Subject: svn commit: r882231 - in /tomcat/trunk: java/org/apache/catalina/connector/ java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ webapps/docs/config/
Date: Thu, 19 Nov 2009 18:00:09 -0000
To: dev@tomcat.apache.org
From: markt@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20091119180010.2E41123889C9@eris.apache.org>
Author: markt
Date: Thu Nov 19 18:00:09 2009
New Revision: 882231
URL: http://svn.apache.org/viewvc?rev=882231&view=rev
Log:
Fix SSL for BIO post refactoring
Make attribute names consistent
Endpoints are now responsible for configuring the SSL "engine"
Basics work but still needs more testing
NIO & APR to follow
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/catalina/connector/Connector.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Connector.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Connector.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Connector.java Thu Nov 19 18:00:09 2009
@@ -284,12 +284,8 @@
replacements.put("connectionLinger", "soLinger");
replacements.put("connectionTimeout", "soTimeout");
replacements.put("connectionUploadTimeout", "timeout");
- replacements.put("clientAuth", "clientauth");
- replacements.put("keystoreFile", "keystore");
replacements.put("randomFile", "randomfile");
replacements.put("rootFile", "rootfile");
- replacements.put("keystorePass", "keypass");
- replacements.put("keystoreType", "keytype");
replacements.put("sslProtocols", "protocols");
}
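Review bot: dropping the "clientauth", "keystore", "keypass" and "keytype" replacements means existing server.xml files that use those lower-case names stop being mapped to the camelCase setters, and a keystore password or client-auth setting given under the old name would no longer be applied. If the intent is to retire the aliases, the change needs a changelog/docs entry; otherwise keep the four `replacements.put(...)` lines for a deprecation period. Note also that `replacements.put("sslProtocols", "protocols")` is kept while the `sslEnabledProtocols` handling is removed in AbstractEndpoint.java below; check that the "protocols" target still exists.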
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu Nov 19 18:00:09 2009
@@ -325,49 +325,68 @@
public int getSoLinger() { return endpoint.getSoLinger(); }
public void setSoLinger(int soLinger) { endpoint.setSoLinger(soLinger); }
+ // JSSE SSL attrbutes
+ public String getAlgorithm() { return endpoint.getAlgorithm();}
+ public void setAlgorithm(String s ) { endpoint.setAlgorithm(s);}
+ public String getClientAuth() { return endpoint.getClientAuth();}
+ public void setClientAuth(String s ) { endpoint.setClientAuth(s);}
+
public String getKeystoreFile() { return endpoint.getKeystoreFile();}
public void setKeystoreFile(String s ) { endpoint.setKeystoreFile(s);}
- public void setKeystore(String s) { setKeystoreFile(s);}
- public String getKeystore(){ return getKeystoreFile();}
- public String getKeyAlias() { return (endpoint).getKeyAlias();}
- public void setKeyAlias(String s ) { (endpoint).setKeyAlias(s);}
-
-
- public String getAlgorithm() { return (endpoint).getAlgorithm();}
- public void setAlgorithm(String s ) { (endpoint).setAlgorithm(s);}
-
- public void setClientauth(String s) {setClientAuth(s);}
- public String getClientauth(){ return getClientAuth();}
- public String getClientAuth() { return (endpoint).getClientAuth();}
- public void setClientAuth(String s ) { (endpoint).setClientAuth(s);}
-
- public String getKeystorePass() { return (endpoint).getKeystorePass();}
- public void setKeystorePass(String s ) { (endpoint).setKeystorePass(s);}
- public void setKeypass(String s) { setKeystorePass(s);}
- public String getKeypass() { return getKeystorePass();}
- public String getKeystoreType() { return (endpoint).getKeystoreType();}
- public void setKeystoreType(String s ) { (endpoint).setKeystoreType(s);}
- public String getKeytype() { return getKeystoreType();}
- public void setKeytype(String s ) { setKeystoreType(s);}
-
- public void setTruststoreFile(String f){(endpoint).setTruststoreFile(f);}
- public String getTruststoreFile(){return (endpoint).getTruststoreFile();}
- public void setTruststorePass(String p){(endpoint).setTruststorePass(p);}
- public String getTruststorePass(){return (endpoint).getTruststorePass();}
- public void setTruststoreType(String t){(endpoint).setTruststoreType(t);}
- public String getTruststoreType(){ return (endpoint).getTruststoreType();}
+
+ public String getKeystorePass() { return endpoint.getKeystorePass();}
+ public void setKeystorePass(String s ) { endpoint.setKeystorePass(s);}
+ public String getKeystoreType() { return endpoint.getKeystoreType();}
+ public void setKeystoreType(String s ) { endpoint.setKeystoreType(s);}
+
+ public String getKeystoreProvider() { return endpoint.getKeystoreProvider();}
+ public void setKeystoreProvider(String s ) { endpoint.setKeystoreProvider(s);}
+
+ public String getSslProtocol() { return endpoint.getSslProtocol();}
+ public void setSslProtocol(String s) { endpoint.setSslProtocol(s);}
- public String getSslProtocol() { return (endpoint).getSslProtocol();}
- public void setSslProtocol(String s) { (endpoint).setSslProtocol(s);}
+ public String getCiphers() { return endpoint.getCiphers();}
+ public void setCiphers(String s) { endpoint.setCiphers(s);}
+
+ public String getKeyAlias() { return endpoint.getKeyAlias();}
+ public void setKeyAlias(String s ) { endpoint.setKeyAlias(s);}
+
+ public String getKeyPass() { return endpoint.getKeyPass();}
+ public void setKeyPass(String s ) { endpoint.setKeyPass(s);}
- public String getCiphers() { return (endpoint).getCiphers();}
- public void setCiphers(String s) { (endpoint).setCiphers(s);}
+ public void setTruststoreFile(String f){ endpoint.setTruststoreFile(f);}
+ public String getTruststoreFile(){ return endpoint.getTruststoreFile();}
+
+ public void setTruststorePass(String p){ endpoint.setTruststorePass(p);}
+ public String getTruststorePass(){return endpoint.getTruststorePass();}
+
+ public void setTruststoreType(String t){ endpoint.setTruststoreType(t);}
+ public String getTruststoreType(){ return endpoint.getTruststoreType();}
+
+ public void setTruststoreProvider(String t){endpoint.setTruststoreProvider(t);}
+ public String getTruststoreProvider(){ return endpoint.getTruststoreProvider();}
+
+ public void setTruststoreAlgorithm(String a){endpoint.setTruststoreAlgorithm(a);}
+ public String getTruststoreAlgorithm(){ return endpoint.getTruststoreAlgorithm();}
+
+ public void setTrustMaxCertLength(String s){endpoint.setTrustMaxCertLength(s);}
+ public String getTrustMaxCertLength(){ return endpoint.getTrustMaxCertLength();}
+
+ public void setCrlFile(String s){endpoint.setCrlFile(s);}
+ public String getCrlFile(){ return endpoint.getCrlFile();}
+ public void setSessionCacheSize(String s){endpoint.setSessionCacheSize(s);}
+ public String getSessionCacheSize(){ return endpoint.getTruststoreAlgorithm();}
+ public void setSessionTimeout(String s){endpoint.setTruststoreAlgorithm(s);}
+ public String getSessionTimeout(){ return endpoint.getTruststoreAlgorithm();}
+
+
public abstract void init() throws Exception;
public abstract void start() throws Exception;
+
// -------------------- JMX related methods --------------------
// *
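Review bot: copy-paste errors in the new session accessors: `getSessionCacheSize()` returns `endpoint.getTruststoreAlgorithm()`, and `setSessionTimeout(s)` / `getSessionTimeout()` call `endpoint.setTruststoreAlgorithm(s)` / `endpoint.getTruststoreAlgorithm()`, so a configured sessionTimeout would silently overwrite the truststore algorithm and neither session value would be reported correctly over JMX. They should delegate to `endpoint.getSessionCacheSize()`, `endpoint.setSessionTimeout(s)` and `endpoint.getSessionTimeout()`. Minor: "attrbutes" in the new comment.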
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=882231&r1=882230&r2=882231&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Nov 19 18:00:09 2009
@@ -77,7 +77,40 @@
public enum SocketState {
OPEN, CLOSED, LONG
}
- }
+ }
+
+ // Standard SSL Configuration attributes
+ // JSSE
+ // Standard configuration attribute names
+ public static final String SSL_ATTR_ALGORITHM = "algorithm";
+ public static final String SSL_ATTR_CLIENT_AUTH = "clientAuth";
+ public static final String SSL_ATTR_KEYSTORE_FILE = "keystoreFile";
+ public static final String SSL_ATTR_KEYSTORE_PASS = "keystorePass";
+ public static final String SSL_ATTR_KEYSTORE_TYPE = "keystoreType";
+ public static final String SSL_ATTR_KEYSTORE_PROVIDER = "keystoreProvider";
+ public static final String SSL_ATTR_SSL_PROTOCOL = "sslProtocol";
+ public static final String SSL_ATTR_CIPHERS = "ciphers";
+ public static final String SSL_ATTR_CIPHERS_ARRAY = "ciphersArray";
+ public static final String SSL_ATTR_KEY_ALIAS = "keyAlias";
+ public static final String SSL_ATTR_KEY_PASS = "keyPass";
+ public static final String SSL_ATTR_TRUSTSTORE_FILE = "truststoreFile";
+ public static final String SSL_ATTR_TRUSTSTORE_PASS = "truststorePass";
+ public static final String SSL_ATTR_TRUSTSTORE_TYPE = "truststoreType";
+ public static final String SSL_ATTR_TRUSTSTORE_PROVIDER =
+ "truststoreProvider";
+ public static final String SSL_ATTR_TRUSTSTORE_ALGORITHM =
+ "truststoreAlgorithm";
+ public static final String SSL_ATTR_CRL_FILE =
+ "crlFile";
+ public static final String SSL_ATTR_TRUST_MAX_CERT_LENGTH =
+ "trustMaxCertLength";
+ public static final String SSL_ATTR_SESSION_CACHE_SIZE =
+ "sessionCacheSize";
+ public static final String SSL_ATTR_SESSION_TIMEOUT =
+ "sessionTimeout";
+ public static final String SSL_ATTR_ALLOW_UNSAFE_RENEG =
+ "allowUnsafeLegacyRenegotiation";
+
// ----------------------------------------------------------------- Fields
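Review bot: the three stacked comment lines ("Standard SSL Configuration attributes", "JSSE", "Standard configuration attribute names") say the same thing; one comment stating that these are the attribute names the endpoints use when configuring the SSL engine (the behaviour the log message describes) would be clearer. `SSL_ATTR_CIPHERS_ARRAY = "ciphersArray"` sits among user-facing attribute names but no accessor for it is added in AbstractHttp11Protocol.java; if it is an internally derived value, say so in a comment so it is not documented as a configurable attribute.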
@@ -414,36 +447,11 @@
public String defaultIfNull(String val, String defaultValue) {
if (val==null) return defaultValue;
- else return val;
+ return val;
}
+
// -------------------- SSL related properties --------------------
- private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
- public void setTruststoreFile(String s) {
- s = adjustRelativePath(s,System.getProperty("catalina.base"));
- this.truststoreFile = s;
- }
- public String getTruststoreFile() {return truststoreFile;}
- private String truststorePass = System.getProperty("javax.net.ssl.trustStorePassword");
- public void setTruststorePass(String truststorePass) {this.truststorePass = truststorePass;}
- public String getTruststorePass() {return truststorePass;}
- private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
- public void setTruststoreType(String truststoreType) {this.truststoreType = truststoreType;}
- public String getTruststoreType() {return truststoreType;}
- private String keystoreFile = System.getProperty("user.home")+"/.keystore";
- public String getKeystoreFile() { return keystoreFile;}
- public void setKeystoreFile(String s ) {
- s = adjustRelativePath(s,System.getProperty("catalina.base"));
- this.keystoreFile = s;
- }
- public void setKeystore(String s ) { setKeystoreFile(s);}
- public String getKeystore() { return getKeystoreFile();}
-
- private String keyAlias = null;
- public String getKeyAlias() { return keyAlias;}
- public void setKeyAlias(String s ) { keyAlias = s;}
-
-
private String algorithm = "SunX509";
public String getAlgorithm() { return algorithm;}
public void setAlgorithm(String s ) { this.algorithm = s;}
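Review bot: the removed `setTruststoreFile` normalised relative paths with `adjustRelativePath(s, System.getProperty("catalina.base"))` and the field defaulted from `javax.net.ssl.trustStore` (likewise `javax.net.ssl.trustStorePassword` and `javax.net.ssl.trustStoreType`). Wherever these properties now live (not in this message), confirm both behaviours survive; otherwise a relative truststoreFile in server.xml resolves against the JVM working directory and the JSSE system-property defaults are lost.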
@@ -452,7 +460,14 @@
public String getClientAuth() { return clientAuth;}
public void setClientAuth(String s ) { this.clientAuth = s;}
- private String keystorePass = "changeit";
+ private String keystoreFile = System.getProperty("user.home")+"/.keystore";
+ public String getKeystoreFile() { return keystoreFile;}
+ public void setKeystoreFile(String s ) {
+ String file = adjustRelativePath(s,System.getProperty("catalina.base"));
+ this.keystoreFile = file;
+ }
+
+ private String keystorePass = null;
public String getKeystorePass() { return keystorePass;}
public void setKeystorePass(String s ) { this.keystorePass = s;}
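Review bot: the default for `keystorePass` changes from "changeit" to null. The http.xml change in this commit documents the new default as the value of keyPass, so the code that opens the keystore must resolve null keystorePass to keyPass (and keyPass to its own "changeit" default); that fallback is not visible here, and a null password passed straight to KeyStore.load would fail for password-protected stores. The `String file = adjustRelativePath(...)` rewrite of `setKeystoreFile` is fine.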
@@ -460,20 +475,16 @@
public String getKeystoreType() { return keystoreType;}
public void setKeystoreType(String s ) { this.keystoreType = s;}
+ private String keystoreProvider = null;
+ public String getKeystoreProvider() { return keystoreProvider;}
+ public void setKeystoreProvider(String s ) { this.keystoreProvider = s;}
+
private String sslProtocol = "TLS";
public String getSslProtocol() { return sslProtocol;}
public void setSslProtocol(String s) { sslProtocol = s;}
- private String sslEnabledProtocols=null; //"TLSv1,SSLv3,SSLv2Hello"
- private String[] sslEnabledProtocolsarr = new String[0];
- public String[] getSslEnabledProtocolsArray() { return this.sslEnabledProtocolsarr;}
- public void setSslEnabledProtocols(String s) {
- this.sslEnabledProtocols = s;
- StringTokenizer t = new StringTokenizer(s,",");
- sslEnabledProtocolsarr = new String[t.countTokens()];
- for (int i=0; i
- The password used to access the server certificate from the
- specified keystore file. The default value is "changeit
".
+
The password used to access the specified keystore file. The default
+ value is the value of the keyPass
attribute.
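Review bot: removing `sslEnabledProtocols` and its tokenised `sslEnabledProtocolsarr` leaves only `sslProtocol` ("TLS", the SSLContext algorithm), so there is no longer a visible way to restrict the enabled protocol versions (the removed comment shows the old form, "TLSv1,SSLv3,SSLv2Hello"). Given the log says the work still needs testing, either reinstate an attribute for the enabled-protocol list or record its removal in the docs. This hunk is also truncated in the archived message at `for (int i=0; i`, and the JIoEndpoint.java, NioEndpoint.java and JSSESocketFactory.java diffs listed under "Modified:" are missing.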
@@ -750,6 +750,12 @@
specified the first key read in the keystore will be used.
+
+ The password used to access the server certificate from the
+ specified keystore file. The default value is "changeit
".
+
+
+
The TrustStore file to use to validate client certificates.
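Review bot: the keyPass entry moved here keeps the "changeit" default while the keystorePass entry above now defaults to keyPass; the text should make the relationship explicit (keyPass protects the key entry, keystorePass protects the store, and the latter falls back to the former), since with the Java change keystorePass is null unless set.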
@@ -772,6 +778,25 @@
+
+ The algorithm to use for truststore. If not specified, the default
+ value returned by
+ javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()
is
+ used.
+
+
+
+ The certificate revocation list to be used to verify client
+ certificates. If not defined, client certificates will not be checked
+ against a certificate revocation list.
+
+
+
+ The maximum number of intermediate certificates that will be allowed
+ when validating client certificates. If not specified, the default value
+ of 5 will be used.
+
+
The number of SSL sessions to maintain in the session cache. Use 0 to
specify an unlimited cache size. If not specified, a default of 0 is
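Review bot: trustMaxCertLength is documented with a numeric default of 5, but the accessors added in AbstractHttp11Protocol.java (`setTrustMaxCertLength(String s)` / `getTrustMaxCertLength()`) take and return String; state the attribute type (integer) here, and have the setter validate it, so a malformed value is rejected at configuration time rather than when the trust manager is built.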
@@ -784,11 +809,6 @@
default of 86400 (24 hours) is used.
-
- The certificate revocation list file to use to validate client
- certificates.
-
-
Is unsafe legacy TLS renegotiation allowed which is likely to expose
users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
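Review bot: the removed crlFile entry is superseded by the fuller one in the previous hunk, so that is fine. Separately, `SSL_ATTR_ALLOW_UNSAFE_RENEG` ("allowUnsafeLegacyRenegotiation") is added in AbstractEndpoint.java but the accessor block added in AbstractHttp11Protocol.java has no matching get/set method; confirm the attribute documented in this context (the CVE-2009-3555 mitigation) is still reachable from server.xml after the refactoring.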