Author: markt
Date: Thu Nov 19 18:00:09 2009
New Revision: 882231
URL: http://svn.apache.org/viewvc?rev=882231&view=rev
Log:
Fix SSL for BIO post refactoring
Make attribute names consistent
Endpoints are now responsible for configuring the SSL "engine"
Basics work but still needs more testing
NIO & APR to follow
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Thu Nov 19
18:00:09 2009
@@ -284,12 +284,8 @@
replacements.put("connectionLinger", "soLinger");
replacements.put("connectionTimeout", "soTimeout");
replacements.put("connectionUploadTimeout", "timeout");
- replacements.put("clientAuth", "clientauth");
- replacements.put("keystoreFile", "keystore");
replacements.put("randomFile", "randomfile");
replacements.put("rootFile", "rootfile");
- replacements.put("keystorePass", "keypass");
- replacements.put("keystoreType", "keytype");
replacements.put("sslProtocols", "protocols");
}
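Review bot: Dropping the `clientauth`, `keystore`, `keypass` and `keytype` replacements means a server.xml that still uses those legacy lowercase spellings no longer reaches the new camelCase properties, and the one that matters most, `clientauth="true"`, would then leave the connector accepting connections without a client certificate if unrecognised attributes are merely warned about or ignored (that handling is outside this hunk). Unless the rename is intended as a hard break, keep the map but point it at the new canonical names, e.g. `replacements.put("clientauth", "clientAuth");` and likewise `keystore` to `keystoreFile`, `keypass` to `keyPass`, `keytype` to `keystoreType`. The static initializer this hunk edits begins before it.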
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu
Nov 19 18:00:09 2009
@@ -325,49 +325,68 @@
public int getSoLinger() { return endpoint.getSoLinger(); }
public void setSoLinger(int soLinger) { endpoint.setSoLinger(soLinger); }
+ // JSSE SSL attrbutes
+ public String getAlgorithm() { return endpoint.getAlgorithm();}
+ public void setAlgorithm(String s ) { endpoint.setAlgorithm(s);}
+ public String getClientAuth() { return endpoint.getClientAuth();}
+ public void setClientAuth(String s ) { endpoint.setClientAuth(s);}
+
public String getKeystoreFile() { return endpoint.getKeystoreFile();}
public void setKeystoreFile(String s ) { endpoint.setKeystoreFile(s);}
- public void setKeystore(String s) { setKeystoreFile(s);}
- public String getKeystore(){ return getKeystoreFile();}
- public String getKeyAlias() { return (endpoint).getKeyAlias();}
- public void setKeyAlias(String s ) { (endpoint).setKeyAlias(s);}
-
-
- public String getAlgorithm() { return (endpoint).getAlgorithm();}
- public void setAlgorithm(String s ) { (endpoint).setAlgorithm(s);}
-
- public void setClientauth(String s) {setClientAuth(s);}
- public String getClientauth(){ return getClientAuth();}
- public String getClientAuth() { return (endpoint).getClientAuth();}
- public void setClientAuth(String s ) { (endpoint).setClientAuth(s);}
-
- public String getKeystorePass() { return (endpoint).getKeystorePass();}
- public void setKeystorePass(String s ) { (endpoint).setKeystorePass(s);}
- public void setKeypass(String s) { setKeystorePass(s);}
- public String getKeypass() { return getKeystorePass();}
- public String getKeystoreType() { return (endpoint).getKeystoreType();}
- public void setKeystoreType(String s ) { (endpoint).setKeystoreType(s);}
- public String getKeytype() { return getKeystoreType();}
- public void setKeytype(String s ) { setKeystoreType(s);}
-
- public void setTruststoreFile(String f){(endpoint).setTruststoreFile(f);}
- public String getTruststoreFile(){return (endpoint).getTruststoreFile();}
- public void setTruststorePass(String p){(endpoint).setTruststorePass(p);}
- public String getTruststorePass(){return (endpoint).getTruststorePass();}
- public void setTruststoreType(String t){(endpoint).setTruststoreType(t);}
- public String getTruststoreType(){ return (endpoint).getTruststoreType();}
+
+ public String getKeystorePass() { return endpoint.getKeystorePass();}
+ public void setKeystorePass(String s ) { endpoint.setKeystorePass(s);}
+ public String getKeystoreType() { return endpoint.getKeystoreType();}
+ public void setKeystoreType(String s ) { endpoint.setKeystoreType(s);}
+
+ public String getKeystoreProvider() { return
endpoint.getKeystoreProvider();}
+ public void setKeystoreProvider(String s ) {
endpoint.setKeystoreProvider(s);}
+
+ public String getSslProtocol() { return endpoint.getSslProtocol();}
+ public void setSslProtocol(String s) { endpoint.setSslProtocol(s);}
- public String getSslProtocol() { return (endpoint).getSslProtocol();}
- public void setSslProtocol(String s) { (endpoint).setSslProtocol(s);}
+ public String getCiphers() { return endpoint.getCiphers();}
+ public void setCiphers(String s) { endpoint.setCiphers(s);}
+
+ public String getKeyAlias() { return endpoint.getKeyAlias();}
+ public void setKeyAlias(String s ) { endpoint.setKeyAlias(s);}
+
+ public String getKeyPass() { return endpoint.getKeyPass();}
+ public void setKeyPass(String s ) { endpoint.setKeyPass(s);}
- public String getCiphers() { return (endpoint).getCiphers();}
- public void setCiphers(String s) { (endpoint).setCiphers(s);}
+ public void setTruststoreFile(String f){ endpoint.setTruststoreFile(f);}
+ public String getTruststoreFile(){ return endpoint.getTruststoreFile();}
+
+ public void setTruststorePass(String p){ endpoint.setTruststorePass(p);}
+ public String getTruststorePass(){return endpoint.getTruststorePass();}
+
+ public void setTruststoreType(String t){ endpoint.setTruststoreType(t);}
+ public String getTruststoreType(){ return endpoint.getTruststoreType();}
+
+ public void setTruststoreProvider(String
t){endpoint.setTruststoreProvider(t);}
+ public String getTruststoreProvider(){ return
endpoint.getTruststoreProvider();}
+
+ public void setTruststoreAlgorithm(String
a){endpoint.setTruststoreAlgorithm(a);}
+ public String getTruststoreAlgorithm(){ return
endpoint.getTruststoreAlgorithm();}
+
+ public void setTrustMaxCertLength(String
s){endpoint.setTrustMaxCertLength(s);}
+ public String getTrustMaxCertLength(){ return
endpoint.getTrustMaxCertLength();}
+
+ public void setCrlFile(String s){endpoint.setCrlFile(s);}
+ public String getCrlFile(){ return endpoint.getCrlFile();}
+ public void setSessionCacheSize(String s){endpoint.setSessionCacheSize(s);}
+ public String getSessionCacheSize(){ return
endpoint.getTruststoreAlgorithm();}
+ public void setSessionTimeout(String
s){endpoint.setTruststoreAlgorithm(s);}
+ public String getSessionTimeout(){ return
endpoint.getTruststoreAlgorithm();}
+
+
public abstract void init() throws Exception;
public abstract void start() throws Exception;
+
// -------------------- JMX related methods --------------------
// *
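Review bot: The last three accessors of the new SSL block are wired to the wrong endpoint property: `getSessionCacheSize()` returns `endpoint.getTruststoreAlgorithm()`, `setSessionTimeout(String)` calls `endpoint.setTruststoreAlgorithm(s)`, and `getSessionTimeout()` again returns the truststore algorithm, so configuring a session timeout on the connector silently replaces the TrustManagerFactory algorithm and the timeout itself is never set. The endpoint names this property `sessionCacheTimeout` (the NioEndpoint hunk calls `getSessionCacheTimeout()`), so the corrected lines are `public String getSessionCacheSize(){ return endpoint.getSessionCacheSize();}`, `public void setSessionCacheTimeout(String s){endpoint.setSessionCacheTimeout(s);}` and `public String getSessionCacheTimeout(){ return endpoint.getSessionCacheTimeout();}`. The class continues outside the hunk.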
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Nov
19 18:00:09 2009
@@ -77,7 +77,40 @@
public enum SocketState {
OPEN, CLOSED, LONG
}
- }
+ }
+
+ // Standard SSL Configuration attributes
+ // JSSE
+ // Standard configuration attribute names
+ public static final String SSL_ATTR_ALGORITHM = "algorithm";
+ public static final String SSL_ATTR_CLIENT_AUTH = "clientAuth";
+ public static final String SSL_ATTR_KEYSTORE_FILE = "keystoreFile";
+ public static final String SSL_ATTR_KEYSTORE_PASS = "keystorePass";
+ public static final String SSL_ATTR_KEYSTORE_TYPE = "keystoreType";
+ public static final String SSL_ATTR_KEYSTORE_PROVIDER = "keystoreProvider";
+ public static final String SSL_ATTR_SSL_PROTOCOL = "sslProtocol";
+ public static final String SSL_ATTR_CIPHERS = "ciphers";
+ public static final String SSL_ATTR_CIPHERS_ARRAY = "ciphersArray";
+ public static final String SSL_ATTR_KEY_ALIAS = "keyAlias";
+ public static final String SSL_ATTR_KEY_PASS = "keyPass";
+ public static final String SSL_ATTR_TRUSTSTORE_FILE = "truststoreFile";
+ public static final String SSL_ATTR_TRUSTSTORE_PASS = "truststorePass";
+ public static final String SSL_ATTR_TRUSTSTORE_TYPE = "truststoreType";
+ public static final String SSL_ATTR_TRUSTSTORE_PROVIDER =
+ "truststoreProvider";
+ public static final String SSL_ATTR_TRUSTSTORE_ALGORITHM =
+ "truststoreAlgorithm";
+ public static final String SSL_ATTR_CRL_FILE =
+ "crlFile";
+ public static final String SSL_ATTR_TRUST_MAX_CERT_LENGTH =
+ "trustMaxCertLength";
+ public static final String SSL_ATTR_SESSION_CACHE_SIZE =
+ "sessionCacheSize";
+ public static final String SSL_ATTR_SESSION_TIMEOUT =
+ "sessionTimeout";
+ public static final String SSL_ATTR_ALLOW_UNSAFE_RENEG =
+ "allowUnsafeLegacyRenegotiation";
+
// ----------------------------------------------------------------- Fields
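Review bot: The new `SSL_ATTR_*` constants carry no comment saying what they key, which matters because two naming schemes now coexist: `SSL_ATTR_SESSION_TIMEOUT` is the string `"sessionTimeout"` while the endpoint property and the documented connector attribute are `sessionCacheTimeout`, and `SSL_ATTR_CIPHERS_ARRAY` is neither set nor read anywhere in this commit. A header comment such as `// Keys under which an endpoint hands its SSL settings to ServerSocketFactory.setAttribute(); JSSESocketFactory reads them back via the same constants. They are factory-internal and need not match connector attribute names.` would keep the next reader from "fixing" the mismatch on one side only. The enclosing class continues past this hunk.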
@@ -414,36 +447,11 @@
public String defaultIfNull(String val, String defaultValue) {
if (val==null) return defaultValue;
- else return val;
+ return val;
}
+
// -------------------- SSL related properties --------------------
- private String truststoreFile =
System.getProperty("javax.net.ssl.trustStore");
- public void setTruststoreFile(String s) {
- s = adjustRelativePath(s,System.getProperty("catalina.base"));
- this.truststoreFile = s;
- }
- public String getTruststoreFile() {return truststoreFile;}
- private String truststorePass =
System.getProperty("javax.net.ssl.trustStorePassword");
- public void setTruststorePass(String truststorePass) {this.truststorePass
= truststorePass;}
- public String getTruststorePass() {return truststorePass;}
- private String truststoreType =
System.getProperty("javax.net.ssl.trustStoreType");
- public void setTruststoreType(String truststoreType) {this.truststoreType
= truststoreType;}
- public String getTruststoreType() {return truststoreType;}
- private String keystoreFile = System.getProperty("user.home")+"/.keystore";
- public String getKeystoreFile() { return keystoreFile;}
- public void setKeystoreFile(String s ) {
- s = adjustRelativePath(s,System.getProperty("catalina.base"));
- this.keystoreFile = s;
- }
- public void setKeystore(String s ) { setKeystoreFile(s);}
- public String getKeystore() { return getKeystoreFile();}
-
- private String keyAlias = null;
- public String getKeyAlias() { return keyAlias;}
- public void setKeyAlias(String s ) { keyAlias = s;}
-
-
private String algorithm = "SunX509";
public String getAlgorithm() { return algorithm;}
public void setAlgorithm(String s ) { this.algorithm = s;}
@@ -452,7 +460,14 @@
public String getClientAuth() { return clientAuth;}
public void setClientAuth(String s ) { this.clientAuth = s;}
- private String keystorePass = "changeit";
+ private String keystoreFile = System.getProperty("user.home")+"/.keystore";
+ public String getKeystoreFile() { return keystoreFile;}
+ public void setKeystoreFile(String s ) {
+ String file =
adjustRelativePath(s,System.getProperty("catalina.base"));
+ this.keystoreFile = file;
+ }
+
+ private String keystorePass = null;
public String getKeystorePass() { return keystorePass;}
public void setKeystorePass(String s ) { this.keystorePass = s;}
@@ -460,20 +475,16 @@
public String getKeystoreType() { return keystoreType;}
public void setKeystoreType(String s ) { this.keystoreType = s;}
+ private String keystoreProvider = null;
+ public String getKeystoreProvider() { return keystoreProvider;}
+ public void setKeystoreProvider(String s ) { this.keystoreProvider = s;}
+
private String sslProtocol = "TLS";
public String getSslProtocol() { return sslProtocol;}
public void setSslProtocol(String s) { sslProtocol = s;}
- private String sslEnabledProtocols=null; //"TLSv1,SSLv3,SSLv2Hello"
- private String[] sslEnabledProtocolsarr = new String[0];
- public String[] getSslEnabledProtocolsArray() { return
this.sslEnabledProtocolsarr;}
- public void setSslEnabledProtocols(String s) {
- this.sslEnabledProtocols = s;
- StringTokenizer t = new StringTokenizer(s,",");
- sslEnabledProtocolsarr = new String[t.countTokens()];
- for (int i=0; i<sslEnabledProtocolsarr.length; i++ )
sslEnabledProtocolsarr[i] = t.nextToken();
- }
-
+ // Note: Some implementations use the comma separated string, some use
+ // the array
private String ciphers = null;
private String[] ciphersarr = new String[0];
public String[] getCiphersArray() { return this.ciphersarr;}
@@ -488,15 +499,86 @@
}
}
- private int sessionCacheSize = 0;
- public int getSessionCacheSize() { return sessionCacheSize;}
- public void setSessionCacheSize(int i) { sessionCacheSize = i;}
-
- private int sessionCacheTimeout = 86400;
- public int getSessionCacheTimeout() { return sessionCacheTimeout;}
- public void setSessionCacheTimeout(int i) { sessionCacheTimeout = i;}
+ private String keyAlias = null;
+ public String getKeyAlias() { return keyAlias;}
+ public void setKeyAlias(String s ) { keyAlias = s;}
+
+ private String keyPass = "changeit";
+ public String getKeyPass() { return keyPass;}
+ public void setKeyPass(String s ) { this.keyPass = s;}
+ private String truststoreFile =
System.getProperty("javax.net.ssl.trustStore");
+ public String getTruststoreFile() {return truststoreFile;}
+ public void setTruststoreFile(String s) {
+ String file =
adjustRelativePath(s,System.getProperty("catalina.base"));
+ this.truststoreFile = file;
+ }
+ private String truststorePass =
+ System.getProperty("javax.net.ssl.trustStorePassword");
+ public String getTruststorePass() {return truststorePass;}
+ public void setTruststorePass(String truststorePass) {
+ this.truststorePass = truststorePass;
+ }
+ private String truststoreType =
+ System.getProperty("javax.net.ssl.trustStoreType");
+ public String getTruststoreType() {return truststoreType;}
+ public void setTruststoreType(String truststoreType) {
+ this.truststoreType = truststoreType;
+ }
+
+ private String truststoreProvider = null;
+ public String getTruststoreProvider() {return truststoreProvider;}
+ public void setTruststoreProvider(String truststoreProvider) {
+ this.truststoreProvider = truststoreProvider;
+ }
+
+ private String truststoreAlgorithm = null;
+ public String getTruststoreAlgorithm() {return truststoreAlgorithm;}
+ public void setTruststoreAlgorithm(String truststoreAlgorithm) {
+ this.truststoreAlgorithm = truststoreAlgorithm;
+ }
+
+ private String crlFile = null;
+ public String getCrlFile() {return crlFile;}
+ public void setCrlFile(String crlFile) {
+ this.crlFile = crlFile;
+ }
+
+ private String trustMaxCertLength = null;
+ public String getTrustMaxCertLength() {return trustMaxCertLength;}
+ public void setTrustMaxCertLength(String trustMaxCertLength) {
+ this.trustMaxCertLength = trustMaxCertLength;
+ }
+
+ private String sessionCacheSize = null;
+ public String getSessionCacheSize() { return sessionCacheSize;}
+ public void setSessionCacheSize(String s) { sessionCacheSize = s;}
+
+ private String sessionCacheTimeout = "86400";
+ public String getSessionCacheTimeout() { return sessionCacheTimeout;}
+ public void setSessionCacheTimeout(String s) { sessionCacheTimeout = s;}
+
+ private String allowUnsafeLegacyRenegotiation = null;
+ public String getAllowUnsafeLegacyRenegotiation() {
+ return allowUnsafeLegacyRenegotiation;
+ }
+ public void setAllowUnsafeLegacyRenegotiation(String s) {
+ allowUnsafeLegacyRenegotiation = s;
+ }
+
+
+
+ private String sslEnabledProtocols=null; //"TLSv1,SSLv3,SSLv2Hello"
+ private String[] sslEnabledProtocolsarr = new String[0];
+ public String[] getSslEnabledProtocolsArray() { return
this.sslEnabledProtocolsarr;}
+ public void setSslEnabledProtocols(String s) {
+ this.sslEnabledProtocols = s;
+ StringTokenizer t = new StringTokenizer(s,",");
+ sslEnabledProtocolsarr = new String[t.countTokens()];
+ for (int i=0; i<sslEnabledProtocolsarr.length; i++ )
sslEnabledProtocolsarr[i] = t.nextToken();
+ }
+
}
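Review bot: `setCrlFile` stores the path as given, whereas `setKeystoreFile` and `setTruststoreFile` in the same hunk run their value through `adjustRelativePath(..., catalina.base)`, so a relative `crlFile` in server.xml would be resolved against the JVM's working directory rather than `catalina.base` (assuming the factory opens the path unchanged; its CRL loading is outside this diff). Make it consistent: `this.crlFile = adjustRelativePath(crlFile, System.getProperty("catalina.base"));`. Separately, `keyPass` keeps the hard-coded `"changeit"` default while `keystorePass` now defaults to null; a one-line comment on `keyPass` noting that JSSESocketFactory falls back to it when `keystorePass` is unset would explain the asymmetry to the next reader.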
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java Thu Nov 19
18:00:09 2009
@@ -62,7 +62,7 @@
// ------------------------------------------------------------- Properties
/**
- * Generic properties - currently only socket.XXX properties
+ * Generic properties - currently only socket.xxx properties
*/
@Override
public boolean setProperty(String name, String value) {
@@ -70,10 +70,9 @@
try {
if (name.startsWith(socketName)) {
return IntrospectionUtils.setProperty(socketProperties,
name.substring(socketName.length()), value);
- } else {
- return IntrospectionUtils.setProperty(this,name,value);
}
- }catch ( Exception x ) {
+ return IntrospectionUtils.setProperty(this,name,value);
+ } catch ( Exception x ) {
log.error("Unable to set attribute \""+name+"\" to
\""+value+"\"",x);
return false;
}
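Review bot: The error path logs the attribute value verbatim (`"Unable to set attribute \"" + name + "\" to \"" + value + "\""`), and this endpoint now owns `keystorePass`, `truststorePass` and `keyPass`, so a failed set of one of those (a mistyped name, a reflection failure) writes the password into the log; whether password attributes reach this method rather than the protocol's typed setters depends on code outside the hunk. Redact by name before logging: `String shown = name.endsWith("Pass") ? "<redacted>" : value;` and use `shown` in the message. The method starts before this hunk.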
@@ -85,16 +84,6 @@
protected int acceptorThreadCount = 0;
public void setAcceptorThreadCount(int acceptorThreadCount) {
this.acceptorThreadCount = acceptorThreadCount; }
public int getAcceptorThreadCount() { return acceptorThreadCount; }
-
- /**
- * Priority of the acceptor and poller threads.
- */
- protected int threadPriority = Thread.NORM_PRIORITY;
- @Override
- public void setThreadPriority(int threadPriority) { this.threadPriority =
threadPriority; }
- @Override
- public int getThreadPriority() { return threadPriority; }
-
/**
* Handling of accepted sockets.
@@ -211,6 +200,7 @@
try {
socket.getSocket().close();
} catch (IOException e) {
+ // Ignore
}
} else {
//keepalive connection
@@ -226,6 +216,7 @@
// -------------------- Public methods --------------------
+ @Override
public void init()
throws Exception {
@@ -239,6 +230,49 @@
if (serverSocketFactory == null) {
serverSocketFactory = ServerSocketFactory.getDefault();
}
+ if (isSSLEnabled()) {
+ serverSocketFactory.setAttribute(SSL_ATTR_ALGORITHM,
+ getAlgorithm());
+ serverSocketFactory.setAttribute(SSL_ATTR_CLIENT_AUTH,
+ getClientAuth());
+ serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_FILE,
+ getKeystoreFile());
+ serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_PASS,
+ getKeystorePass());
+ serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_TYPE,
+ getKeystoreType());
+ serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_PROVIDER,
+ getKeystoreProvider());
+ serverSocketFactory.setAttribute(SSL_ATTR_SSL_PROTOCOL,
+ getSslProtocol());
+ serverSocketFactory.setAttribute(SSL_ATTR_CIPHERS,
+ getCiphers());
+ serverSocketFactory.setAttribute(SSL_ATTR_KEY_ALIAS,
+ getKeyAlias());
+ serverSocketFactory.setAttribute(SSL_ATTR_KEY_PASS,
+ getKeyPass());
+ serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_FILE,
+ getTruststoreFile());
+ serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_PASS,
+ getTruststorePass());
+ serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_TYPE,
+ getTruststoreType());
+ serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_PROVIDER,
+ getTruststoreProvider());
+ serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_ALGORITHM,
+ getTruststoreAlgorithm());
+ serverSocketFactory.setAttribute(SSL_ATTR_CRL_FILE,
+ getCrlFile());
+ serverSocketFactory.setAttribute(SSL_ATTR_TRUST_MAX_CERT_LENGTH,
+ getTrustMaxCertLength());
+ serverSocketFactory.setAttribute(SSL_ATTR_SESSION_CACHE_SIZE,
+ getSessionCacheSize());
+ serverSocketFactory.setAttribute(SSL_ATTR_SESSION_TIMEOUT,
+ getSessionCacheTimeout());
+ serverSocketFactory.setAttribute(SSL_ATTR_ALLOW_UNSAFE_RENEG,
+ getAllowUnsafeLegacyRenegotiation());
+ }
+
if (serverSocket == null) {
try {
if (getAddress() == null) {
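Review bot: When `isSSLEnabled()` is true but no `serverSocketFactory` was injected, the lines just above this block substitute `ServerSocketFactory.getDefault()` and the SSL attributes are then pushed onto that default; unless that default is the JSSE factory (where it is created is not visible here), the attributes are ignored and the connector comes up as a plaintext listener on the port configured for SSL. Consider failing fast before the fallback, e.g. `if (isSSLEnabled() && serverSocketFactory == null) throw new IllegalStateException("SSL enabled but no SSL-capable ServerSocketFactory configured");`, or a comment stating which factory `getDefault()` returns when SSL is on. Note also that neither this list nor the JSSESocketFactory hunks below carry `sslEnabledProtocols`, so that endpoint property appears to have no effect on the BIO connector in this revision; a `TODO` would save a debugging round if that is deliberate for the follow-up commit. `init()` begins before this hunk.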
@@ -265,8 +299,8 @@
}
- public void start()
- throws Exception {
+ @Override
+ public void start() throws Exception {
// Initialize socket if not done before
if (!initialized) {
init();
@@ -290,6 +324,7 @@
}
}
+ @Override
public void pause() {
if (running && !paused) {
paused = true;
@@ -297,6 +332,7 @@
}
}
+ @Override
public void resume() {
if (running) {
paused = false;
@@ -314,6 +350,7 @@
/**
* Deallocate APR memory pools, and close server socket.
*/
+ @Override
public void destroy() throws Exception {
if (running) {
stop();
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu Nov 19
18:00:09 2009
@@ -530,8 +530,14 @@
SSLSessionContext sessionContext =
sslContext.getServerSessionContext();
if (sessionContext != null) {
- sessionContext.setSessionCacheSize(getSessionCacheSize());
- sessionContext.setSessionTimeout(getSessionCacheTimeout());
+ if (getSessionCacheSize() != null) {
+ sessionContext.setSessionCacheSize(
+ Integer.parseInt(getSessionCacheSize()));
+ }
+ if (getSessionCacheTimeout() != null) {
+ sessionContext.setSessionTimeout(
+ Integer.parseInt(getSessionCacheTimeout()));
+ }
}
}
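Review bot: `Integer.parseInt` is applied to the raw `sessionCacheSize` and `sessionCacheTimeout` strings with no handling, so a non-numeric value in server.xml now fails at endpoint init with a bare `NumberFormatException` whose message is only the offending text, while the previous `int` properties presumably could not receive such a value at all. Wrapping each parse in a small helper that rethrows `IllegalArgumentException` naming the attribute keeps the fail-fast behaviour while telling the operator which setting is wrong. The enclosing method begins and ends outside this hunk.
```java
if (sessionContext != null) {
    if (getSessionCacheSize() != null) {
        sessionContext.setSessionCacheSize(
                parseSslInt("sessionCacheSize", getSessionCacheSize()));
    }
    if (getSessionCacheTimeout() != null) {
        sessionContext.setSessionTimeout(
                parseSslInt("sessionCacheTimeout", getSessionCacheTimeout()));
    }
}
// … unchanged: rest of the SSL context setup …

// Parses an SSL attribute value, naming the attribute on failure.
private static int parseSslInt(String attribute, String value) {
    try {
        return Integer.parseInt(value);
    } catch (NumberFormatException e) {
        throw new IllegalArgumentException(
                "Invalid value \"" + value + "\" for " + attribute, e);
    }
}
```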
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Thu Nov 19 18:00:09 2009
@@ -58,6 +58,7 @@
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.res.StringManager;
/*
@@ -276,11 +277,13 @@
* Gets the SSL server's keystore password.
*/
protected String getKeystorePassword() {
- String keyPass = (String)attributes.get("keypass");
+ String keyPass = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_KEY_PASS);
if (keyPass == null) {
keyPass = defaultKeyPass;
}
- String keystorePass = (String)attributes.get("keystorePass");
+ String keystorePass = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_KEYSTORE_PASS);
if (keystorePass == null) {
keystorePass = keyPass;
}
@@ -293,7 +296,8 @@
protected KeyStore getKeystore(String type, String provider, String pass)
throws IOException {
- String keystoreFile = (String)attributes.get("keystore");
+ String keystoreFile = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_KEYSTORE_FILE);
if (keystoreFile == null)
keystoreFile = defaultKeystoreFile;
@@ -307,7 +311,8 @@
String keystoreProvider) throws IOException {
KeyStore trustStore = null;
- String truststoreFile = (String)attributes.get("truststoreFile");
+ String truststoreFile = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_TRUSTSTORE_FILE);
if(truststoreFile == null) {
truststoreFile = System.getProperty("javax.net.ssl.trustStore");
}
@@ -315,7 +320,8 @@
log.debug("Truststore = " + truststoreFile);
}
- String truststorePassword = (String)attributes.get("truststorePass");
+ String truststorePassword = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_TRUSTSTORE_PASS);
if( truststorePassword == null) {
truststorePassword =
System.getProperty("javax.net.ssl.trustStorePassword");
@@ -327,7 +333,8 @@
log.debug("TrustPass = " + truststorePassword);
}
- String truststoreType = (String)attributes.get("truststoreType");
+ String truststoreType = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_TRUSTSTORE_TYPE);
if( truststoreType == null) {
truststoreType =
System.getProperty("javax.net.ssl.trustStoreType");
}
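Review bot: `log.debug("TrustPass = " + truststorePassword);`, kept as context in this hunk, writes the truststore password to the log whenever debug logging is enabled for this class, and the attribute rename leaves it in place. Log only whether a password was supplied: `log.debug("TrustPass = " + (truststorePassword == null ? "<none>" : "<set>"));`. The enclosing method continues outside the hunk.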
@@ -339,7 +346,8 @@
}
String truststoreProvider =
- (String)attributes.get("truststoreProvider");
+ (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_TRUSTSTORE_PROVIDER);
if( truststoreProvider == null) {
truststoreProvider =
System.getProperty("javax.net.ssl.trustStoreProvider");
@@ -416,7 +424,8 @@
void init() throws IOException {
try {
- String clientAuthStr = (String) attributes.get("clientauth");
+ String clientAuthStr = (String) attributes.get(
+ AbstractEndpoint.SSL_ATTR_CLIENT_AUTH);
if("true".equalsIgnoreCase(clientAuthStr) ||
"yes".equalsIgnoreCase(clientAuthStr)) {
requireClientAuth = true;
@@ -425,27 +434,32 @@
}
// SSL protocol variant (e.g., TLS, SSL v3, etc.)
- String protocol = (String) attributes.get("protocol");
+ String protocol = (String) attributes.get(
+ AbstractEndpoint.SSL_ATTR_SSL_PROTOCOL);
if (protocol == null) {
protocol = defaultProtocol;
}
// Certificate encoding algorithm (e.g., SunX509)
- String algorithm = (String) attributes.get("algorithm");
+ String algorithm = (String) attributes.get(
+ AbstractEndpoint.SSL_ATTR_ALGORITHM);
if (algorithm == null) {
algorithm = KeyManagerFactory.getDefaultAlgorithm();
}
- String keystoreType = (String) attributes.get("keystoreType");
+ String keystoreType = (String) attributes.get(
+ AbstractEndpoint.SSL_ATTR_KEYSTORE_TYPE);
if (keystoreType == null) {
keystoreType = defaultKeystoreType;
}
String keystoreProvider =
- (String) attributes.get("keystoreProvider");
+ (String) attributes.get(
+ AbstractEndpoint.SSL_ATTR_KEYSTORE_PROVIDER);
String trustAlgorithm =
- (String)attributes.get("truststoreAlgorithm");
+ (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_TRUSTSTORE_ALGORITHM);
if( trustAlgorithm == null ) {
trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
}
@@ -453,24 +467,28 @@
// Create and init SSLContext
SSLContext context = SSLContext.getInstance(protocol);
context.init(getKeyManagers(keystoreType, keystoreProvider,
- algorithm,
- (String) attributes.get("keyAlias")),
- getTrustManagers(keystoreType, keystoreProvider,
- trustAlgorithm),
- new SecureRandom());
+ algorithm,
+ (String)
attributes.get(AbstractEndpoint.SSL_ATTR_KEY_ALIAS)),
+ getTrustManagers(keystoreType, keystoreProvider,
+ trustAlgorithm),
+ new SecureRandom());
// Configure SSL session cache
int sessionCacheSize;
- if (attributes.get("sessionCacheSize") != null) {
+ if (attributes.get(
+ AbstractEndpoint.SSL_ATTR_SESSION_CACHE_SIZE) != null) {
sessionCacheSize = Integer.parseInt(
- (String)attributes.get("sessionCacheSize"));
+ (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_SESSION_CACHE_SIZE));
} else {
sessionCacheSize = defaultSessionCacheSize;
}
int sessionCacheTimeout;
- if (attributes.get("sessionCacheTimeout") != null) {
+ if (attributes.get(
+ AbstractEndpoint.SSL_ATTR_SESSION_TIMEOUT) != null) {
sessionCacheTimeout = Integer.parseInt(
- (String)attributes.get("sessionCacheTimeout"));
+ (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_SESSION_TIMEOUT));
} else {
sessionCacheTimeout = defaultSessionTimeout;
}
@@ -485,13 +503,14 @@
sslProxy = context.getServerSocketFactory();
// Determine which cipher suites to enable
- String requestedCiphers = (String)attributes.get("ciphers");
- enabledCiphers =
- getEnabledCiphers(requestedCiphers,
- sslProxy.getSupportedCipherSuites());
+ String requestedCiphers = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_CIPHERS);
+ enabledCiphers = getEnabledCiphers(requestedCiphers,
+ sslProxy.getSupportedCipherSuites());
allowUnsafeLegacyRenegotiation =
-
"true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
+ "true".equals(attributes.get(
+ AbstractEndpoint.SSL_ATTR_ALLOW_UNSAFE_RENEG));
// Check the SSL config is OK
checkConfig();
@@ -545,7 +564,8 @@
protected TrustManager[] getTrustManagers(String keystoreType,
String keystoreProvider, String algorithm)
throws Exception {
- String crlf = (String) attributes.get("crlFile");
+ String crlf = (String) attributes.get(
+ AbstractEndpoint.SSL_ATTR_CRL_FILE);
TrustManager[] tms = null;
@@ -593,7 +613,8 @@
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
- String trustLength = (String)attributes.get("trustMaxCertLength");
+ String trustLength = (String)attributes.get(
+ AbstractEndpoint.SSL_ATTR_TRUST_MAX_CERT_LENGTH);
if(trustLength != null) {
try {
xparams.setMaxPathLength(Integer.parseInt(trustLength));
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Nov 19 18:00:09 2009
@@ -714,8 +714,8 @@
</attribute>
<attribute name="keystorePass" required="false">
- <p>The password used to access the server certificate from the
- specified keystore file. The default value is "<code>changeit</code>".
+ <p>The password used to access the specified keystore file. The default
+ value is the value of the <code>keyPass</code> attribute.
</p>
</attribute>
@@ -750,6 +750,12 @@
specified the first key read in the keystore will be used.</p>
</attribute>
+ <attribute name="keyPass" required="false">
+ <p>The password used to access the server certificate from the
+ specified keystore file. The default value is "<code>changeit</code>".
+ </p>
+ </attribute>
+
<attribute name="truststoreFile" required="false">
<p>The TrustStore file to use to validate client certificates.</p>
</attribute>
@@ -772,6 +778,25 @@
</p>
</attribute>
+ <attribute name="truststoreAlgorithm" required="false">
+ <p>The algorithm to use for truststore. If not specified, the default
+ value returned by
+ <code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code> is
+ used.</p>
+ </attribute>
+
+ <attribute name="crlFile" required="false">
+ <p>The certificate revocation list to be used to verify client
+ certificates. If not defined, client certificates will not be checked
+ against a certificate revocation list.</p>
+ </attribute>
+
+ <attribute name="trustMaxCertLength" required="false">
+ <p>The maximum number of intermediate certificates that will be allowed
+ when validating client certificates. If not specified, the default value
+ of 5 will be used.</p>
+ </attribute>
+
<attribute name="sessionCacheSize" required="false">
<p>The number of SSL sessions to maintain in the session cache. Use 0 to
specify an unlimited cache size. If not specified, a default of 0 is
@@ -784,11 +809,6 @@
default of 86400 (24 hours) is used.</p>
</attribute>
- <attribute name="crlFile" required="false">
- <p>The certificate revocation list file to use to validate client
- certificates.</p>
- </attribute>
-
<attribute name="allowUnsafeLegacyRenegotiation" required="false">
<p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS