Author: markt Date: Tue Apr 14 11:07:41 2015 New Revision: 1673408 URL: http://svn.apache.org/r1673408 Log: Move SSLProtocols config to common property for JSSE and APR/native
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Tue Apr 14 11:07:41 2015 @@ -37,6 +37,7 @@ import org.apache.coyote.http11.upgrade. import org.apache.coyote.http11.upgrade.UpgradeProcessorExternal; import org.apache.coyote.http11.upgrade.UpgradeProcessorInternal; import org.apache.tomcat.util.net.AbstractEndpoint; +import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SocketWrapperBase; public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> { 
@@ -323,6 +324,29 @@ public abstract class AbstractHttp11Prot } + // ----------------------------------------------- HTTPS specific properties + // -------------------------------------------- Handled via an SSLHostConfig + + private SSLHostConfig defaultSSLHostConfig = null; + private void registerDefaultSSLHostConfig() { + if (defaultSSLHostConfig == null) { + defaultSSLHostConfig = new SSLHostConfig(); + defaultSSLHostConfig.setHostName(SSLHostConfig.DEFAULT_SSL_HOST_NAME); + getEndpoint().addHostConfig(defaultSSLHostConfig); + } + } + + + public void setSslEnabledProtocols(String enabledProtocols) { + registerDefaultSSLHostConfig(); + defaultSSLHostConfig.setProtocols(enabledProtocols); + } + public void setSSLProtocol(String sslProtocol) { + registerDefaultSSLHostConfig(); + defaultSSLHostConfig.setProtocols(sslProtocol); + } + + // ------------------------------------------------------------- Common code // Common configuration required for all new HTTP11 processors Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue Apr 14 11:07:41 2015 
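Review bot: `setSslEnabledProtocols` and `setSSLProtocol` both forward to `SSLHostConfig.setProtocols`, which (per the SSLHostConfig hunk) adds to a `HashSet` and never clears it, so a connector that sets both attributes, or a setter that runs twice, ends up with the union of the values rather than the last one written. Neither setter has a matching getter here, and the Http11AprProtocol hunk removes `getSSLProtocol()` without a replacement, so the effective protocol set can no longer be read back through the protocol handler (JMX or tests); unless a getter exists elsewhere, add one that returns `defaultSSLHostConfig.getSslProtocols()` after `registerDefaultSSLHostConfig()`. If the union semantics are deliberate, say so in a comment on the two setters, e.g. `// Both attributes contribute to the same protocol set; values accumulate.`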
@@ -70,14 +70,8 @@ public class Http11AprProtocol extends A public boolean getDeferAccept() { return ((AprEndpoint)getEndpoint()).getDeferAccept(); } public void setDeferAccept(boolean deferAccept) { ((AprEndpoint)getEndpoint()).setDeferAccept(deferAccept); } - // -------------------- SSL related properties -------------------- - - /** - * SSL protocol. - */ - public String getSSLProtocol() { return ((AprEndpoint)getEndpoint()).getSSLProtocol(); } - public void setSSLProtocol(String SSLProtocol) { ((AprEndpoint)getEndpoint()).setSSLProtocol(SSLProtocol); } + // -------------------- SSL related properties -------------------- /** * SSL password (if a cert is encrypted, and no password has been provided, a callback Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Tue Apr 14 11:07:41 2015 @@ -25,6 +25,7 @@ import java.util.Collections; import java.util.HashMap; import java.util.Iterator; import java.util.List; +import java.util.Map; import java.util.Set; import java.util.StringTokenizer; import java.util.concurrent.ConcurrentHashMap; 
@@ -214,6 +215,21 @@ public abstract class AbstractEndpoint<S // ----------------------------------------------------------------- Properties + protected Map<String,SSLHostConfig> sslHostConfigs = new ConcurrentHashMap<>(); + public void addHostConfig(SSLHostConfig sslHostConfig) { + String key = sslHostConfig.getHostName(); + if (key == null || key.length() == 0) { + // TODO i18n + throw new IllegalArgumentException(); + } + SSLHostConfig duplicate = sslHostConfigs.put(key, sslHostConfig); + if (duplicate != null) { + // TODO i18n + throw new IllegalArgumentException(); + } + } + + /** * Has the user requested that send file be used where possible? */ @@ -226,8 +242,6 @@ public abstract class AbstractEndpoint<S } - - /** * Time to wait for the internal executor (if used) to terminate when the * endpoint is stopped in milliseconds. Defaults to 5000 (5 seconds). Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Tue Apr 14 11:07:41 2015 
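Review bot: The duplicate check in `addHostConfig` runs after `sslHostConfigs.put(key, sslHostConfig)` has already replaced the earlier entry, so the map keeps the second config while the caller is told it was rejected. Use the atomic form instead: `if (sslHostConfigs.putIfAbsent(key, sslHostConfig) != null) { throw new IllegalArgumentException(...); }`. Even before the i18n TODO is resolved the two exceptions should carry the offending host name, e.g. `new IllegalArgumentException("Duplicate SSLHostConfig for host name [" + key + "]")`, otherwise a misconfigured `<SSLHostConfig>` fails start-up with no diagnostic. The new `sslHostConfigs` field is never reassigned and can be `final`.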
@@ -42,19 +42,20 @@ public abstract class AbstractJsseEndpoi if (isSSLEnabled()) { sslImplementation = SSLImplementation.getInstance(getSslImplementationName()); - // TODO: Create multiple SSLContexts based on SSLHostConfig(s) - SSLUtil sslUtil = sslImplementation.getSSLUtil(this); - SSLContext sslContext = sslUtil.createSSLContext(); - sslContext.init(wrap(sslUtil.getKeyManagers()), - sslUtil.getTrustManagers(), null); + for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) { + SSLUtil sslUtil = sslImplementation.getSSLUtil(this, sslHostConfig); + SSLContext sslContext = sslUtil.createSSLContext(); + sslContext.init(wrap(sslUtil.getKeyManagers()), + sslUtil.getTrustManagers(), null); - SSLSessionContext sessionContext = - sslContext.getServerSessionContext(); - if (sessionContext != null) { - sslUtil.configureSessionContext(sessionContext); + SSLSessionContext sessionContext = + sslContext.getServerSessionContext(); + if (sessionContext != null) { + sslUtil.configureSessionContext(sessionContext); + } + SSLContextWrapper sslContextWrapper = new SSLContextWrapper(sslContext, sslUtil); + sslContexts.put(sslHostConfig.getHostName(), sslContextWrapper); } - SSLContextWrapper sslContextWrapper = new SSLContextWrapper(sslContext, sslUtil); - sslContexts.put(SSLHostConfig.DEFAULT_SSL_HOST_NAME, sslContextWrapper); } } Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue Apr 14 11:07:41 2015 
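Review bot: The loop only builds an `SSLContext` for entries in `sslHostConfigs`, but nothing in this diff registers the default `SSLHostConfig` unless `setSslEnabledProtocols` or `setSSLProtocol` is called on the protocol handler (registration in AbstractHttp11Protocol is lazy inside those setters). A connector with `SSLEnabled="true"` and neither attribute would therefore start with `sslContexts` empty and no TLS context at all, unless a default host config is registered somewhere outside this diff. After the loop, guard the invariant the rest of the code relies on, e.g. `if (!sslContexts.containsKey(SSLHostConfig.DEFAULT_SSL_HOST_NAME)) { throw new IllegalArgumentException("No default SSLHostConfig"); }` (i18n as appropriate). The same gap exists in the AprEndpoint hunk, where the `SSLCertificateFile == null` check has also moved inside the loop and is skipped along with everything else when the map is empty. The enclosing method continues outside the hunk.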
@@ -199,14 +199,6 @@ public class AprEndpoint extends Abstrac /** - * SSL protocols. - */ - protected String SSLProtocol = "all"; - public String getSSLProtocol() { return SSLProtocol; } - public void setSSLProtocol(String SSLProtocol) { this.SSLProtocol = SSLProtocol; } - - - /** * SSL password (if a cert is encrypted, and no password has been provided, a callback * will ask for a password). */ 
@@ -486,151 +478,159 @@ public class AprEndpoint extends Abstrac // Initialize SSL if needed if (isSSLEnabled()) { - if (SSLCertificateFile == null) { - // This is required - throw new Exception(sm.getString("endpoint.apr.noSslCertFile")); - } + for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) { - // SSL protocol - int value = SSL.SSL_PROTOCOL_NONE; - if (SSLProtocol == null || SSLProtocol.length() == 0) { - value = SSL.SSL_PROTOCOL_ALL; - } else { - for (String protocol : SSLProtocol.split("\\+")) { - protocol = protocol.trim(); - if ("SSLv2".equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_SSLV2; - } else if ("SSLv3".equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_SSLV3; - } else if ("TLSv1".equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_TLSV1; - } else if ("TLSv1.1".equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_TLSV1_1; - } else if ("TLSv1.2".equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_TLSV1_2; - } else if ("all".equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_ALL; - } else { - // Protocol not recognized, fail to start as it is safer than - // continuing with the default which might enable more than the - // is required - throw new Exception(sm.getString( - "endpoint.apr.invalidSslProtocol", SSLProtocol)); + // TODO: No SNI support in APR/native so only process the + // default host. 
+ if (!SSLHostConfig.DEFAULT_SSL_HOST_NAME.equals(sslHostConfig.getHostName())) { + continue; + } + + if (SSLCertificateFile == null) { + // This is required + throw new Exception(sm.getString("endpoint.apr.noSslCertFile")); + } + + // SSL protocol + int value = SSL.SSL_PROTOCOL_NONE; + if (sslHostConfig.getSslProtocols().size() == 0) { + value = SSL.SSL_PROTOCOL_ALL; + } else { + for (String protocol : sslHostConfig.getSslProtocols()) { + if ("SSLv2".equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_SSLV2; + } else if ("SSLv3".equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_SSLV3; + } else if ("TLSv1".equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1; + } else if ("TLSv1.1".equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_1; + } else if ("TLSv1.2".equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_2; + } else if ("all".equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_ALL; + } else { + // Protocol not recognized, fail to start as it is safer than + // continuing with the default which might enable more than the + // is required + throw new Exception(sm.getString( + "endpoint.apr.invalidSslProtocol", protocol)); + } } } - } - // Create SSL Context - try { - sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER); - } catch (Exception e) { - // If the sslEngine is disabled on the AprLifecycleListener - // there will be an Exception here but there is no way to check - // the AprLifecycleListener settings from here - throw new Exception( - sm.getString("endpoint.apr.failSslContextMake"), e); - } - - if (SSLInsecureRenegotiation) { - boolean legacyRenegSupported = false; + // Create SSL Context try { - legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); - if (legacyRenegSupported) - SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!legacyRenegSupported) { - // OpenSSL does 
not support unsafe legacy renegotiation. - log.warn(sm.getString("endpoint.warn.noInsecureReneg", - SSL.versionString())); + sslContext = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER); + } catch (Exception e) { + // If the sslEngine is disabled on the AprLifecycleListener + // there will be an Exception here but there is no way to check + // the AprLifecycleListener settings from here + throw new Exception( + sm.getString("endpoint.apr.failSslContextMake"), e); + } + + if (SSLInsecureRenegotiation) { + boolean legacyRenegSupported = false; + try { + legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + if (legacyRenegSupported) + SSLContext.setOptions(sslContext, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + } catch (UnsatisfiedLinkError e) { + // Ignore + } + if (!legacyRenegSupported) { + // OpenSSL does not support unsafe legacy renegotiation. + log.warn(sm.getString("endpoint.warn.noInsecureReneg", + SSL.versionString())); + } } - } - // Set cipher order: client (default) or server - if (SSLHonorCipherOrder) { - boolean orderCiphersSupported = false; - try { - orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - if (orderCiphersSupported) - SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!orderCiphersSupported) { - // OpenSSL does not support ciphers ordering. - log.warn(sm.getString("endpoint.warn.noHonorCipherOrder", - SSL.versionString())); + // Set cipher order: client (default) or server + if (SSLHonorCipherOrder) { + boolean orderCiphersSupported = false; + try { + orderCiphersSupported = SSL.hasOp(SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + if (orderCiphersSupported) + SSLContext.setOptions(sslContext, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + } catch (UnsatisfiedLinkError e) { + // Ignore + } + if (!orderCiphersSupported) { + // OpenSSL does not support ciphers ordering. 
+ log.warn(sm.getString("endpoint.warn.noHonorCipherOrder", + SSL.versionString())); + } } - } - // Disable compression if requested - if (SSLDisableCompression) { - boolean disableCompressionSupported = false; - try { - disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION); - if (disableCompressionSupported) - SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION); - } catch (UnsatisfiedLinkError e) { - // Ignore - } - if (!disableCompressionSupported) { - // OpenSSL does not support ciphers ordering. - log.warn(sm.getString("endpoint.warn.noDisableCompression", - SSL.versionString())); + // Disable compression if requested + if (SSLDisableCompression) { + boolean disableCompressionSupported = false; + try { + disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION); + if (disableCompressionSupported) + SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION); + } catch (UnsatisfiedLinkError e) { + // Ignore + } + if (!disableCompressionSupported) { + // OpenSSL does not support ciphers ordering. 
+ log.warn(sm.getString("endpoint.warn.noDisableCompression", + SSL.versionString())); + } } - } - // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy - if (SSLDisableSessionTickets) { - boolean disableSessionTicketsSupported = false; - try { - disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET); - if (disableSessionTicketsSupported) - SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET); - } catch (UnsatisfiedLinkError e) { - // Ignore - } + // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy + if (SSLDisableSessionTickets) { + boolean disableSessionTicketsSupported = false; + try { + disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET); + if (disableSessionTicketsSupported) + SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET); + } catch (UnsatisfiedLinkError e) { + // Ignore + } - if (!disableSessionTicketsSupported) { - // OpenSSL is too old to support TLS Session Tickets. - log.warn(sm.getString("endpoint.warn.noDisableSessionTickets", - SSL.versionString())); + if (!disableSessionTicketsSupported) { + // OpenSSL is too old to support TLS Session Tickets. 
+ log.warn(sm.getString("endpoint.warn.noDisableSessionTickets", + SSL.versionString())); + } } - } - // List the ciphers that the client is permitted to negotiate - SSLContext.setCipherSuite(sslContext, SSLCipherSuite); - // Load Server key and certificate - SSLContext.setCertificate(sslContext, SSLCertificateFile, SSLCertificateKeyFile, SSLPassword, SSL.SSL_AIDX_RSA); - // Set certificate chain file - SSLContext.setCertificateChainFile(sslContext, SSLCertificateChainFile, false); - // Support Client Certificates - SSLContext.setCACertificate(sslContext, SSLCACertificateFile, SSLCACertificatePath); - // Set revocation - SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath); - // Client certificate verification - value = SSL.SSL_CVERIFY_NONE; - if ("optional".equalsIgnoreCase(SSLVerifyClient)) { - value = SSL.SSL_CVERIFY_OPTIONAL; - } else if ("require".equalsIgnoreCase(SSLVerifyClient)) { - value = SSL.SSL_CVERIFY_REQUIRE; - } else if ("optionalNoCA".equalsIgnoreCase(SSLVerifyClient)) { - value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA; - } - SSLContext.setVerify(sslContext, value, SSLVerifyDepth); - // For now, sendfile is not supported with SSL - if (getUseSendfile()) { - setUseSendfileInternal(false); - if (useSendFileSet) { - log.warn(sm.getString("endpoint.apr.noSendfileWithSSL")); + // List the ciphers that the client is permitted to negotiate + SSLContext.setCipherSuite(sslContext, SSLCipherSuite); + // Load Server key and certificate + SSLContext.setCertificate(sslContext, SSLCertificateFile, SSLCertificateKeyFile, SSLPassword, SSL.SSL_AIDX_RSA); + // Set certificate chain file + SSLContext.setCertificateChainFile(sslContext, SSLCertificateChainFile, false); + // Support Client Certificates + SSLContext.setCACertificate(sslContext, SSLCACertificateFile, SSLCACertificatePath); + // Set revocation + SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath); + // Client certificate verification + value = 
SSL.SSL_CVERIFY_NONE; + if ("optional".equalsIgnoreCase(SSLVerifyClient)) { + value = SSL.SSL_CVERIFY_OPTIONAL; + } else if ("require".equalsIgnoreCase(SSLVerifyClient)) { + value = SSL.SSL_CVERIFY_REQUIRE; + } else if ("optionalNoCA".equalsIgnoreCase(SSLVerifyClient)) { + value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA; + } + SSLContext.setVerify(sslContext, value, SSLVerifyDepth); + // For now, sendfile is not supported with SSL + if (getUseSendfile()) { + setUseSendfileInternal(false); + if (useSendFileSet) { + log.warn(sm.getString("endpoint.apr.noSendfileWithSSL")); + } } - } - if (negotiableProtocols.size() > 0) { - byte[] protocols = buildAlpnConfig(negotiableProtocols); - if (SSLContext.setALPN(sslContext, protocols, protocols.length) != 0) { - log.warn(sm.getString("endpoint.alpn.fail", negotiableProtocols)); + if (negotiableProtocols.size() > 0) { + byte[] protocols = buildAlpnConfig(negotiableProtocols); + if (SSLContext.setALPN(sslContext, protocols, protocols.length) != 0) { + log.warn(sm.getString("endpoint.alpn.fail", negotiableProtocols)); + } } } } else if (negotiableProtocols.size() > 0) { Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue Apr 14 11:07:41 2015 
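Review bot: Non-default `SSLHostConfig` entries are dropped by the `continue` under the "No SNI support" TODO without any log output, so an operator who configures per-host TLS settings on an APR connector gets no indication that they are silently ignored; replace the bare `continue` with a `log.warn(...)` (new message key, e.g. `endpoint.apr.noSniSupport` with the host name) before it. Because `sslContext` is a field assigned inside the loop, an `sslHostConfigs` map that lacks the default entry leaves it uninitialised while `isSSLEnabled()` is true; a check after the loop that the default context was created would make that failure explicit at start-up instead of at first connection. The enclosing method starts and ends outside the hunk.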
@@ -16,7 +16,46 @@ */ package org.apache.tomcat.util.net; +import java.util.HashSet; +import java.util.Set; + public class SSLHostConfig { - static final String DEFAULT_SSL_HOST_NAME = "*DEFAULT*"; + public static final String DEFAULT_SSL_HOST_NAME = "*DEFAULT*"; + + private String hostName; + + private Set<String> sslProtocols = new HashSet<>(); + + + public void setHostName(String hostName) { + this.hostName = hostName; + } + + + public String getHostName() { + return hostName; + } + + + public void setProtocols(String protocols) { + // OpenSSL and JSSE use the same names. + if (protocols.trim().equalsIgnoreCase("all")) { + protocols = "TLSv1+TLSv1.1+TLSv1.2"; + } + + String[] values = protocols.split(",|\\+"); + + for (String value: values) { + String trimmed = value.trim(); + if (trimmed.length() > 0) { + sslProtocols.add(trimmed); + } + } + } + + + public Set<String> getSslProtocols() { + return sslProtocols; + } } Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLImplementation.java Tue Apr 14 11:07:41 2015 
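Review bot: `setProtocols` only expands `all` when it is the entire string; a value such as `TLSv1.2,all` passes the literal token `all` into the set, where the APR loop in this commit still maps it to the native `SSL_PROTOCOL_ALL` mask (which is not necessarily the TLSv1+ list this setter substitutes) and the JSSE path logs it as an unsupported protocol. Expanding per token keeps both implementations on the same, explicit protocol list. The setter also appends to `sslProtocols` rather than replacing it and `getSslProtocols` hands out the mutable internal set; if replace semantics are intended, start with `sslProtocols.clear()`, and either way return `Collections.unmodifiableSet(sslProtocols)` (add `java.util.Collections` to the new import block) so callers cannot alter the configured protocols behind the endpoint's back. A null `protocols` argument currently fails with a NullPointerException from `trim()`; an explicit `IllegalArgumentException` would be clearer.
```java
public void setProtocols(String protocols) {
    if (protocols == null) {
        throw new IllegalArgumentException("protocols");
    }
    // OpenSSL and JSSE use the same names.
    for (String value : protocols.split(",|\\+")) {
        String trimmed = value.trim();
        if (trimmed.length() == 0) {
            continue;
        }
        if (trimmed.equalsIgnoreCase("all")) {
            // Expand per token so the literal "all" never reaches the
            // native SSL_PROTOCOL_ALL mask or the JSSE enabled list.
            sslProtocols.add("TLSv1");
            sslProtocols.add("TLSv1.1");
            sslProtocols.add("TLSv1.2");
        } else {
            sslProtocols.add(trimmed);
        }
    }
}
```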
@@ -71,5 +71,5 @@ public abstract class SSLImplementation public abstract SSLSupport getSSLSupport(SSLSession session); - public abstract SSLUtil getSSLUtil(AbstractEndpoint<?> ep); + public abstract SSLUtil getSSLUtil(AbstractEndpoint<?> ep, SSLHostConfig sslHostConfig); } Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Tue Apr 14 11:07:41 2015 @@ -19,6 +19,7 @@ package org.apache.tomcat.util.net.jsse; import javax.net.ssl.SSLSession; import org.apache.tomcat.util.net.AbstractEndpoint; +import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SSLImplementation; import org.apache.tomcat.util.net.SSLSupport; import org.apache.tomcat.util.net.SSLUtil; @@ -50,7 +51,7 @@ public class JSSEImplementation extends } @Override - public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint) { - return new JSSESocketFactory(endpoint); + public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint, SSLHostConfig sslHostConfig) { + return new JSSESocketFactory(endpoint, sslHostConfig); } } Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Tue Apr 14 11:07:41 2015 
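Review bot: The new abstract `getSSLUtil(AbstractEndpoint<?> ep, SSLHostConfig sslHostConfig)` has no Javadoc, and the split of responsibility between its two parameters is exactly what an implementor needs to know now that some settings (protocols) live on the host config while the rest still come from the endpoint. Add a short doc comment stating that `sslHostConfig` supplies the per-host TLS settings for the context being built, that `ep` supplies the endpoint-wide settings, and whether either may be null (the JSSE implementation in this commit passes both straight to the `JSSESocketFactory` constructor).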
@@ -58,6 +58,7 @@ import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.net.AbstractEndpoint; import org.apache.tomcat.util.net.Constants; +import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SSLUtil; import org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser; import org.apache.tomcat.util.res.StringManager; @@ -90,14 +91,16 @@ public class JSSESocketFactory implement private static final String ALLOW_ALL_SUPPORTED_CIPHERS = "ALL"; public static final String DEFAULT_KEY_PASS = "changeit"; - private AbstractEndpoint<?> endpoint; + private final AbstractEndpoint<?> endpoint; + private final SSLHostConfig sslHostConfig; private final String[] defaultServerProtocols; private final String[] defaultServerCipherSuites; - public JSSESocketFactory (AbstractEndpoint<?> endpoint) { + public JSSESocketFactory (AbstractEndpoint<?> endpoint, SSLHostConfig sslHostConfig) { this.endpoint = endpoint; + this.sslHostConfig = sslHostConfig; String sslProtocol = endpoint.getSslProtocol(); if (sslProtocol == null) { 
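Review bot: The constructor stores `sslHostConfig` unchecked even though `getEnableableProtocols` dereferences it unconditionally, so a caller that passes null fails later during handshake set-up rather than at construction; use `this.sslHostConfig = Objects.requireNonNull(sslHostConfig, "sslHostConfig");` (import `java.util.Objects` if the file does not already). The constructor also still reads `endpoint.getSslProtocol()` right after taking the host config, so TLS configuration for one factory now comes from two objects; a one-line comment saying which settings are deliberately still endpoint-scoped would save the next reader from assuming an oversight. The constructor body continues outside the hunk.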
@@ -591,25 +594,24 @@ public class JSSESocketFactory implement @Override public String[] getEnableableProtocols(SSLContext context) { - String[] requestedProtocols = endpoint.getSslEnabledProtocolsArray(); - if ((requestedProtocols == null) || (requestedProtocols.length == 0)) { + if (sslHostConfig.getSslProtocols().size() == 0) { return defaultServerProtocols; } - List<String> protocols = new ArrayList<>( - Arrays.asList(requestedProtocols)); + List<String> protocols = new ArrayList<>(); + protocols.addAll(sslHostConfig.getSslProtocols()); protocols.retainAll(Arrays.asList(context.getSupportedSSLParameters() .getProtocols())); if (protocols.isEmpty()) { log.warn(sm.getString("jsse.requested_protocols_not_supported", - Arrays.asList(requestedProtocols))); + sslHostConfig.getSslProtocols())); } if (log.isDebugEnabled()) { log.debug(sm.getString("jsse.enableable_protocols", protocols)); - if (protocols.size() != requestedProtocols.length) { - List<String> skipped = new ArrayList<>( - Arrays.asList(requestedProtocols)); + if (protocols.size() != sslHostConfig.getSslProtocols().size()) { + List<String> skipped = new ArrayList<>(); + skipped.addAll(sslHostConfig.getSslProtocols()); skipped.removeAll(protocols); log.debug(sm.getString("jsse.unsupported_protocols", skipped)); } Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java?rev=1673408&r1=1673407&r2=1673408&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/TesterBug50640SslImpl.java Tue Apr 14 11:07:41 2015 
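Review bot: `new ArrayList<>()` followed by `addAll(sslHostConfig.getSslProtocols())` is the copy-constructor form written long-hand; both occurrences read better as `List<String> protocols = new ArrayList<>(sslHostConfig.getSslProtocols());` and `List<String> skipped = new ArrayList<>(sslHostConfig.getSslProtocols());`. The method calls `getSslProtocols()` four times; capturing it once in a local keeps the size comparison and the two log messages consistent with the list that was actually filtered. Since the host config stores a `HashSet`, the order of protocols in the warn/debug output is now unspecified, which is harmless for JSSE but worth knowing when reading logs.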
@@ -17,6 +17,7 @@ package org.apache.tomcat.util.net.jsse; import org.apache.tomcat.util.net.AbstractEndpoint; +import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SSLUtil; public class TesterBug50640SslImpl extends JSSEImplementation { @@ -26,10 +27,10 @@ public class TesterBug50640SslImpl exten @Override - public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint) { + public SSLUtil getSSLUtil(AbstractEndpoint<?> endpoint, SSLHostConfig sslHostConfig) { String flag = endpoint.getProperty(PROPERTY_NAME); if (PROPERTY_VALUE.equals(flag)) { - return super.getSSLUtil(endpoint); + return super.getSSLUtil(endpoint, sslHostConfig); } else { return null; } --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org