tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1749978 - in /tomcat/trunk: java/org/apache/tomcat/util/net/ test/org/apache/tomcat/util/net/ webapps/docs/
Date Thu, 23 Jun 2016 19:11:56 GMT
Author: markt
Date: Thu Jun 23 19:11:56 2016
New Revision: 1749978

URL: http://svn.apache.org/viewvc?rev=1749978&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59233
Add the ability to add TLS virtual hosts dynamically

Added:
    tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java   (with
props)
Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Jun 23 19:11:56
2016
@@ -22,9 +22,9 @@ import java.net.InetSocketAddress;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.Executor;
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -197,23 +197,48 @@ public abstract class AbstractEndpoint<S
     }
 
 
-    protected Map<String,SSLHostConfig> sslHostConfigs = new ConcurrentHashMap<>();
-    public void addSslHostConfig(SSLHostConfig sslHostConfig) {
+    protected ConcurrentMap<String,SSLHostConfig> sslHostConfigs = new ConcurrentHashMap<>();
+    public void addSslHostConfig(SSLHostConfig sslHostConfig) throws IllegalArgumentException
{
         String key = sslHostConfig.getHostName();
         if (key == null || key.length() == 0) {
             throw new IllegalArgumentException(sm.getString("endpoint.noSslHostName"));
         }
-        SSLHostConfig duplicate = sslHostConfigs.put(key, sslHostConfig);
+        sslHostConfig.setConfigType(getSslConfigType());
+        if (bindState != BindState.UNBOUND) {
+            try {
+                createSSLContext(sslHostConfig);
+            } catch (Exception e) {
+                throw new IllegalArgumentException(e);
+            }
+        }
+        SSLHostConfig duplicate = sslHostConfigs.putIfAbsent(key, sslHostConfig);
         if (duplicate != null) {
+            releaseSSLContext(sslHostConfig);
             throw new IllegalArgumentException(sm.getString("endpoint.duplicateSslHostName",
key));
         }
-        sslHostConfig.setConfigType(getSslConfigType());
     }
     public SSLHostConfig[] findSslHostConfigs() {
         return sslHostConfigs.values().toArray(new SSLHostConfig[0]);
     }
+
     protected abstract SSLHostConfig.Type getSslConfigType();
 
+    /**
+     * Create the SSLContextfor the the given SSLHostConfig.
+     *
+     * @param sslHostConfig The SSLHostConfig for which the SSLContext should be
+     *                      created
+     */
+    protected abstract void createSSLContext(SSLHostConfig sslHostConfig) throws Exception;
+
+    /**
+     * Release the SSLContext, if any, associated with the SSLHostConfig.
+     *
+     * @param sslHostConfig The SSLHostConfig for which the SSLContext should be
+     *                      released
+     */
+    protected abstract void releaseSSLContext(SSLHostConfig sslHostConfig);
+
     protected SSLHostConfig getSSLHostConfig(String sniHostName) {
         SSLHostConfig result = null;
 
@@ -376,7 +401,7 @@ public abstract class AbstractEndpoint<S
     private boolean bindOnInit = true;
     public boolean getBindOnInit() { return bindOnInit; }
     public void setBindOnInit(boolean b) { this.bindOnInit = b; }
-    private BindState bindState = BindState.UNBOUND;
+    private volatile BindState bindState = BindState.UNBOUND;
 
     /**
      * Keepalive timeout, if not set the soTimeout is used.

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java Thu Jun 23 19:11:56
2016
@@ -77,26 +77,36 @@ public abstract class AbstractJsseEndpoi
             sslImplementation = SSLImplementation.getInstance(getSslImplementationName());
 
             for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
-                boolean firstCertificate = true;
-                for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true))
{
-                    SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
-                    if (firstCertificate) {
-                        firstCertificate = false;
-                        sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols());
-                        sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
-                    }
-
-                    SSLContext sslContext = sslUtil.createSSLContext(negotiableProtocols);
-                    sslContext.init(sslUtil.getKeyManagers(), sslUtil.getTrustManagers(),
null);
-
-                    SSLSessionContext sessionContext = sslContext.getServerSessionContext();
-                    if (sessionContext != null) {
-                        sslUtil.configureSessionContext(sessionContext);
-                    }
-                    certificate.setSslContext(sslContext);
-                }
+                createSSLContext(sslHostConfig);
+            }
+        }
+    }
+
+
+    @Override
+    protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException
{
+        boolean firstCertificate = true;
+        for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true))
{
+            SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
+            if (firstCertificate) {
+                firstCertificate = false;
+                sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols());
+                sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
+            }
+
+            SSLContext sslContext;
+            try {
+                sslContext = sslUtil.createSSLContext(negotiableProtocols);
+                sslContext.init(sslUtil.getKeyManagers(), sslUtil.getTrustManagers(), null);
+            } catch (Exception e) {
+                throw new IllegalArgumentException(e);
             }
 
+            SSLSessionContext sessionContext = sslContext.getServerSessionContext();
+            if (sessionContext != null) {
+                sslUtil.configureSessionContext(sessionContext);
+            }
+            certificate.setSslContext(sslContext);
         }
     }
 
@@ -104,18 +114,25 @@ public abstract class AbstractJsseEndpoi
     protected void destroySsl() throws Exception {
         if (isSSLEnabled()) {
             for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
-                for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true))
{
-                    if (certificate.getSslContext() != null) {
-                        SSLContext sslContext = certificate.getSslContext();
-                        if (sslContext != null) {
-                            sslContext.destroy();
-                        }
-                    }
+                releaseSSLContext(sslHostConfig);
+            }
+        }
+    }
+
+
+    @Override
+    protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
+        for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true))
{
+            if (certificate.getSslContext() != null) {
+                SSLContext sslContext = certificate.getSslContext();
+                if (sslContext != null) {
+                    sslContext.destroy();
                 }
             }
         }
     }
 
+
     protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers)
{
         SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
 

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jun 23 19:11:56 2016
@@ -347,167 +347,182 @@ public class AprEndpoint extends Abstrac
         // Initialize SSL if needed
         if (isSSLEnabled()) {
             for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
+                createSSLContext(sslHostConfig);
+            }
+            SSLHostConfig defaultSSLHostConfig = sslHostConfigs.get(getDefaultSSLHostConfigName());
+            Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext();
+            sslContext = defaultSSLContext.longValue();
+            SSLContext.registerDefault(defaultSSLContext, this);
+        }
+    }
 
-                Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true);
-                boolean firstCertificate = true;
-                for (SSLHostConfigCertificate certificate : certificates) {
-                    if (SSLHostConfig.adjustRelativePath(certificate.getCertificateFile())
== null) {
-                        // This is required
-                        throw new Exception(sm.getString("endpoint.apr.noSslCertFile"));
-                    }
-                    if (firstCertificate) {
-                        // TODO: Duplicates code in SSLUtilBase. Consider
-                        //       refactoring to reduce duplication
-                        firstCertificate = false;
-                        // Configure the enabled protocols
-                        List<String> enabledProtocols = SSLUtilBase.getEnabled("protocols",
log,
-                                true, sslHostConfig.getProtocols(),
-                                OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET);
-                        sslHostConfig.setEnabledProtocols(
-                                enabledProtocols.toArray(new String[enabledProtocols.size()]));
-                        // Configure the enabled ciphers
-                        List<String> enabledCiphers = SSLUtilBase.getEnabled("ciphers",
log,
-                                false, sslHostConfig.getJsseCipherNames(),
-                                OpenSSLEngine.AVAILABLE_CIPHER_SUITES);
-                        sslHostConfig.setEnabledCiphers(
-                                enabledCiphers.toArray(new String[enabledCiphers.size()]));
-                    }
-                }
-                if (certificates.size() > 2) {
-                    // TODO: Can this limitation be removed?
-                    throw new Exception(sm.getString("endpoint.apr.tooManyCertFiles"));
-                }
 
-                // SSL protocol
-                int value = SSL.SSL_PROTOCOL_NONE;
-                if (sslHostConfig.getProtocols().size() == 0) {
-                    // Native fallback used if protocols=""
-                    value = SSL.SSL_PROTOCOL_ALL;
-                } else {
-                    for (String protocol : sslHostConfig.getEnabledProtocols()) {
-                        if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
-                            // NO-OP. OpenSSL always supports SSLv2Hello
-                        } else if (Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol))
{
-                            value |= SSL.SSL_PROTOCOL_SSLV2;
-                        } else if (Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol))
{
-                            value |= SSL.SSL_PROTOCOL_SSLV3;
-                        } else if (Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol))
{
-                            value |= SSL.SSL_PROTOCOL_TLSV1;
-                        } else if (Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol))
{
-                            value |= SSL.SSL_PROTOCOL_TLSV1_1;
-                        } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol))
{
-                            value |= SSL.SSL_PROTOCOL_TLSV1_2;
-                        } else {
-                            // Should not happen since filtering to build
-                            // enabled protocols removes invalid values.
-                            throw new Exception(sm.getString(
-                                    "endpoint.apr.invalidSslProtocol", protocol));
-                        }
-                    }
-                }
 
-                // Create SSL Context
-                long ctx = 0;
-                try {
-                    ctx = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
-                } catch (Exception e) {
-                    // If the sslEngine is disabled on the AprLifecycleListener
-                    // there will be an Exception here but there is no way to check
-                    // the AprLifecycleListener settings from here
-                    throw new Exception(
-                            sm.getString("endpoint.apr.failSslContextMake"), e);
-                }
+    @Override
+    protected void createSSLContext(SSLHostConfig sslHostConfig) throws Exception {
+        Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true);
+        boolean firstCertificate = true;
+        for (SSLHostConfigCertificate certificate : certificates) {
+            if (SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null)
{
+                // This is required
+                throw new Exception(sm.getString("endpoint.apr.noSslCertFile"));
+            }
+            if (firstCertificate) {
+                // TODO: Duplicates code in SSLUtilBase. Consider
+                //       refactoring to reduce duplication
+                firstCertificate = false;
+                // Configure the enabled protocols
+                List<String> enabledProtocols = SSLUtilBase.getEnabled("protocols",
log,
+                        true, sslHostConfig.getProtocols(),
+                        OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET);
+                sslHostConfig.setEnabledProtocols(
+                        enabledProtocols.toArray(new String[enabledProtocols.size()]));
+                // Configure the enabled ciphers
+                List<String> enabledCiphers = SSLUtilBase.getEnabled("ciphers", log,
+                        false, sslHostConfig.getJsseCipherNames(),
+                        OpenSSLEngine.AVAILABLE_CIPHER_SUITES);
+                sslHostConfig.setEnabledCiphers(
+                        enabledCiphers.toArray(new String[enabledCiphers.size()]));
+            }
+        }
+        if (certificates.size() > 2) {
+            // TODO: Can this limitation be removed?
+            throw new Exception(sm.getString("endpoint.apr.tooManyCertFiles"));
+        }
 
-                if (sslHostConfig.getInsecureRenegotiation()) {
-                    SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+        // SSL protocol
+        int value = SSL.SSL_PROTOCOL_NONE;
+        if (sslHostConfig.getProtocols().size() == 0) {
+            // Native fallback used if protocols=""
+            value = SSL.SSL_PROTOCOL_ALL;
+        } else {
+            for (String protocol : sslHostConfig.getEnabledProtocols()) {
+                if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) {
+                    // NO-OP. OpenSSL always supports SSLv2Hello
+                } else if (Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
+                    value |= SSL.SSL_PROTOCOL_SSLV2;
+                } else if (Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
+                    value |= SSL.SSL_PROTOCOL_SSLV3;
+                } else if (Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
+                    value |= SSL.SSL_PROTOCOL_TLSV1;
+                } else if (Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) {
+                    value |= SSL.SSL_PROTOCOL_TLSV1_1;
+                } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) {
+                    value |= SSL.SSL_PROTOCOL_TLSV1_2;
                 } else {
-                    SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+                    // Should not happen since filtering to build
+                    // enabled protocols removes invalid values.
+                    throw new Exception(sm.getString(
+                            "endpoint.apr.invalidSslProtocol", protocol));
                 }
+            }
+        }
 
-                // Use server's preference order for ciphers (rather than
-                // client's)
-                if (sslHostConfig.getHonorCipherOrder()) {
-                    SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
-                } else {
-                    SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
-                }
+        // Create SSL Context
+        long ctx = 0;
+        try {
+            ctx = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER);
+        } catch (Exception e) {
+            // If the sslEngine is disabled on the AprLifecycleListener
+            // there will be an Exception here but there is no way to check
+            // the AprLifecycleListener settings from here
+            throw new Exception(
+                    sm.getString("endpoint.apr.failSslContextMake"), e);
+        }
 
-                // Disable compression if requested
-                if (sslHostConfig.getDisableCompression()) {
-                    SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
-                } else {
-                    SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
-                }
+        if (sslHostConfig.getInsecureRenegotiation()) {
+            SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+        } else {
+            SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+        }
 
-                // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
-                if (sslHostConfig.getDisableSessionTickets()) {
-                    SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
-                } else {
-                    SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
-                }
+        // Use server's preference order for ciphers (rather than client's)
+        if (sslHostConfig.getHonorCipherOrder()) {
+            SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+        } else {
+            SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
+        }
 
-                // List the ciphers that the client is permitted to negotiate
-                SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
-                // Load Server key and certificate
-                // TODO: Confirm assumption that idx is not specific to
-                //       key/certificate type
-                int idx = 0;
-                for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true))
{
-                    SSLContext.setCertificate(ctx,
-                            SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
-                            SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
-                            certificate.getCertificateKeyPassword(), idx++);
-                    // Set certificate chain file
-                    SSLContext.setCertificateChainFile(ctx,
-                            SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()),
false);
-                }
-                // Support Client Certificates
-                SSLContext.setCACertificate(ctx,
-                        SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
-                        SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
-                // Set revocation
-                SSLContext.setCARevocation(ctx,
-                        SSLHostConfig.adjustRelativePath(
-                                sslHostConfig.getCertificateRevocationListFile()),
-                        SSLHostConfig.adjustRelativePath(
-                                sslHostConfig.getCertificateRevocationListPath()));
-                // Client certificate verification
-                switch (sslHostConfig.getCertificateVerification()) {
-                case NONE:
-                    value = SSL.SSL_CVERIFY_NONE;
-                    break;
-                case OPTIONAL:
-                    value = SSL.SSL_CVERIFY_OPTIONAL;
-                    break;
-                case OPTIONAL_NO_CA:
-                    value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
-                    break;
-                case REQUIRED:
-                    value = SSL.SSL_CVERIFY_REQUIRE;
-                    break;
-                }
-                SSLContext.setVerify(ctx, value, sslHostConfig.getCertificateVerificationDepth());
-                // For now, sendfile is not supported with SSL
-                if (getUseSendfile()) {
-                    setUseSendfileInternal(false);
-                    if (useSendFileSet) {
-                        log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
-                    }
-                }
+        // Disable compression if requested
+        if (sslHostConfig.getDisableCompression()) {
+            SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+        } else {
+            SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
+        }
 
-                if (negotiableProtocols.size() > 0) {
-                    ArrayList<String> protocols = new ArrayList<>();
-                    protocols.addAll(negotiableProtocols);
-                    protocols.add("http/1.1");
-                    String[] protocolsArray = protocols.toArray(new String[0]);
-                    SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
-                }
-                sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
+        // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
+        if (sslHostConfig.getDisableSessionTickets()) {
+            SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
+        } else {
+            SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
+        }
+
+        // List the ciphers that the client is permitted to negotiate
+        SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
+        // Load Server key and certificate
+        // TODO: Confirm assumption that idx is not specific to
+        //       key/certificate type
+        int idx = 0;
+        for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true))
{
+            SSLContext.setCertificate(ctx,
+                    SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
+                    SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
+                    certificate.getCertificateKeyPassword(), idx++);
+            // Set certificate chain file
+            SSLContext.setCertificateChainFile(ctx,
+                    SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()),
false);
+        }
+        // Support Client Certificates
+        SSLContext.setCACertificate(ctx,
+                SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+                SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+        // Set revocation
+        SSLContext.setCARevocation(ctx,
+                SSLHostConfig.adjustRelativePath(
+                        sslHostConfig.getCertificateRevocationListFile()),
+                SSLHostConfig.adjustRelativePath(
+                        sslHostConfig.getCertificateRevocationListPath()));
+        // Client certificate verification
+        switch (sslHostConfig.getCertificateVerification()) {
+        case NONE:
+            value = SSL.SSL_CVERIFY_NONE;
+            break;
+        case OPTIONAL:
+            value = SSL.SSL_CVERIFY_OPTIONAL;
+            break;
+        case OPTIONAL_NO_CA:
+            value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
+            break;
+        case REQUIRED:
+            value = SSL.SSL_CVERIFY_REQUIRE;
+            break;
+        }
+        SSLContext.setVerify(ctx, value, sslHostConfig.getCertificateVerificationDepth());
+        // For now, sendfile is not supported with SSL
+        if (getUseSendfile()) {
+            setUseSendfileInternal(false);
+            if (useSendFileSet) {
+                log.warn(sm.getString("endpoint.apr.noSendfileWithSSL"));
             }
-            SSLHostConfig defaultSSLHostConfig = sslHostConfigs.get(getDefaultSSLHostConfigName());
-            Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext();
-            sslContext = defaultSSLContext.longValue();
-            SSLContext.registerDefault(defaultSSLContext, this);
+        }
+
+        if (negotiableProtocols.size() > 0) {
+            ArrayList<String> protocols = new ArrayList<>();
+            protocols.addAll(negotiableProtocols);
+            protocols.add("http/1.1");
+            String[] protocolsArray = protocols.toArray(new String[0]);
+            SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
+        }
+        sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
+    }
+
+
+    @Override
+    protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
+        Long ctx = sslHostConfig.getOpenSslContext();
+        if (ctx != null) {
+            SSLContext.free(ctx.longValue());
+            sslHostConfig.setOpenSslContext(null);
         }
     }
 

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Jun 23 19:11:56 2016
@@ -18,6 +18,7 @@ package org.apache.tomcat.util.net;
 
 import java.io.File;
 import java.io.IOException;
+import java.io.Serializable;
 import java.security.KeyStore;
 import java.security.UnrecoverableKeyException;
 import java.util.HashMap;
@@ -39,7 +40,9 @@ import org.apache.tomcat.util.res.String
 /**
  * Represents the TLS configuration for a virtual host.
  */
-public class SSLHostConfig {
+public class SSLHostConfig implements Serializable {
+
+    private static final long serialVersionUID = 1L;
 
     private static final Log log = LogFactory.getLog(SSLHostConfig.class);
     private static final StringManager sm = StringManager.getManager(SSLHostConfig.class);
@@ -69,7 +72,7 @@ public class SSLHostConfig {
     // OpenSSL can handle multiple certs in a single config so the reference to
     // the context is here at the virtual host level. JSSE can't so the
     // reference is held on the certificate.
-    private Long openSslContext;
+    private transient Long openSslContext;
 
     // Configuration properties
 
@@ -99,7 +102,7 @@ public class SSLHostConfig {
     private String truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
     private String truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
     private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
-    private KeyStore truststore = null;
+    private transient KeyStore truststore = null;
     // OpenSSL
     private String certificateRevocationListPath;
     private String caCertificateFile;

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java Thu Jun 23
19:11:56 2016
@@ -17,6 +17,7 @@
 package org.apache.tomcat.util.net;
 
 import java.io.IOException;
+import java.io.Serializable;
 import java.security.KeyStore;
 import java.util.HashSet;
 import java.util.Set;
@@ -26,8 +27,9 @@ import org.apache.juli.logging.LogFactor
 import org.apache.tomcat.util.net.openssl.ciphers.Authentication;
 import org.apache.tomcat.util.res.StringManager;
 
+public class SSLHostConfigCertificate implements Serializable {
 
-public class SSLHostConfigCertificate {
+    private static final long serialVersionUID = 1L;
 
     private static final Log log = LogFactory.getLog(SSLHostConfigCertificate.class);
     private static final StringManager sm = StringManager.getManager(SSLHostConfigCertificate.class);
@@ -42,7 +44,7 @@ public class SSLHostConfigCertificate {
     // OpenSSL can handle multiple certs in a single config so the reference to
     // the context is at the virtual host level. JSSE can't so the reference is
     // held here on the certificate.
-    private SSLContext sslContext;
+    private transient SSLContext sslContext;
 
     // Common
     private final SSLHostConfig sslHostConfig;
@@ -55,7 +57,7 @@ public class SSLHostConfigCertificate {
     private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore";
     private String certificateKeystoreProvider = DEFAULT_KEYSTORE_PROVIDER;
     private String certificateKeystoreType = DEFAULT_KEYSTORE_TYPE;
-    private KeyStore certificateKeystore = null;
+    private transient KeyStore certificateKeystore = null;
 
     // OpenSSL
     private String certificateChainFile;

Added: tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java?rev=1749978&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java (added)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java Thu Jun
23 19:11:56 2016
@@ -0,0 +1,61 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+import java.io.File;
+import java.io.ObjectOutputStream;
+
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.http.fileupload.ByteArrayOutputStream;
+import org.apache.tomcat.websocket.server.WsContextListener;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestSSLHostConfigIntegration extends TomcatBaseTest {
+
+    @Test
+    public void testSslHostConfigIsSerializable() throws Exception {
+        TesterSupport.configureClientSsl();
+
+        Tomcat tomcat = getTomcatInstance();
+
+        File appDir = new File(getBuildDirectory(), "webapps/examples");
+        org.apache.catalina.Context ctxt  = tomcat.addWebapp(
+                null, "/examples", appDir.getAbsolutePath());
+        ctxt.addApplicationListener(WsContextListener.class.getName());
+
+        TesterSupport.initSsl(tomcat);
+
+        tomcat.start();
+
+        SSLHostConfig[] sslHostConfigs =
+                tomcat.getConnector().getProtocolHandler().findSslHostConfigs();
+
+        boolean written = false;
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
+            for (SSLHostConfig sslHostConfig : sslHostConfigs) {
+                oos.writeObject(sslHostConfig);
+                written = true;
+            }
+        }
+
+        Assert.assertTrue(written);
+    }
+}

Propchange: tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1749978&r1=1749977&r2=1749978&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 23 19:11:56 2016
@@ -101,6 +101,10 @@
         that are being executed in a single connection. The default is to
         not limit it. (remm)
       </update>
+      <add>
+        <bug>59233</bug>: Add the ability to add TLS virtual hosts dynamically.
+        (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="WebSocket">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message