Author: markt
Date: Thu Apr 30 14:33:58 2015
New Revision: 1677006
URL: http://svn.apache.org/r1677006
Log:
Move clientAuth/verifyClient to SSLHostConfig
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/config/http.xml
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
Thu Apr 30 14:33:58 2015
@@ -25,9 +25,6 @@ public abstract class AbstractHttp11Jsse
super(endpoint);
}
- public String getClientAuth() { return getEndpoint().getClientAuth();}
- public void setClientAuth(String s ) { getEndpoint().setClientAuth(s);}
-
public String getKeystorePass() { return getEndpoint().getKeystorePass();}
public void setKeystorePass(String s ) { getEndpoint().setKeystorePass(s);}
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu
Apr 30 14:33:58 2015
@@ -356,6 +356,9 @@ public abstract class AbstractHttp11Prot
}
+ // TODO: All of these SSL setters can be removed once it is no longer
+ // necessary to support the old configuration attributes (Tomcat 10?).
+
public void setSslEnabledProtocols(String enabledProtocols) {
registerDefaultSSLHostConfig();
defaultSSLHostConfig.setProtocols(enabledProtocols);
@@ -384,6 +387,16 @@ public abstract class AbstractHttp11Prot
defaultSSLHostConfig.setKeyManagerAlgorithm(keyManagerAlgorithm);
}
+ public void setClientAuth(String certificateVerification) {
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateVerification(certificateVerification);
+ }
+
+ public void setSSLVerifyClient(String certificateVerification) {
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateVerification(certificateVerification);
+ }
+
// ------------------------------------------------------------- Common
code
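Review bot: The two new setters `setClientAuth` and `setSSLVerifyClient` carry no Javadoc saying they are compatibility aliases for the default SSLHostConfig's `certificateVerification`, and the getters removed from AbstractHttp11JsseProtocol and Http11AprProtocol get no counterpart here, so anything that read the old attribute through introspection now finds a write-only property. A one-line Javadoc on each, e.g. `/** @deprecated Alias for {@code certificateVerification} on the default SSLHostConfig; use that attribute instead. */`, would make the TODO at the top of this hunk actionable and point readers at the replacement. Note also that the http.xml hunks describe both `clientAuth` and `SSLVerifyClient` as aliases of `certificateValidation`, while the attribute added to SSLHostConfig in this commit is `certificateVerification`; the documentation text should use the latter name.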
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Apr
30 14:33:58 2015
@@ -133,13 +133,6 @@ public class Http11AprProtocol extends A
/**
- * SSL verify client.
- */
- public String getSSLVerifyClient() { return
((AprEndpoint)getEndpoint()).getSSLVerifyClient(); }
- public void setSSLVerifyClient(String SSLVerifyClient) {
((AprEndpoint)getEndpoint()).setSSLVerifyClient(SSLVerifyClient); }
-
-
- /**
* SSL verify depth.
*/
public int getSSLVerifyDepth() { return
((AprEndpoint)getEndpoint()).getSSLVerifyDepth(); }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Apr
30 14:33:58 2015
@@ -984,10 +984,6 @@ public abstract class AbstractEndpoint<S
this.sslImplementationName = s;
}
- private String clientAuth = "false";
- public String getClientAuth() { return clientAuth;}
- public void setClientAuth(String s ) { this.clientAuth = s;}
-
private String keystorePass = null;
public String getKeystorePass() { return keystorePass;}
public void setKeystorePass(String s ) { this.keystorePass = s;}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu
Apr 30 14:33:58 2015
@@ -81,13 +81,18 @@ public abstract class AbstractJsseEndpoi
}
SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
- if ("false".equals(getClientAuth())) {
+ switch (sslHostConfig.getCertificateVerification()) {
+ case NONE:
engine.setNeedClientAuth(false);
engine.setWantClientAuth(false);
- } else if ("true".equals(getClientAuth()) ||
"yes".equals(getClientAuth())){
- engine.setNeedClientAuth(true);
- } else if ("want".equals(getClientAuth())) {
+ break;
+ case OPTIONAL:
+ case OPTIONAL_NO_CA:
engine.setWantClientAuth(true);
+ break;
+ case REQUIRED:
+ engine.setNeedClientAuth(true);
+ break;
}
engine.setUseClientMode(false);
engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());
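Review bot: The new `switch` over `sslHostConfig.getCertificateVerification()` has no `default` arm, so if a constant is ever added to `CertificateVerification` the engine is left with whatever client-auth setting it had before the switch rather than failing; the switch in AprEndpoint just before `SSLContext.setVerify(ctx, value, SSLVerifyDepth)` has the same shape, where `value` would keep its prior contents. A `default: throw new IllegalStateException(...)` in both places, or at minimum a comment stating that the enum is covered exhaustively, keeps an unexpected mode from degrading to no verification. The `case OPTIONAL_NO_CA:` fall-through also deserves a one-line comment, e.g. `// JSSE cannot skip CA validation; treated as OPTIONAL (documented in http.xml)`, since the rationale is otherwise only in the documentation. The enclosing method starts outside the hunk.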
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Apr 30
14:33:58 2015
@@ -272,14 +272,6 @@ public class AprEndpoint extends Abstrac
public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets)
{ this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
/**
- * SSL verify client.
- */
- protected String SSLVerifyClient = "none";
- public String getSSLVerifyClient() { return SSLVerifyClient; }
- public void setSSLVerifyClient(String SSLVerifyClient) {
this.SSLVerifyClient = SSLVerifyClient; }
-
-
- /**
* SSL verify depth.
*/
protected int SSLVerifyDepth = 10;
@@ -611,13 +603,19 @@ public class AprEndpoint extends Abstrac
// Set revocation
SSLContext.setCARevocation(ctx, SSLCARevocationFile,
SSLCARevocationPath);
// Client certificate verification
- value = SSL.SSL_CVERIFY_NONE;
- if ("optional".equalsIgnoreCase(SSLVerifyClient)) {
+ switch (sslHostConfig.getCertificateVerification()) {
+ case NONE:
+ value = SSL.SSL_CVERIFY_NONE;
+ break;
+ case OPTIONAL:
value = SSL.SSL_CVERIFY_OPTIONAL;
- } else if ("require".equalsIgnoreCase(SSLVerifyClient)) {
- value = SSL.SSL_CVERIFY_REQUIRE;
- } else if ("optionalNoCA".equalsIgnoreCase(SSLVerifyClient)) {
+ break;
+ case OPTIONAL_NO_CA:
value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
+ break;
+ case REQUIRED:
+ value = SSL.SSL_CVERIFY_REQUIRE;
+ break;
}
SSLContext.setVerify(ctx, value, SSLVerifyDepth);
// For now, sendfile is not supported with SSL
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Thu
Apr 30 14:33:58 2015
@@ -110,4 +110,5 @@ socket.apr.read.sslGeneralError=An APR g
socket.apr.write.error=Unexpected error [{0}] writing data to the APR/native
socket [{1}] with wrapper [{2}].
socket.apr.closed=The socket [{0}] associated with this connection has been
closed.
+sslHostConfig.certificateVerificationInvalid=The certificate verification
value [{0}] is not recognised
sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named
[{1}] but this property is for connectors of type [{2}] by the SSLHostConfig is
being used with a connector of type [{3}]
\ No newline at end of file
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Apr 30
14:33:58 2015
@@ -44,6 +44,8 @@ public class SSLHostConfig {
// Configuration properties
// Common
+ private CertificateVerification certificateVerification =
CertificateVerification.NONE;
+
private Set<String> protocols = new HashSet<>();
// JSSE
private String keyManagerAlgorithm =
KeyManagerFactory.getDefaultAlgorithm();
@@ -99,6 +101,16 @@ public class SSLHostConfig {
// ----------------------------------------- Common configuration
properties
+ public void setCertificateVerification(String certificateVerification) {
+ this.certificateVerification =
CertificateVerification.fromString(certificateVerification);
+ }
+
+
+ public CertificateVerification getCertificateVerification() {
+ return certificateVerification;
+ }
+
+
public void setHostName(String hostName) {
this.hostName = hostName;
}
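Review bot: `setCertificateVerification` hands the configured string to `CertificateVerification.fromString`, which throws `IllegalArgumentException` for unrecognised values, but the setter itself documents neither the accepted spellings nor that exception, which is the contract the configuration layer (Digester, JMX) actually sees. A short Javadoc such as `/** Sets the client certificate verification mode. @param certificateVerification one of required, optional, optionalNoCA or none (legacy aliases accepted) @throws IllegalArgumentException if the value is not recognised */` would make the fail-closed behaviour visible at the point of configuration.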
@@ -189,4 +201,37 @@ public class SSLHostConfig {
JSSE,
OPENSSL
}
+
+
+ public static enum CertificateVerification {
+ NONE,
+ OPTIONAL_NO_CA,
+ OPTIONAL,
+ REQUIRED;
+
+ public static CertificateVerification fromString(String value) {
+ if ("true".equalsIgnoreCase(value) ||
+ "yes".equalsIgnoreCase(value) ||
+ "require".equalsIgnoreCase(value) ||
+ "required".equalsIgnoreCase(value)) {
+ return REQUIRED;
+ } else if ("optional".equalsIgnoreCase(value) ||
+ "want".equalsIgnoreCase(value)) {
+ return OPTIONAL;
+ } else if ("optionalNoCA".equalsIgnoreCase(value) ||
+ "optional_no_ca".equalsIgnoreCase(value)) {
+ return OPTIONAL_NO_CA;
+ } else if ("false".equalsIgnoreCase(value) ||
+ "no".equalsIgnoreCase(value) ||
+ "none".equalsIgnoreCase(value)) {
+ return NONE;
+ } else {
+ // Could be a typo. Don't default to NONE since that is not
+ // secure. Force user to fix config. Could default to REQUIRED
+ // instead.
+ throw new IllegalArgumentException(
+
sm.getString("sslHostConfig.certificateVerificationInvalid", value));
+ }
+ }
+ }
}
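Review bot: `fromString` sends a `null` value, or one with surrounding whitespace such as `"required "`, into the final `else` branch (every `equalsIgnoreCase` comparison is false for them) and rejects it with the `[{0}]` message, which is the right fail-closed outcome but is stated nowhere; a Javadoc listing the accepted spellings with `@throws IllegalArgumentException if {@code value} is null or not one of the recognised spellings` would record it, and whether whitespace from a hand-edited configuration should be tolerated via `trim()` is a decision worth making explicit in that comment. The inline comment explaining why the method does not default to NONE is good and should stay. The `static` modifier on `public static enum CertificateVerification` is redundant, since nested enums are implicitly static, and is usually dropped.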
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Apr 30 14:33:58 2015
@@ -1065,6 +1065,20 @@
RECOMMENDED).</p>
</attribute>
+ <attribute name="certificateVerification" required="false">
+ <p>Set to <code>required</code> if you want the SSL stack to require a
+ valid certificate chain from the client before accepting a connection.
+ Set to <code>optional</code> if you want the SSL stack to request a
client
+ Certificate, but not fail if one isn't presented. Set to
+ <code>optionalNoCA</code> if you want client certificates to be optional
+ and you don't want Tomcat to check them against the list of trusted CAs.
+ If the TLS provider doesn't support this option (OpenSSL does, JSSE does
+ not) it is treated as if <code>optional</code> was specified. A
+ <code>none</code> value (which is the default) will not require a
+ certificate chain unless the client requests a resource protected by a
+ security constraint that uses <code>CLIENT-CERT</code>
authentication.</p>
+ </attribute>
+
<attribute name="hostName" required="false">
<p>The name of the SSL Host. This should either be the fully qualified
domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
@@ -1142,13 +1156,9 @@
</attribute>
<attribute name="clientAuth" required="false">
- <p>Set to <code>true</code> if you want the SSL stack to require a
- valid certificate chain from the client before accepting a connection.
- Set to <code>want</code> if you want the SSL stack to request a client
- Certificate, but not fail if one isn't presented. A <code>false</code>
- value (which is the default) will not require a certificate chain
- unless the client requests a resource protected by a security
- constraint that uses <code>CLIENT-CERT</code> authentication.</p>
+ <p>This is an alias for the <code>certificateValidation</code> attribute
+ of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="clientCertProvider" required="false">
@@ -1425,9 +1435,9 @@
</attribute>
<attribute name="SSLVerifyClient" required="false">
- <p>Ask client for certificate. The default is "none", meaning the client
- will not have the opportunity to submit a certificate. Other acceptable
- values include "optional", "require" and "optionalNoCA".</p>
+ <p>This is an alias for the <code>certificateValidation</code> attribute
+ of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
</attribute>
<attribute name="SSLVerifyDepth" required="false">