Hakky54 opened a new pull request, #805: URL: https://github.com/apache/tomcat/pull/805
This PR is a follow-up of the following earlier PR: https://github.com/apache/tomcat/pull/673. Although that pull request didn't get merged, the code changes have been committed to the main branch by the main developer, see here for the specific commit: https://github.com/apache/tomcat/commit/b0df9819c8d130adab0490b89dce1ab4ca6a3448

**Context**

With the earlier commit it is now possible to programmatically configure the SSL configuration of Tomcat instead of using properties and delegating to Tomcat to construct the SSL configuration. This opens the possibility of reloading the SSL configuration or other customizations, as shown also here: [sslcontext-kickstart](https://github.com/Hakky54/sslcontext-kickstart)

**Problem statement**

Boilerplate code is needed by the end-user to provide a custom SSL configuration. Tomcat takes a custom SSLContext, the full name is `org.apache.tomcat.util.net.SSLContext`, while the end-user has `javax.net.ssl.SSLContext`. So the end-user is required to create an implementation of `org.apache.tomcat.util.net.SSLContext` which acts as a wrapper. This SSLContext needs to be passed to `SSLHostConfigCertificate` to further configure the server.

**Solution**

Provide a helper class which acts as a wrapper to reduce the boilerplate code.
The utility interface is able to provide a method to wrap the required objects, in this case `javax.net.ssl.SSLContext`, KeyManager and TrustManager, in a `org.apache.tomcat.util.net.SSLContext`.

**Example usage**

```java
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.net.SSLUtil;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

@Configuration
public class SSLConnectorCustomizer implements TomcatConnectorCustomizer {

    private final int port;

    public SSLConnectorCustomizer(@Value("${server.port}") int port) {
        this.port = port;
    }

    @Override
    public void customize(Connector connector) {
        X509KeyManager keyManager = ...;     // initialized keyManager
        X509TrustManager trustManager = ...; // initialized trustManager
        SSLContext sslContext = ...;         // initialized sslContext

        connector.setScheme("https");
        connector.setSecure(true);
        connector.setPort(port);

        AbstractHttp11Protocol<?> protocol = (AbstractHttp11Protocol<?>) connector.getProtocolHandler();
        protocol.setSSLEnabled(true);

        org.apache.tomcat.util.net.SSLContext context =
                SSLUtil.createSSLContext(sslContext, keyManager, trustManager);

        SSLHostConfig sslHostConfig = new SSLHostConfig();
        SSLHostConfigCertificate certificate =
                new SSLHostConfigCertificate(sslHostConfig, Type.UNDEFINED);
        certificate.setSslContext(context);
        sslHostConfig.addCertificate(certificate);
        protocol.addSslHostConfig(sslHostConfig);
    }
}
```

In the past I created the same PR, but I assumed it would not get merged and therefore I gave up and closed the PR.
But I still think it is useful and decided to recreate the PR to give it another shot. Looking forward to your feedback and decision for this PR.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
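For reference, this is the kind of wrapper the problem statement above says an end-user has to write today, added here as an example and not code from the pull request or from Tomcat: it implements `org.apache.tomcat.util.net.SSLContext` by delegating to an already-initialised `javax.net.ssl.SSLContext` plus the caller's `X509KeyManager` and `X509TrustManager`. The class name `TomcatSslContextWrapper` and the choice to make `init` a no-op (because the caller has already initialised the wrapped context) are assumptions of this example.

```java
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical wrapper (not Tomcat code): adapts an already-initialised
// javax.net.ssl.SSLContext to org.apache.tomcat.util.net.SSLContext so it can be
// handed to SSLHostConfigCertificate.setSslContext(...).
public final class TomcatSslContextWrapper implements org.apache.tomcat.util.net.SSLContext {
    private final javax.net.ssl.SSLContext sslContext;
    private final X509KeyManager keyManager;
    private final X509TrustManager trustManager;

    public TomcatSslContextWrapper(javax.net.ssl.SSLContext sslContext,
            X509KeyManager keyManager, X509TrustManager trustManager) {
        this.sslContext = sslContext;
        this.keyManager = keyManager;
        this.trustManager = trustManager;
    }

    @Override
    public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr)
            throws KeyManagementException {
        // Assumption: caller already initialised sslContext; Tomcat-derived managers are not applied.
    }

    @Override
    public void destroy() { /* nothing to release: the wrapped context is owned by the caller */ }
    @Override
    public SSLSessionContext getServerSessionContext() { return sslContext.getServerSessionContext(); }
    @Override
    public SSLEngine createSSLEngine() { return sslContext.createSSLEngine(); }
    @Override
    public SSLServerSocketFactory getServerSocketFactory() { return sslContext.getServerSocketFactory(); }
    @Override
    public SSLParameters getSupportedSSLParameters() { return sslContext.getSupportedSSLParameters(); }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        // Server certificate chain for the alias, taken from the caller's key manager.
        return keyManager.getCertificateChain(alias);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // CAs advertised to clients when client certificate authentication is enabled.
        return trustManager.getAcceptedIssuers();
    }
}
```

The helper proposed by the PR (`SSLUtil.createSSLContext(sslContext, keyManager, trustManager)` in the example usage) would replace exactly this class on the end-user's side.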