tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1677006 - in /tomcat/trunk: java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ webapps/docs/config/
Date Thu, 30 Apr 2015 14:33:59 GMT
Author: markt
Date: Thu Apr 30 14:33:58 2015
New Revision: 1677006

URL: http://svn.apache.org/r1677006
Log:
Move clientAuth/verifyClient to SSLHostConfig

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
    tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Thu Apr 30
14:33:58 2015
@@ -25,9 +25,6 @@ public abstract class AbstractHttp11Jsse
         super(endpoint);
     }
 
-    public String getClientAuth() { return getEndpoint().getClientAuth();}
-    public void setClientAuth(String s ) { getEndpoint().setClientAuth(s);}
-
     public String getKeystorePass() { return getEndpoint().getKeystorePass();}
     public void setKeystorePass(String s ) { getEndpoint().setKeystorePass(s);}
 

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu Apr 30 14:33:58
2015
@@ -356,6 +356,9 @@ public abstract class AbstractHttp11Prot
     }
 
 
+    // TODO: All of these SSL setters can be removed once it is no longer
+    // necessary to support the old configuration attributes (Tomcat 10?).
+
     public void setSslEnabledProtocols(String enabledProtocols) {
         registerDefaultSSLHostConfig();
         defaultSSLHostConfig.setProtocols(enabledProtocols);
@@ -384,6 +387,16 @@ public abstract class AbstractHttp11Prot
         defaultSSLHostConfig.setKeyManagerAlgorithm(keyManagerAlgorithm);
     }
 
+    public void setClientAuth(String certificateVerification) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateVerification(certificateVerification);
+    }
+
+    public void setSSLVerifyClient(String certificateVerification) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateVerification(certificateVerification);
+    }
+
 
     // ------------------------------------------------------------- Common code
 

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Apr 30 14:33:58
2015
@@ -133,13 +133,6 @@ public class Http11AprProtocol extends A
 
 
     /**
-     * SSL verify client.
-     */
-    public String getSSLVerifyClient() { return ((AprEndpoint)getEndpoint()).getSSLVerifyClient();
}
-    public void setSSLVerifyClient(String SSLVerifyClient) { ((AprEndpoint)getEndpoint()).setSSLVerifyClient(SSLVerifyClient);
}
-
-
-    /**
      * SSL verify depth.
      */
     public int getSSLVerifyDepth() { return ((AprEndpoint)getEndpoint()).getSSLVerifyDepth();
}

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Apr 30 14:33:58
2015
@@ -984,10 +984,6 @@ public abstract class AbstractEndpoint<S
         this.sslImplementationName = s;
     }
 
-    private String clientAuth = "false";
-    public String getClientAuth() { return clientAuth;}
-    public void setClientAuth(String s ) { this.clientAuth = s;}
-
     private String keystorePass = null;
     public String getKeystorePass() { return keystorePass;}
     public void setKeystorePass(String s ) { this.keystorePass = s;}

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu Apr 30 14:33:58
2015
@@ -81,13 +81,18 @@ public abstract class AbstractJsseEndpoi
         }
 
         SSLEngine engine = sslContextWrapper.getSSLContext().createSSLEngine();
-        if ("false".equals(getClientAuth())) {
+        switch (sslHostConfig.getCertificateVerification()) {
+        case NONE:
             engine.setNeedClientAuth(false);
             engine.setWantClientAuth(false);
-        } else if ("true".equals(getClientAuth()) || "yes".equals(getClientAuth())){
-            engine.setNeedClientAuth(true);
-        } else if ("want".equals(getClientAuth())) {
+            break;
+        case OPTIONAL:
+        case OPTIONAL_NO_CA:
             engine.setWantClientAuth(true);
+            break;
+        case REQUIRED:
+            engine.setNeedClientAuth(true);
+            break;
         }
         engine.setUseClientMode(false);
         engine.setEnabledCipherSuites(sslContextWrapper.getEnabledCiphers());

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Apr 30 14:33:58 2015
@@ -272,14 +272,6 @@ public class AprEndpoint extends Abstrac
     public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets) { this.SSLDisableSessionTickets
= SSLDisableSessionTickets; }
 
     /**
-     * SSL verify client.
-     */
-    protected String SSLVerifyClient = "none";
-    public String getSSLVerifyClient() { return SSLVerifyClient; }
-    public void setSSLVerifyClient(String SSLVerifyClient) { this.SSLVerifyClient = SSLVerifyClient;
}
-
-
-    /**
      * SSL verify depth.
      */
     protected int SSLVerifyDepth = 10;
@@ -611,13 +603,19 @@ public class AprEndpoint extends Abstrac
                 // Set revocation
                 SSLContext.setCARevocation(ctx, SSLCARevocationFile, SSLCARevocationPath);
                 // Client certificate verification
-                value = SSL.SSL_CVERIFY_NONE;
-                if ("optional".equalsIgnoreCase(SSLVerifyClient)) {
+                switch (sslHostConfig.getCertificateVerification()) {
+                case NONE:
+                    value = SSL.SSL_CVERIFY_NONE;
+                    break;
+                case OPTIONAL:
                     value = SSL.SSL_CVERIFY_OPTIONAL;
-                } else if ("require".equalsIgnoreCase(SSLVerifyClient)) {
-                    value = SSL.SSL_CVERIFY_REQUIRE;
-                } else if ("optionalNoCA".equalsIgnoreCase(SSLVerifyClient)) {
+                    break;
+                case OPTIONAL_NO_CA:
                     value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
+                    break;
+                case REQUIRED:
+                    value = SSL.SSL_CVERIFY_REQUIRE;
+                    break;
                 }
                 SSLContext.setVerify(ctx, value, SSLVerifyDepth);
                 // For now, sendfile is not supported with SSL

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Thu Apr 30 14:33:58
2015
@@ -110,4 +110,5 @@ socket.apr.read.sslGeneralError=An APR g
 socket.apr.write.error=Unexpected error [{0}] writing data to the APR/native socket [{1}]
with wrapper [{2}].
 socket.apr.closed=The socket [{0}] associated with this connection has been closed.
 
+sslHostConfig.certificateVerificationInvalid=The certificate verification value [{0}] is
not recognised
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] but this
property is for connectors of type [{2}] by the SSLHostConfig is being used with a connector
of type [{3}]
\ No newline at end of file

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Apr 30 14:33:58 2015
@@ -44,6 +44,8 @@ public class SSLHostConfig {
     // Configuration properties
 
     // Common
+    private CertificateVerification certificateVerification = CertificateVerification.NONE;
+
     private Set<String> protocols = new HashSet<>();
     // JSSE
     private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
@@ -99,6 +101,16 @@ public class SSLHostConfig {
 
     // ----------------------------------------- Common configuration properties
 
+    public void setCertificateVerification(String certificateVerification) {
+        this.certificateVerification = CertificateVerification.fromString(certificateVerification);
+    }
+
+
+    public CertificateVerification getCertificateVerification() {
+        return certificateVerification;
+    }
+
+
     public void setHostName(String hostName) {
         this.hostName = hostName;
     }
@@ -189,4 +201,37 @@ public class SSLHostConfig {
         JSSE,
         OPENSSL
     }
+
+
+    public static enum CertificateVerification {
+        NONE,
+        OPTIONAL_NO_CA,
+        OPTIONAL,
+        REQUIRED;
+
+        public static CertificateVerification fromString(String value) {
+            if ("true".equalsIgnoreCase(value) ||
+                    "yes".equalsIgnoreCase(value) ||
+                    "require".equalsIgnoreCase(value) ||
+                    "required".equalsIgnoreCase(value)) {
+                return REQUIRED;
+            } else if ("optional".equalsIgnoreCase(value) ||
+                    "want".equalsIgnoreCase(value)) {
+                return OPTIONAL;
+            } else if ("optionalNoCA".equalsIgnoreCase(value) ||
+                    "optional_no_ca".equalsIgnoreCase(value)) {
+                return OPTIONAL_NO_CA;
+            } else if ("false".equalsIgnoreCase(value) ||
+                    "no".equalsIgnoreCase(value) ||
+                    "none".equalsIgnoreCase(value)) {
+                return NONE;
+            } else {
+                // Could be a typo. Don't default to NONE since that is not
+                // secure. Force user to fix config. Could default to REQUIRED
+                // instead.
+                throw new IllegalArgumentException(
+                        sm.getString("sslHostConfig.certificateVerificationInvalid", value));
+            }
+        }
+    }
 }

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677006&r1=1677005&r2=1677006&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Apr 30 14:33:58 2015
@@ -1065,6 +1065,20 @@
       RECOMMENDED).</p>
     </attribute>
 
+    <attribute name="certificateVerification" required="false">
+      <p>Set to <code>required</code> if you want the SSL stack to require
a
+      valid certificate chain from the client before accepting a connection.
+      Set to <code>optional</code> if you want the SSL stack to request a client
+      Certificate, but not fail if one isn't presented. Set to
+      <code>optionalNoCA</code> if you want client certificates to be optional
+      and you don't want Tomcat to check them against the list of trusted CAs.
+      If the TLS provider doesn't support this option (OpenSSL does, JSSE does
+      not) it is treated as if <code>optional</code> was specified. A
+      <code>none</code> value (which is the default) will not require a
+      certificate chain unless the client requests a resource protected by a
+      security constraint that uses <code>CLIENT-CERT</code> authentication.</p>
+    </attribute>
+
     <attribute name="hostName" required="false">
       <p>The name of the SSL Host. This should either be the fully qualified
       domain name (e.g. <code>tomcat.apache.org</code>) or a wild card domain
@@ -1142,13 +1156,9 @@
     </attribute>
 
     <attribute name="clientAuth" required="false">
-      <p>Set to <code>true</code> if you want the SSL stack to require
a
-      valid certificate chain from the client before accepting a connection.
-      Set to <code>want</code> if you want the SSL stack to request a client
-      Certificate, but not fail if one isn't presented. A <code>false</code>
-      value (which is the default) will not require a certificate chain
-      unless the client requests a resource protected by a security
-      constraint that uses <code>CLIENT-CERT</code> authentication.</p>
+      <p>This is an alias for the <code>certificateValidation</code> attribute
+      of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+      element.</p>
     </attribute>
 
     <attribute name="clientCertProvider" required="false">
@@ -1425,9 +1435,9 @@
     </attribute>
 
     <attribute name="SSLVerifyClient" required="false">
-      <p>Ask client for certificate. The default is "none", meaning the client
-      will not have the opportunity to submit a certificate. Other acceptable
-      values include "optional", "require" and "optionalNoCA".</p>
+      <p>This is an alias for the <code>certificateValidation</code> attribute
+      of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+      element.</p>
     </attribute>
 
     <attribute name="SSLVerifyDepth" required="false">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message