString("openssllistener.java22"));
+ return;
+ }
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ openSSLLibraryClass.getMethod("init").invoke(null);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ log.error(sm.getString("openssllistener.sslInit"), t);
+ initError = true;
+ }
+ // Failure to initialize FIPS mode is fatal
+ if (!(null == getFIPSMode() ||
"off".equalsIgnoreCase(getFIPSMode())) && !isFIPSModeActive()) {
+ String errorMessage =
sm.getString("openssllistener.initializeFIPSFailed");
+ Error e = new Error(errorMessage);
+ // Log here, because thrown error might be not logged
+ log.fatal(errorMessage, e);
+ initError = true;
+ }
+ }
+ if (initError ||
Lifecycle.AFTER_DESTROY_EVENT.equals(event.getType())) {
+ if (!JreCompat.isJre22Available()) {
+ return;
+ }
+ // Note: Without the listener, destroy will never be called (which
is not a significant problem)
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ openSSLLibraryClass.getMethod("destroy").invoke(null);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ log.info(sm.getString("openssllistener.destroy"));
+ }
+ }
+
+ }
+
+ public String getSSLEngine() {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ return (String)
openSSLLibraryClass.getMethod("getSSLEngine").invoke(null);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ return null;
+ }
+
+ public void setSSLEngine(String SSLEngine) {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ openSSLLibraryClass.getMethod("setSSLEngine").invoke(null,
SSLEngine);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ }
+
+ public String getSSLRandomSeed() {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ return (String)
openSSLLibraryClass.getMethod("getSSLRandomSeed").invoke(null);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ return null;
+ }
+
+ public void setSSLRandomSeed(String SSLRandomSeed) {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ openSSLLibraryClass.getMethod("setSSLRandomSeed").invoke(null,
SSLRandomSeed);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ }
+
+ public String getFIPSMode() {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ return (String)
openSSLLibraryClass.getMethod("getFIPSMode").invoke(null);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ return null;
+ }
+
+ public void setFIPSMode(String FIPSMode) {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ openSSLLibraryClass.getMethod("setFIPSMode").invoke(null,
FIPSMode);
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ }
+
+ public boolean isFIPSModeActive() {
+ if (JreCompat.isJre22Available()) {
+ try {
+ Class<?> openSSLLibraryClass =
Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+ return ((Boolean)
openSSLLibraryClass.getMethod("isFIPSModeActive").invoke(null)).booleanValue();
+ } catch (Throwable t) {
+ t = ExceptionUtils.unwrapInvocationTargetException(t);
+ ExceptionUtils.handleThrowable(t);
+ }
+ }
+ return false;
+ }
+
+}
diff --git a/webapps/docs/config/listeners.xml
b/webapps/docs/config/listeners.xml
index a34b62d515..df2999e7bd 100644
--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -295,6 +295,60 @@
</subsection>
+ <subsection name="OpenSSL Lifecycle Listener -
org.apache.catalina.core.OpenSSLLifecycleListener">
+
+ <p>The <strong>OpenSSL Lifecycle Listener</strong> checks for the presence
+ of the OpenSSL library and loads the library if it is present. This
+ uses the FFM API and requires Java 22 or newer. When enabled and
+ successfully loaded, NIO and NIO2 connector will then make use of OpenSSL
+ for TLS functionality.</p>
+
+ <p>This listener must only be nested within <a
href="server.html">Server</a>
+ elements.</p>
+
+ <p>The following additional attributes are supported by the <strong>APR
+ Lifecycle Listener</strong>:</p>
+
+ <attributes>
+
+ <attribute name="SSLEngine" required="false">
+ <p>Name of the SSLEngine to use, for OpenSSL 1.x.</p>
+ <p>See the <a href="http://www.openssl.org/";>Official OpenSSL
website</a>
+ for more details on supported SSL hardware engines and manufacturers.
+ </p>
+ </attribute>
+
+ <attribute name="SSLRandomSeed" required="false">
+ <p>Entropy source used to seed the SSLEngine's PRNG. The default value
+ is <code>builtin</code>. On development systems, you may want to set
+ this to <code>/dev/urandom</code> to allow quicker start times.</p>
+ </attribute>
+
+ <attribute name="FIPSMode" required="false">
+ <p>The behaviour of this attribute depends on whether Tomcat Native has
+ been compiled against OpenSSL 1.x or OpenSSL 3.x.</p>
+ <p>For OpenSSL 1.x: Set to <code>on</code> to request that OpenSSL be
in
+ FIPS mode (if OpenSSL is already in FIPS mode, it will remain in FIPS
+ mode).
+ Set to <code>enter</code> to force OpenSSL to enter FIPS mode (an
+ error will occur if OpenSSL is already in FIPS mode).
+ Set to <code>require</code> to require that OpenSSL <i>already</i> be
+ in FIPS mode (an error will occur if OpenSSL is not already in FIPS
+ mode).</p>
+ <p>For OpenSSL 3.x: <code>on</code>, <code>enter</code> and
+ <code>require</code> all behave the same way. If the FIPS provider is
+ the default provider, it will be used. If the FIPS provider is not the
+ default provider, an error will occur.</p>
+ <p>FIPS mode <em>requires you to have a FIPS-capable OpenSSL
library</em>.
+ If this attribute is set to anything other than <code>off</code>, the
+ <b>SSLEngine</b> must be enabled as well.</p>
+ <p>The default value is <code>off</code>.</p>
+ </attribute>
+
+ </attributes>
+
+ </subsection>
+
<subsection name="Properties Role Mapping Listener -
org.apache.catalina.core.PropertiesRoleMappingListener">
<p>The <strong>Properties Role Mapping Listener</strong> populates the
context's role mapping
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
