[Bug 61289] NullPointerException in Response.generateCookieString()
https://bz.apache.org/bugzilla/show_bug.cgi?id=61289 hugo changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|INVALID |--- --- Comment #3 from hugo --- I got the same exception when I create a spring boot application, the version of tomcat is 8.5.16. I has debug it, and found that the getContext() method got a null, so the exception occured. My english is pool,all of you can the exceprion detail, as follow: java.lang.NullPointerException: null at org.apache.catalina.connector.Response.generateCookieString(Response.java:1019) ~[tomcat-embed-core-8.5.16.jar:8.5.16] at org.apache.catalina.connector.Response.addCookie(Response.java:967) ~[tomcat-embed-core-8.5.16.jar:8.5.16] at org.apache.catalina.connector.ResponseFacade.addCookie(ResponseFacade.java:386) ~[tomcat-embed-core-8.5.16.jar:8.5.16] at com.easyedm.common.utils.CookieUtil.addCookie(CookieUtil.java:37) ~[classes/:na] at com.easyedm.common.utils.CookieUtil.addCookie(CookieUtil.java:49) ~[classes/:na] at com.easyedm.admin.service.impl.AdminInfoServiceImpl.userLoginRecord(AdminInfoServiceImpl.java:63) ~[classes/:na] at com.easyedm.admin.service.impl.AdminInfoServiceImpl.login(AdminInfoServiceImpl.java:52) ~[classes/:na] at com.easyedm.admin.controller.AdminInfoController.adminLogin(AdminInfoController.java:59) ~[classes/:na] at com.easyedm.admin.controller.AdminInfoController$$FastClassBySpringCGLIB$$e2440cb5.invoke() ~[classes/:na] at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738) ~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:52) 
~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92) ~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:673) ~[spring-aop-4.3.10.RELEASE.jar:4.3.10.RELEASE] at com.easyedm.admin.controller.AdminInfoController$$EnhancerBySpringCGLIB$$242ca14c.adminLogin() ~[classes/:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_91] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_91] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_91] at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_91] at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:133) ~[spring-web-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:97) ~[spring-webmvc-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:827) ~[spring-webmvc-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:738) 
~[spring-webmvc-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) ~[spring-webmvc-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) ~[spring-webmvc-4.3.10.RELEASE.jar:4.3.10.RELEASE] at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
[Bug 61289] NullPointerException in Response.generateCookieString()
https://bz.apache.org/bugzilla/show_bug.cgi?id=61289 Chuck Caldarale changed: What|Removed |Added Resolution|--- |INVALID Status|REOPENED|RESOLVED --- Comment #4 from Chuck Caldarale --- As Mark stated, the cause is almost always incorrect response object handling in the application, and that this should be pursued on the Tomcat Users' mailing list. Bugzilla is not a support forum. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1805521 - in /tomcat/native/trunk: native/src/sslcontext.c xdocs/miscellaneous/changelog.xml
Author: rjung Date: Sat Aug 19 20:07:54 2017 New Revision: 1805521 URL: http://svn.apache.org/viewvc?rev=1805521&view=rev Log: Add SSLContext.getCiphers(). Note that for OpenSSL < 1.1.0 there is no SSL_CTX_get_ciphers(), so we create a temporary SSL from the SSL_CTX and use SSL_get_ciphers() in this case. Modified: tomcat/native/trunk/native/src/sslcontext.c tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/src/sslcontext.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1805521&r1=1805520&r2=1805521&view=diff == --- tomcat/native/trunk/native/src/sslcontext.c (original) +++ tomcat/native/trunk/native/src/sslcontext.c Sat Aug 19 20:07:54 2017 @@ -27,6 +27,7 @@ #include "ssl_private.h" static jclass byteArrayClass; +static jclass stringClass; static apr_status_t ssl_context_cleanup(void *data) { @@ -139,6 +140,7 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma tcn_ssl_ctxt_t *c = NULL; SSL_CTX *ctx = NULL; jclass clazz; +jclass sClazz; #if OPENSSL_VERSION_NUMBER >= 0x1010L jint prot; #endif @@ -346,6 +348,8 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, ma /* Cache the byte[].class for performance reasons */ clazz = (*e)->FindClass(e, "[B"); byteArrayClass = (jclass) (*e)->NewGlobalRef(e, clazz); +sClazz = (*e)->FindClass(e, "java/lang/String"); +stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz); return P2J(c); init_failed: 
@@ -489,6 +493,61 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, return rv; } +TCN_IMPLEMENT_CALL(jobjectArray, SSLContext, getCiphers)(TCN_STDARGS, jlong ctx) +{ +tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *); +STACK_OF(SSL_CIPHER) *sk; +int len; +jobjectArray array; +SSL_CIPHER *cipher; +const char *name; +int i; +jstring c_name; +#if OPENSSL_VERSION_NUMBER < 0x1010L +SSL *ssl; +#endif + +UNREFERENCED_STDARGS; + +if (c->ctx == NULL) { +tcn_ThrowException(e, "ssl context is null"); +return NULL; +} + +/* Before OpenSSL 1.1.0, get_ciphers() was only available + * on an SSL, not for an SSL_CTX. */ +#if OPENSSL_VERSION_NUMBER < 0x1010L +ssl = SSL_new(c->ctx); +if (ssl == NULL) { +tcn_ThrowException(e, "could not create temporary ssl from ssl context"); +return NULL; +} + +sk = SSL_get_ciphers(ssl); +#else +sk = SSL_CTX_get_ciphers(c->ctx); +#endif +len = sk_SSL_CIPHER_num(sk); + +if (len <= 0) { +SSL_free(ssl); +return NULL; +} + +array = (*e)->NewObjectArray(e, len, stringClass, NULL); + +for (i = 0; i < len; i++) { +cipher = (SSL_CIPHER*) sk_SSL_CIPHER_value(sk, i); +name = SSL_CIPHER_get_name(cipher); + +c_name = (*e)->NewStringUTF(e, name); +(*e)->SetObjectArrayElement(e, array, i, c_name); +} +SSL_free(ssl); +return array; +} + + TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCARevocation)(TCN_STDARGS, jlong ctx, jstring file, jstring path) Modified: tomcat/native/trunk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/trunk/xdocs/miscellaneous/changelog.xml?rev=1805521&r1=1805520&r2=1805521&view=diff == --- tomcat/native/trunk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Sat Aug 19 20:07:54 2017 
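Review bot: `SSL_free(ssl)` is called unconditionally both in the `len <= 0` branch and before `return array`, but `ssl` is only declared inside the `#if OPENSSL_VERSION_NUMBER < …` block, so `getCiphers` cannot compile against an OpenSSL where the `SSL_CTX_get_ciphers()` path is taken. Both calls need the same version guard as the declaration, `#if OPENSSL_VERSION_NUMBER < …` / `SSL_free(ssl);` / `#endif`, or a small static helper that frees only when the temporary SSL was created. Separately, an empty cipher stack returns `NULL` to Java without raising an exception, and `NewObjectArray` is not checked before the `SetObjectArrayElement` loop; returning `NewObjectArray(e, 0, stringClass, NULL)` for the empty case and bailing out when the array allocation fails would give the Java side a consistent non-null result or a pending exception rather than a bare null.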
@@ -37,6 +37,9 @@ + Add SSLContext.getCiphers(). (rjung) + + Add method to add a single CA certificate to the list of CA certificates which are accepted as issuers of client certificates. (rjung) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1805522 - in /tomcat/native/trunk: native/include/ssl_private.h native/src/sslconf.c xdocs/miscellaneous/changelog.xml
Author: rjung Date: Sat Aug 19 20:10:13 2017 New Revision: 1805522 URL: http://svn.apache.org/viewvc?rev=1805522&view=rev Log: Add support for the OpenSSL SSL_CONF API. Added: tomcat/native/trunk/native/src/sslconf.c (with props) Modified: tomcat/native/trunk/native/include/ssl_private.h tomcat/native/trunk/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/trunk/native/include/ssl_private.h URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1805522&r1=1805521&r2=1805522&view=diff == --- tomcat/native/trunk/native/include/ssl_private.h (original) +++ tomcat/native/trunk/native/include/ssl_private.h Sat Aug 19 20:10:13 2017 @@ -180,6 +180,11 @@ #define HAVE_TLSV1_2 #endif +/* Check for SSL_CONF support */ +#if defined(SSL_CONF_FLAG_FILE) +#define HAVE_SSL_CONF_CMD +#endif + /** * The following features all depend on TLS extension support. * Within this block, check again for features (not version numbers). @@ -306,6 +311,14 @@ struct tcn_ssl_ctxt_t { /* End add from netty-tcnative */ }; +#ifdef HAVE_SSL_CONF_CMD +typedef struct tcn_ssl_conf_ctxt_t tcn_ssl_conf_ctxt_t; + +struct tcn_ssl_conf_ctxt_t { +apr_pool_t *pool; +SSL_CONF_CTX*cctx; +}; +#endif typedef struct { apr_pool_t *pool; Added: tomcat/native/trunk/native/src/sslconf.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslconf.c?rev=1805522&view=auto == --- tomcat/native/trunk/native/src/sslconf.c (added) +++ tomcat/native/trunk/native/src/sslconf.c Sat Aug 19 20:10:13 2017 
@@ -0,0 +1,413 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** SSL Context wrapper + */ + +#include "tcn.h" + +#ifdef HAVE_OPENSSL + +#include "ssl_private.h" + +#ifdef HAVE_SSL_CONF_CMD + +#define SSL_THROW_RETURN -9 + +#include "apr_file_io.h" + +/** + * Define the Path Checking modes + */ +#define PCM_EXISTS 0x1 +#define PCM_ISREG 0x2 +#define PCM_ISDIR 0x4 +#define PCM_ISNONZERO 0x8 + +#define FLAGS_CHECK_FILE (PCM_EXISTS|PCM_ISREG|PCM_ISNONZERO) +#define FLAGS_CHECK_DIR (PCM_EXISTS|PCM_ISDIR) + +static int path_check(apr_pool_t *p, const char *path, int pcm) +{ +apr_finfo_t finfo; + +if (path == NULL) +return 1; +if (pcm & PCM_EXISTS && +apr_stat(&finfo, path, APR_FINFO_TYPE|APR_FINFO_SIZE, p) != 0) +return 1; +if (pcm & PCM_ISREG && finfo.filetype != APR_REG) +return 1; +if (pcm & PCM_ISDIR && finfo.filetype != APR_DIR) +return 1; +if (pcm & PCM_ISNONZERO && finfo.size <= 0) +return 1; +return 0; +} + + +static int check_dir(apr_pool_t *p, const char *dir) +{ +return path_check(p, dir, FLAGS_CHECK_DIR); +} + +static int check_file(apr_pool_t *p, const char *file) +{ +return path_check(p, file, FLAGS_CHECK_FILE); +} + +static apr_status_t ssl_ctx_config_cleanup(void *data) +{ +tcn_ssl_conf_ctxt_t *c = 
(tcn_ssl_conf_ctxt_t *)data; +if (c != NULL && c->cctx != NULL) { +SSL_CONF_CTX_free(c->cctx); +c->cctx = NULL; +c->pool = NULL; +} +return APR_SUCCESS; +} + +/* Initialize an SSL_CONF context */ +TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS, jlong pool, + jint flags) +{ +apr_pool_t *p = J2P(pool, apr_pool_t *); +tcn_ssl_conf_ctxt_t *c = NULL; +SSL_CONF_CTX *cctx; +unsigned long ec; + +UNREFERENCED(o); + +SSL_ERR_clear(); +cctx = SSL_CONF_CTX_new(); +ec = SSL_ERR_get(); +if (!cctx || ec != 0) { +if (ec != 0) { +char err[256]; +ERR_error_string(ec, err); +tcn_Throw(e, "Could not create SSL_CONF context (%s)", err); +} else { +tcn_Throw(e, "Could not create SSL_CONF context"); +} +return 0; +} + +SSL_CONF_CTX_set_flags(cctx, flags); + +if ((c = apr_pcalloc(p, sizeof(tcn_ssl_conf_ctxt_t))) == NULL) { +tcn_ThrowAPRException(e, apr_get_os_error()); +return 0; +} + +c->cctx = cctx; +c->pool = p; + +/* +
svn commit: r1805523 - /tomcat/trunk/java/org/apache/tomcat/jni/SSL.java
Author: rjung Date: Sat Aug 19 20:14:48 2017 New Revision: 1805523 URL: http://svn.apache.org/viewvc?rev=1805523&view=rev Log: Fix a comment typo. Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1805523&r1=1805522&r2=1805523&view=diff == --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Sat Aug 19 20:14:48 2017 @@ -646,7 +646,7 @@ public final class SSL { public static native int getOptions(long ssl); /** - * Returns all Returns the cipher suites that are available for negotiation in an SSL handshake. + * Returns all cipher suites that are enabled for negotiation in an SSL handshake. * @param ssl the SSL instance (SSL *) * @return ciphers */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1805524 - /tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
Author: rjung Date: Sat Aug 19 20:20:49 2017 New Revision: 1805524 URL: http://svn.apache.org/viewvc?rev=1805524&view=rev Log: AVAILABLE_CIPHER_SUITES contains the ciphers with JSSE names, so the check needs to be done before replacing with the OpenSSL name. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1805524&r1=1805523&r2=1805524&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Sat Aug 19 20:20:49 2017 @@ -709,12 +709,12 @@ public final class OpenSSLEngine extends break; } String converted = OpenSSLCipherConfigurationParser.jsseToOpenSSL(cipherSuite); -if (converted != null) { -cipherSuite = converted; -} if (!AVAILABLE_CIPHER_SUITES.contains(cipherSuite)) { logger.debug(sm.getString("engine.unsupportedCipher", cipherSuite, converted)); } +if (converted != null) { +cipherSuite = converted; +} buf.append(cipherSuite); buf.append(':'); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
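Review bot: After the `engine.unsupportedCipher` debug log, the loop still appends `cipherSuite` to `buf`, so a suite that fails the `AVAILABLE_CIPHER_SUITES` check is passed on to OpenSSL anyway and the only trace of it is at debug level. If that is intended (OpenSSL presumably ignores an unrecognised name in the cipher list), a comment above the `if`, `// Not filtered: unsupported names are passed through and left to OpenSSL`, saves the next reader from assuming the check filters; otherwise `continue;` after the log is the change. The enclosing loop and method start and end outside the hunk.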
svn commit: r1805525 - in /tomcat/trunk: java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java webapps/docs/changelog.xml
Author: rjung Date: Sat Aug 19 20:31:31 2017 New Revision: 1805525 URL: http://svn.apache.org/viewvc?rev=1805525&view=rev Log: When using a Java connector in combination with the OpenSSL TLS implementation, do not configure each SSL connection object via the OpenSSLEngine. For OpenSSL the SSL object inherits its settings from the SSL_CTX which we have already configured. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805525&r1=1805524&r2=1805525&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Sat Aug 19 20:31:31 2017 @@ -413,7 +413,7 @@ public class OpenSSLContext implements o @Override public SSLEngine createSSLEngine() { return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext, -(negotiableProtocols != null && negotiableProtocols.size() > 0)); +(negotiableProtocols != null && negotiableProtocols.size() > 0), initialized); } @Override Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1805525&r1=1805524&r2=1805525&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Sat Aug 19 20:31:31 2017 
@@ -164,6 +164,7 @@ public final class OpenSSLEngine extends private final String fallbackApplicationProtocol; private final OpenSSLSessionContext sessionContext; private final boolean alpn; +private final boolean initialized; private String selectedProtocol = null; @@ -173,15 +174,38 @@ public final class OpenSSLEngine extends * Creates a new instance * * @param sslCtx an OpenSSL {@code SSL_CTX} object - * @param alloc the {@link ByteBufAllocator} that will be used by this - * engine + * @param fallbackApplicationProtocol the fallback application protocol * @param clientMode {@code true} if this is used for clients, {@code false} * otherwise * @param sessionContext the {@link OpenSslSessionContext} this * {@link SSLEngine} belongs to. + * @param alpn {@code true} if alpn should be used, {@code false} + * otherwise + */ +OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol, +boolean clientMode, OpenSSLSessionContext sessionContext, +boolean alpn) { +this(sslCtx, fallbackApplicationProtocol, clientMode, sessionContext, + alpn, false); +} + +/** + * Creates a new instance + * + * @param sslCtx an OpenSSL {@code SSL_CTX} object + * @param fallbackApplicationProtocol the fallback application protocol + * @param clientMode {@code true} if this is used for clients, {@code false} + * otherwise + * @param sessionContext the {@link OpenSslSessionContext} this + * {@link SSLEngine} belongs to. + * @param alpn {@code true} if alpn should be used, {@code false} + * otherwise + * @param initialized {@code true} if this instance gets its protocol, + * cipher and client verification from the {@code SSL_CTX} {@code sslCtx} */ OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol, -boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn) { +boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn, +boolean initialized) { if (sslCtx == 0) { throw new IllegalArgumentException(sm.getString("engine.noSSLContext")); } 
@@ -194,6 +218,7 @@ public final class OpenSSLEngine extends this.clientMode = clientMode; this.sessionContext = sessionContext; this.alpn = alpn; +this.initialized = initialized; } @Override @@ -697,6 +722,9 @@ public final class OpenSSLEngine extends @Override public synchronized void setEnabledCipherSuites(String[] cipherSuites) { +if (initialized) { +return; +} if (cipherSuites == null) { throw new IllegalArgumentException(sm.getString("engine.nullCipherSuite")); } @@ -772,6 +800,9 @@ public final class OpenSSLEngine extends @Override public synchronized void setEnabledProtocols(String[] protocols) { +
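Review bot: The added `if (initialized) { return; }` in `setEnabledCipherSuites` runs before the null check, so an engine created with `initialized == true` silently accepts `setEnabledCipherSuites(null)` instead of throwing the `IllegalArgumentException` the next line promises; `SSLEngine` callers rely on that exception for argument errors regardless of how the engine was built. Placing the guard after the argument validation (`if (cipherSuites == null) { throw … }` then `if (initialized) { return; }`) keeps the contract uniform; the same ordering applies to the `setEnabledProtocols` hunk that begins on this line but is cut off here. A one-line comment on the guard, `// Ciphers and protocols are inherited from the already configured SSL_CTX`, would also explain why the call is a no-op rather than an error.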
svn commit: r1805526 - /tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java
Author: rjung Date: Sat Aug 19 20:49:09 2017 New Revision: 1805526 URL: http://svn.apache.org/viewvc?rev=1805526&view=rev Log: Add access to new native API SSLContext.getCiphers(). This needs tcnative 1.2.13 though. Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1805526&r1=1805525&r2=1805526&view=diff == --- tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSLContext.java Sat Aug 19 20:49:09 2017 @@ -111,6 +111,13 @@ public final class SSLContext { public static native void clearOptions(long ctx, int options); /** + * Returns all cipher suites that are enabled for negotiation in an SSL handshake. + * @param ctx Server or Client context to use. + * @return ciphers + */ +public static native String[] getCiphers(long ctx); + +/** * Sets the "quiet shutdown" flag for ctx to be * mode. SSL objects created from ctx inherit the * mode valid at the time and may be 0 or 1. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
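Review bot: The `@return ciphers` Javadoc on `getCiphers` omits the case the native implementation actually has: in r1805521 above, the C side returns `NULL` when the cipher stack is empty, and per this commit log the symbol is only present from tcnative 1.2.13, so older libraries fail with an `UnsatisfiedLinkError`. Suggest `@return The enabled cipher names, or {@code null} if no cipher is enabled` plus a sentence stating the minimum tcnative version, so callers know to null-check and to catch the link error.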
svn commit: r1805527 - in /tomcat/trunk/java/org/apache/tomcat/jni: SSL.java SSLConf.java
Author: rjung Date: Sat Aug 19 20:50:13 2017 New Revision: 1805527 URL: http://svn.apache.org/viewvc?rev=1805527&view=rev Log: Add access to tcnative SSL_CONF API and some constants used by it. Using the new API needs tcnative 1.2.13 though. Added: tomcat/trunk/java/org/apache/tomcat/jni/SSLConf.java (with props) Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Modified: tomcat/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1805527&r1=1805526&r2=1805527&view=diff == --- tomcat/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSL.java Sat Aug 19 20:50:13 2017 @@ -172,6 +172,18 @@ public final class SSL { public static final int SSL_MODE_SERVER = 1; public static final int SSL_MODE_COMBINED = 2; +public static final int SSL_CONF_FLAG_CMDLINE = 0x0001; +public static final int SSL_CONF_FLAG_FILE = 0x0002; +public static final int SSL_CONF_FLAG_CLIENT= 0x0004; +public static final int SSL_CONF_FLAG_SERVER= 0x0008; +public static final int SSL_CONF_FLAG_SHOW_ERRORS = 0x0010; +public static final int SSL_CONF_FLAG_CERTIFICATE = 0x0020; + +public static final int SSL_CONF_TYPE_UNKNOWN = 0x; +public static final int SSL_CONF_TYPE_STRING= 0x0001; +public static final int SSL_CONF_TYPE_FILE = 0x0002; +public static final int SSL_CONF_TYPE_DIR = 0x0003; + public static final int SSL_SHUTDOWN_TYPE_UNSET= 0; public static final int SSL_SHUTDOWN_TYPE_STANDARD = 1; public static final int SSL_SHUTDOWN_TYPE_UNCLEAN = 2; Added: tomcat/trunk/java/org/apache/tomcat/jni/SSLConf.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/jni/SSLConf.java?rev=1805527&view=auto == --- tomcat/trunk/java/org/apache/tomcat/jni/SSLConf.java (added) +++ tomcat/trunk/java/org/apache/tomcat/jni/SSLConf.java Sat Aug 19 20:50:13 2017 
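Review bot: The new `SSL_CONF_FLAG_*` and `SSL_CONF_TYPE_*` constants mirror values defined by OpenSSL's headers and are handed straight to the native side via `SSLConf.make(…, flags)`, so a future divergence between the two would be silent. A comment above the group, `// Must match the SSL_CONF_FLAG_* / SSL_CONF_TYPE_* values in OpenSSL's ssl.h`, makes that coupling visible to whoever next edits either side. The `SSL_CONF_TYPE_UNKNOWN` value reads as `0x` in this copy, which looks like a transcription artefact rather than the committed source; worth confirming against the committed file.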
@@ -0,0 +1,113 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.tomcat.jni; + +/** SSL Conf + */ +public final class SSLConf { + +/** + * Create a new SSL_CONF context. + * + * @param pool The pool to use. + * @param flags The SSL_CONF flags to use. It can be any combination of + * the following: + * + * {@link SSL#SSL_CONF_FLAG_CMDLINE} + * {@link SSL#SSL_CONF_FLAG_FILE} + * {@link SSL#SSL_CONF_FLAG_CLIENT} + * {@link SSL#SSL_CONF_FLAG_SERVER} + * {@link SSL#SSL_CONF_FLAG_SHOW_ERRORS} + * {@link SSL#SSL_CONF_FLAG_CERTIFICATE} + * + * + * @return The Java representation of a pointer to the newly created + * SSL_CONF Context + * + * @throws Exception If the SSL_CONF context could not be created + * + * @see https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_new.html";>OpenSSL SSL_CONF_CTX_new + * @see https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_set_flags.html";>OpenSSL SSL_CONF_CTX_set_flags + */ +public static native long make(long pool, int flags) throws Exception; + +/** + * Free the resources used by the context + * + * @param cctx SSL_CONF context to free. 
+ * + * @see https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_CTX_new.html";>OpenSSL SSL_CONF_CTX_free + */ +public static native void free(long cctx); + +/** + * Check a command with an SSL_CONF context. + * + * @param cctx SSL_CONF context to use. + * @param name command name. + * @param value command value. + * + * @return The result of the check based on the {@code SSL_CONF_cmd_value_type} + * call. Unknown types will result in an exception, as well as + * file and directory types with invalid file or directory names. + * + * @throws Exception If the check fails. + * + * @see https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html";>OpenSSL SSL_CONF_cmd_value_type + */ +public
svn commit: r1805528 - in /tomcat/trunk: java/org/apache/catalina/startup/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/openssl/ webapps/docs/
Author: rjung Date: Sat Aug 19 21:32:23 2017 New Revision: 1805528 URL: http://svn.apache.org/viewvc?rev=1805528&view=rev Log: Add support for the OpenSSL SSL_CONF API when using TLS with OpenSSL implementation. This will need tcnative 1.2.13. It can be used by adding OpenSSLConf elements underneath SSLHostConfig. The new element contains a list of OpenSSLConfCmd elements, each with the attributes "name" and "value". Example: Added: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConf.java (with props) tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/startup/Catalina.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/startup/Catalina.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/Catalina.java?rev=1805528&r1=1805527&r2=1805528&view=diff == --- tomcat/trunk/java/org/apache/catalina/startup/Catalina.java (original) +++ tomcat/trunk/java/org/apache/catalina/startup/Catalina.java Sat Aug 19 21:32:23 2017 
@@ -354,6 +354,20 @@ public class Catalina { "addCertificate", "org.apache.tomcat.util.net.SSLHostConfigCertificate"); + digester.addObjectCreate("Server/Service/Connector/SSLHostConfig/OpenSSLConf", + "org.apache.tomcat.util.net.openssl.OpenSSLConf"); + digester.addSetProperties("Server/Service/Connector/SSLHostConfig/OpenSSLConf"); + digester.addSetNext("Server/Service/Connector/SSLHostConfig/OpenSSLConf", +"setOpenSslConf", +"org.apache.tomcat.util.net.openssl.OpenSSLConf"); + + digester.addObjectCreate("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd", + "org.apache.tomcat.util.net.openssl.OpenSSLConfCmd"); + digester.addSetProperties("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd"); + digester.addSetNext("Server/Service/Connector/SSLHostConfig/OpenSSLConf/OpenSSLConfCmd", +"addCmd", + "org.apache.tomcat.util.net.openssl.OpenSSLConfCmd"); + digester.addObjectCreate("Server/Service/Connector/Listener", null, // MUST be specified in the element "className"); Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805528&r1=1805527&r2=1805528&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Aug 19 21:32:23 2017 @@ -43,6 +43,7 @@ import org.apache.tomcat.jni.OS; import org.apache.tomcat.jni.Poll; import org.apache.tomcat.jni.Pool; import org.apache.tomcat.jni.SSL; +import org.apache.tomcat.jni.SSLConf; import org.apache.tomcat.jni.SSLContext; import org.apache.tomcat.jni.SSLContext.SNICallBack; import org.apache.tomcat.jni.SSLSocket; 
@@ -55,6 +56,7 @@ import org.apache.tomcat.util.collection import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState; import org.apache.tomcat.util.net.Acceptor.AcceptorState; import org.apache.tomcat.util.net.SSLHostConfig.Type; +import org.apache.tomcat.util.net.openssl.OpenSSLConf; import org.apache.tomcat.util.net.openssl.OpenSSLEngine; @@ -540,6 +542,51 @@ public class AprEndpoint extends Abstrac String[] protocolsArray = protocols.toArray(new String[0]); SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE); } + +long cctx; +OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf(); +if (openSslConf != null) { +// Create OpenSSLConfCmd context if used +try { +log.info(sm.getString("endpoint.apr.makeConf")); +cctx = SSLConf.make(rootPool, +SSL.SSL_CONF_FLAG_FILE | +SSL.SSL_CONF_FLAG_SERVER | +SSL.SSL_CONF_FLAG_CERTIFICATE | +SSL.SSL_CONF_FLAG_SHOW_ERRORS); +} catch (UnsatisfiedLinkEr
svn commit: r1805529 - in /tomcat/trunk/java/org/apache/tomcat/util/net: AprEndpoint.java SSLHostConfig.java openssl/OpenSSLContext.java
Author: rjung Date: Sat Aug 19 21:35:50 2017 New Revision: 1805529 URL: http://svn.apache.org/viewvc?rev=1805529&view=rev Log: Update enabledProtocols and enabledCiphers in SSLHostConfig after OpenSSLConf has been applied. This is needed, because the Manager webapp feature of listing the current enabled ciphers relies on SSLHostConfig. Unfortunately the setters in SSLHostConfig are not public and OpenSSLContext which needs to call it is in a sub package. For now I made the two setters public, any better suggestions welcome. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805529&r1=1805528&r2=1805529&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Aug 19 21:35:50 2017 
@@ -581,6 +581,31 @@ public class AprEndpoint extends Abstrac } catch (Exception e) { throw new Exception(sm.getString("endpoint.apr.errApplyConf"), e); } +// Reconfigure the enabled protocols +int opts = SSLContext.getOptions(ctx); +List enabled = new ArrayList<>(); +// Seems like there is no way to explicitly disable SSLv2Hello +// in OpenSSL so it is always enabled +enabled.add(Constants.SSL_PROTO_SSLv2Hello); +if ((opts & SSL.SSL_OP_NO_TLSv1) == 0) { +enabled.add(Constants.SSL_PROTO_TLSv1); +} +if ((opts & SSL.SSL_OP_NO_TLSv1_1) == 0) { +enabled.add(Constants.SSL_PROTO_TLSv1_1); +} +if ((opts & SSL.SSL_OP_NO_TLSv1_2) == 0) { +enabled.add(Constants.SSL_PROTO_TLSv1_2); +} +if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) { +enabled.add(Constants.SSL_PROTO_SSLv2); +} +if ((opts & SSL.SSL_OP_NO_SSLv3) == 0) { +enabled.add(Constants.SSL_PROTO_SSLv3); +} +sslHostConfig.setEnabledProtocols( +enabled.toArray(new String[enabled.size()])); +// Reconfigure the enabled ciphers +sslHostConfig.setEnabledCiphers(SSLContext.getCiphers(ctx)); } } else { cctx = 0; Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1805529&r1=1805528&r2=1805529&view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Sat Aug 19 21:35:50 2017 @@ -198,7 +198,7 @@ public class SSLHostConfig implements Se } -void setEnabledProtocols(String[] enabledProtocols) { +public void setEnabledProtocols(String[] enabledProtocols) { this.enabledProtocols = enabledProtocols; } 
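Review bot: `sslHostConfig.setEnabledCiphers(SSLContext.getCiphers(ctx))` stores whatever the native call returns, and the native `getCiphers` in r1805521 returns `NULL` when the cipher stack is empty, so `enabledCiphers` can become null here; `String[] ciphers = SSLContext.getCiphers(ctx); sslHostConfig.setEnabledCiphers(ciphers != null ? ciphers : new String[0]);` keeps the Manager's cipher listing from tripping on it. The protocol-reconstruction block from `SSLContext.getOptions` through `setEnabledProtocols` is duplicated verbatim in the OpenSSLContext.java hunk of this commit (cut off below); extracting it into one shared helper would keep the two from drifting when another `SSL_OP_NO_*` flag is added. The enclosing method starts and ends outside the hunk.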
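Review bot: Widening `setEnabledProtocols` to `public` (and `setEnabledCiphers` in the next hunk) does more than let `OpenSSLContext` call it: `SSLHostConfig` attributes are populated by the digester through `addSetProperties` (see the Catalina.java hunk of r1805528 above), so public setters likely become settable as `enabledProtocols`/`enabledCiphers` attributes in server.xml, where they would shadow the `protocols`/`ciphers` attributes the rest of the code treats as the configured intent. The commit log already calls this a stop-gap; until a package-private path exists, a Javadoc line on both setters, `Internal: set by the SSL implementation after the context is configured; not a server.xml attribute.`, makes the contract explicit.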
@@ -213,7 +213,7 @@ public class SSLHostConfig implements Se
}
-void setEnabledCiphers(String[] enabledCiphers) {
+public void setEnabledCiphers(String[] enabledCiphers) {
this.enabledCiphers = enabledCiphers;
} Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805529&r1=1805528&r2=1805529&view=diff ==
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Sat Aug 19 21:35:50 2017
@@ -397,6 +397,31 @@ public class OpenSSLContext implements o
} catch (Exception e) {
throw new SSLException(sm.getString("openssl.errApplyConf"), e);
}
+// Reconfigure the enabled protocols
+int opts = SSLContext.getOptions(ctx);
+List enabled = new ArrayList<>();
+// Seems like there is no way to explicitly disable SSLv2Hello
+// in OpenSSL so it is always enabled
+enabled.add(Constants.SSL_PROTO_SSLv2Hello);
+if ((opts & SSL.SSL_OP_NO_TLSv1) == 0) {
+enabled.add(Constants.SSL_PROTO_TLSv1);
+}
+if
Config warning when using OpenSSL config items and useOpenSSL=true
Assume tcnative and OpenSSL are available. When using the AprLifecycleListener with useOpenssl="true" (default) and useAprConnector="false" (also default) with a Java NIO or NIO2 connector and *not* setting the sslImplementationName, one gets a warning for each config item which is OpenSSL only. Since with these (default) settings the connector uses OpenSSL, the warnings don't make sense. The reason is that the config is checked very early, in particular before the AprLifecycleListener kicks in and sets the sslImplementationName to OpenSSL. I do not have a good idea how to fix this. It is not related to my commits of today. Example message: WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setConfigType The property [disableCompression] was set on the SSLHostConfig named [_default_] and is for connectors of type [OPENSSL] but the SSLHostConfig is being used with a connector of type [JSSE] Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: OpenSSL SSL_CONF_cmd API
Am 16.08.2017 um 23:38 schrieb Rainer Jung: Am 16.08.2017 um 14:45 schrieb Rainer Jung: Am 13.08.2017 um 19:37 schrieb Mark Thomas: On 13/08/17 16:42, Rainer Jung wrote: Hi, OpenSSL has an API named SSL_CONF_cmd. The API allows applications using OpenSSL to no longer implement an application-specific configuration option per OpenSSL config feature the app wants to support, but instead to use a more generic approach. The API can be seen here (it was added in 1.0.2, but also exists in 1.1.0): https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html mod_ssl in httpd already supports that API: http://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslopensslconfcmd The API can be fed with pairs of command names and values. If we would like to support this, we would have to find an appropriate approach for supporting name/value pairs in our config. I'd say server.xml (and every XML based file) isn't appropriate. Is there any interest in supporting SSL_CONF_cmd? If so, should we a) create a new file, e.g. conf/openssl.properties or b) pack new properties into catalina.properties, probably with a common prefix "openssl.conf.cmd."? And if catalina.properties, should we add the properties also to the Java system properties or filter them? Or maybe the other way round: extract all system properties named openssl.conf.cmd.* and use them? If we would want to support different settings per connector or SSLHostConfig, we would instead need a properties file per connector or SSLHostConfig, so probably an XML attribute opensslConfCmdFile="..." and read the properties from there. Any opinion? I like the idea of not having to replicate OpenSSL setters and getters in Java and C. I think the configuration needs to be per SSLHostConfig. I was thinking of something along the lines of IntrospectionUtils that was passed the attribute name and value from the XML and then called the appropriate API. If the attributes had a common prefix (openssl.cmd...) 
then identifying the name/value pairs should be fairly easy. Haven't thought about how this might integrate with the current code. I think implementation of handling the specific SSL_CONF_cmd attributes would be easier (and cleaner) if we introduce another SSLHostConfig sub element (analogous to the existing sub element), e.g. named OpenSSLConf, and each attribute there gets set by calling a generic method using key and value as args instead of a key-specific attribute setter. That's most likely easier to implement with Digester and produces less config magic, plus we no longer need such an attribute name prefix. It is implicit in the new sub element. I'll try to do a prototype later and, if it works, already include the needed native calls in tcnative, so that we'll have something in 1.2.13 that we can build upon. Since at config parsing time we do not yet have the SSL context available that needs to be passed when calling SSL_CONF_cmd(), we would need to store the list of key/values during config parse time and then later, when creating the SSL context, apply them. That is quite similar to what happens in mod_ssl. Storing the list would be easier in the Java world and keep the native part simpler. In addition to the SSL_CONF_cmd() calls when actually setting up the SSL context, we could do some checks for the key/value pairs already during config parse time using SSL_CONF_cmd_value_type() and code similar to mod_ssl (ssl_cmd_SSLOpenSSLConfCmd). There seems to be a conceptual problem. The order of attributes seems to not be well-defined, but the order of SSL_CONF_cmd executions can be relevant, so we should aim at getting the commands in the order they have been put into the config file. I guess we need the more ugly config style (beneath SSLHostConfig): ... since elements should already get processed in an ordered way. I added the functionality today to tcnative and TC 9. 
Currently, when you try to use it, it checks for UnsatisfiedLinkError because we can't yet assume a tcnative version is present that already contains that functionality. You need to build it from tcnative trunk to get it. An example would be (it is just meant to show the principles). Docs for the supported names (varying by OpenSSL version): https://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html https://www.openssl.org/docs/man1.1.0/ssl/SSL_CONF_cmd.html https://www.openssl.org/docs/manmaster/man3/SSL_CONF_cmd.html Look for "SUPPORTED CONFIGURATION FILE COMMANDS" Some remarks: - storeconfig support is still missing - docs are missing; a simple example and a warning that if your "normal" attributes and OpenSSLConf are in conflict you might get unexpected results (although in general OpenSSLConf, since it is applied later, simply overrides) - tests are missing - I had to make two methods in SSLHostConfig public, see the log for r1805529 - during testing I observed that we continuously reconfigure the SSL objects when using a Java connector w
svn commit: r1805530 - in /tomcat/trunk/java/org/apache/tomcat/util/net: AprEndpoint.java openssl/OpenSSLContext.java
Author: rjung Date: Sat Aug 19 22:20:56 2017 New Revision: 1805530 URL: http://svn.apache.org/viewvc?rev=1805530&view=rev Log: Tone down log message for new OpenSSLConf from info to debug. Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1805530&r1=1805529&r2=1805530&view=diff ==
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Sat Aug 19 22:20:56 2017
@@ -548,7 +548,8 @@ public class AprEndpoint extends Abstrac
if (openSslConf != null) {
// Create OpenSSLConfCmd context if used
try {
-log.info(sm.getString("endpoint.apr.makeConf"));
+if (log.isDebugEnabled())
+log.debug(sm.getString("endpoint.apr.makeConf"));
cctx = SSLConf.make(rootPool,
SSL.SSL_CONF_FLAG_FILE |
SSL.SSL_CONF_FLAG_SERVER |
@@ -562,7 +563,8 @@ public class AprEndpoint extends Abstrac
}
if (cctx != 0) {
// Check OpenSSLConfCmd if used
-log.info(sm.getString("endpoint.apr.checkConf"));
+if (log.isDebugEnabled())
+log.debug(sm.getString("endpoint.apr.checkConf"));
try {
if (!openSslConf.check(cctx)) {
log.error(sm.getString("endpoint.apr.errCheckConf"));
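Review bot: The added `if (log.isDebugEnabled())` guard in the @@ -548 hunk wraps its single log.debug statement without braces, while every other if in these hunks (`if (openSslConf != null) {`, `if (cctx != 0) {`, `if (!openSslConf.check(cctx)) {`) is braced; the same shape appears in the @@ -562 and @@ -572 hunks of AprEndpoint and the @@ -120, @@ -379 and @@ -388 hunks of OpenSSLContext in this commit. Writing it as `if (log.isDebugEnabled()) {` / `log.debug(sm.getString("endpoint.apr.makeConf"));` / `}` keeps the style consistent and prevents a later statement from silently landing outside the guard. The enclosing method starts before this hunk.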
@@ -572,7 +574,8 @@ public class AprEndpoint extends Abstrac
throw new Exception(sm.getString("endpoint.apr.errCheckConf"), e);
}
// Apply OpenSSLConfCmd if used
-log.info(sm.getString("endpoint.apr.applyConf"));
+if (log.isDebugEnabled())
+log.debug(sm.getString("endpoint.apr.applyConf"));
try {
if (!openSslConf.apply(cctx, ctx)) {
log.error(sm.getString("endpoint.apr.errApplyConf")); Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1805530&r1=1805529&r2=1805530&view=diff ==
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Sat Aug 19 22:20:56 2017
@@ -120,7 +120,8 @@ public class OpenSSLContext implements o
OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
if (openSslConf != null) {
try {
-log.info(sm.getString("openssl.makeConf"));
+if (log.isDebugEnabled())
+log.debug(sm.getString("openssl.makeConf"));
cctx = SSLConf.make(aprPool,
SSL.SSL_CONF_FLAG_FILE |
SSL.SSL_CONF_FLAG_SERVER |
@@ -379,7 +380,8 @@ public class OpenSSLContext implements o
OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
if (openSslConf != null && cctx != 0) {
// Check OpenSSLConfCmd if used
-log.info(sm.getString("openssl.checkConf"));
+if (log.isDebugEnabled())
+log.debug(sm.getString("openssl.checkConf"));
try {
if (!openSslConf.check(cctx)) {
log.error(sm.getString("openssl.errCheckConf"));
@@ -388,7 +390,8 @@ public class OpenSSLContext implements o
} catch (Exception e) {
throw new Exception(sm.getString("openssl.errCheckConf"), e);
}
-log.info(sm.getString("openssl.applyConf"));
+if (log.isDebugEnabled())
+log.debug(sm.getString("openssl.applyConf"));
try {
if (!openSslConf.apply(cctx, ctx)) {
log.error(sm.getString("openssl.errApplyConf")); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org