Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 714DE200B32 for ; Thu, 23 Jun 2016 21:28:28 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 6FEEF160A59; Thu, 23 Jun 2016 19:28:28 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id C1674160A35 for ; Thu, 23 Jun 2016 21:28:26 +0200 (CEST) Received: (qmail 46752 invoked by uid 500); 23 Jun 2016 19:28:25 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 46742 invoked by uid 99); 23 Jun 2016 19:28:25 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Jun 2016 19:28:25 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 15564C028E for ; Thu, 23 Jun 2016 19:28:25 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.374 X-Spam-Level: X-Spam-Status: No, score=0.374 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-1.426] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id PX-JzJdpw9Iy for ; Thu, 23 Jun 2016 19:28:19 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 6976C5FB60 for ; Thu, 23 Jun 2016 19:28:19 +0000 (UTC) Received: from svn01-us-west.apache.org (svn.apache.org [10.41.0.6]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 2EE23E002B for ; Thu, 23 Jun 2016 19:28:18 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 2B2B53A006B for ; Thu, 23 Jun 2016 19:28:18 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1749984 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/tomcat/util/net/ test/org/apache/tomcat/util/net/ webapps/docs/ Date: Thu, 23 Jun 2016 19:28:18 -0000 To: dev@tomcat.apache.org From: markt@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20160623192818.2B2B53A006B@svn01-us-west.apache.org> archived-at: Thu, 23 Jun 2016 19:28:28 -0000 Author: markt Date: Thu Jun 23 19:28:17 2016 New Revision: 1749984 URL: http://svn.apache.org/viewvc?rev=1749984&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59233 Add the ability to add TLS virtual hosts dynamically Added: tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java - copied, changed from r1749978, tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java Modified: tomcat/tc8.5.x/trunk/ (props changed) tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc8.5.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Thu Jun 23 19:28:17 2016 @@ -1 +1 @@ -/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501 ,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747924,1747980,1747 993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866 +/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501 ,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747536,1747924,1747980,1747 993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749978,1749980 Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1749984&r1=1749983&r2=1749984&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Jun 23 19:28:17 2016 @@ -22,9 +22,9 @@ import java.net.InetSocketAddress; import java.util.ArrayList; import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; import java.util.concurrent.Executor; import java.util.concurrent.RejectedExecutionException; import java.util.concurrent.TimeUnit; @@ -197,23 +197,50 @@ public abstract class AbstractEndpoint sslHostConfigs = new ConcurrentHashMap<>(); - public void addSslHostConfig(SSLHostConfig sslHostConfig) { + protected ConcurrentMap sslHostConfigs = new ConcurrentHashMap<>(); + public void addSslHostConfig(SSLHostConfig sslHostConfig) throws IllegalArgumentException { String key = sslHostConfig.getHostName(); if (key == null || key.length() == 0) { throw new IllegalArgumentException(sm.getString("endpoint.noSslHostName")); } - SSLHostConfig duplicate = sslHostConfigs.put(key, sslHostConfig); + sslHostConfig.setConfigType(getSslConfigType()); + if (bindState != BindState.UNBOUND) { + try { + createSSLContext(sslHostConfig); + } catch (Exception e) { + throw new IllegalArgumentException(e); + } + } + SSLHostConfig duplicate = sslHostConfigs.putIfAbsent(key, sslHostConfig); if (duplicate != null) { + releaseSSLContext(sslHostConfig); throw new IllegalArgumentException(sm.getString("endpoint.duplicateSslHostName", key)); } - sslHostConfig.setConfigType(getSslConfigType()); } public SSLHostConfig[] findSslHostConfigs() { return sslHostConfigs.values().toArray(new SSLHostConfig[0]); } + protected abstract SSLHostConfig.Type getSslConfigType(); + /** + * Create the SSLContextfor the the given SSLHostConfig. + * + * @param sslHostConfig The SSLHostConfig for which the SSLContext should be + * created + * @throws Exception If the SSLContext cannot be created for the given + * SSLHostConfig + */ + protected abstract void createSSLContext(SSLHostConfig sslHostConfig) throws Exception; + + /** + * Release the SSLContext, if any, associated with the SSLHostConfig. + * + * @param sslHostConfig The SSLHostConfig for which the SSLContext should be + * released + */ + protected abstract void releaseSSLContext(SSLHostConfig sslHostConfig); + protected SSLHostConfig getSSLHostConfig(String sniHostName) { SSLHostConfig result = null; @@ -376,7 +403,7 @@ public abstract class AbstractEndpoint clientRequestedCiphers) { SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName); Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1749984&r1=1749983&r2=1749984&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Jun 23 19:28:17 2016 @@ -347,171 +347,186 @@ public class AprEndpoint extends Abstrac // Initialize SSL if needed if (isSSLEnabled()) { for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) { + createSSLContext(sslHostConfig); + } + SSLHostConfig defaultSSLHostConfig = sslHostConfigs.get(getDefaultSSLHostConfigName()); + Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext(); + sslContext = defaultSSLContext.longValue(); + SSLContext.registerDefault(defaultSSLContext, this); + } + } - Set certificates = sslHostConfig.getCertificates(true); - boolean firstCertificate = true; - for (SSLHostConfigCertificate certificate : certificates) { - if (SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) { - // This is required - throw new Exception(sm.getString("endpoint.apr.noSslCertFile")); - } - if (firstCertificate) { - // TODO: Duplicates code in SSLUtilBase. Consider - // refactoring to reduce duplication - firstCertificate = false; - // Configure the enabled protocols - List enabledProtocols = SSLUtilBase.getEnabled("protocols", log, - true, sslHostConfig.getProtocols(), - OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET); - sslHostConfig.setEnabledProtocols( - enabledProtocols.toArray(new String[enabledProtocols.size()])); - // Configure the enabled ciphers - List enabledCiphers = SSLUtilBase.getEnabled("ciphers", log, - false, sslHostConfig.getJsseCipherNames(), - OpenSSLEngine.AVAILABLE_CIPHER_SUITES); - sslHostConfig.setEnabledCiphers( - enabledCiphers.toArray(new String[enabledCiphers.size()])); - } - } - if (certificates.size() > 2) { - // TODO: Can this limitation be removed? - throw new Exception(sm.getString("endpoint.apr.tooManyCertFiles")); - } - // SSL protocol - int value = SSL.SSL_PROTOCOL_NONE; - if (sslHostConfig.getProtocols().size() == 0) { - // Native fallback used if protocols="" - value = SSL.SSL_PROTOCOL_ALL; - } else { - for (String protocol : sslHostConfig.getEnabledProtocols()) { - if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) { - // NO-OP. OpenSSL always supports SSLv2Hello - } else if (Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_SSLV2; - } else if (Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_SSLV3; - } else if (Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_TLSV1; - } else if (Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_TLSV1_1; - } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) { - value |= SSL.SSL_PROTOCOL_TLSV1_2; - } else { - // Should not happen since filtering to build - // enabled protocols removes invalid values. - throw new Exception(sm.getString( - "endpoint.apr.invalidSslProtocol", protocol)); - } - } - } - // Create SSL Context - long ctx = 0; - try { - ctx = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER); - } catch (Exception e) { - // If the sslEngine is disabled on the AprLifecycleListener - // there will be an Exception here but there is no way to check - // the AprLifecycleListener settings from here - throw new Exception( - sm.getString("endpoint.apr.failSslContextMake"), e); - } + @Override + protected void createSSLContext(SSLHostConfig sslHostConfig) throws Exception { + Set certificates = sslHostConfig.getCertificates(true); + boolean firstCertificate = true; + for (SSLHostConfigCertificate certificate : certificates) { + if (SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) { + // This is required + throw new Exception(sm.getString("endpoint.apr.noSslCertFile")); + } + if (firstCertificate) { + // TODO: Duplicates code in SSLUtilBase. Consider + // refactoring to reduce duplication + firstCertificate = false; + // Configure the enabled protocols + List enabledProtocols = SSLUtilBase.getEnabled("protocols", log, + true, sslHostConfig.getProtocols(), + OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET); + sslHostConfig.setEnabledProtocols( + enabledProtocols.toArray(new String[enabledProtocols.size()])); + // Configure the enabled ciphers + List enabledCiphers = SSLUtilBase.getEnabled("ciphers", log, + false, sslHostConfig.getJsseCipherNames(), + OpenSSLEngine.AVAILABLE_CIPHER_SUITES); + sslHostConfig.setEnabledCiphers( + enabledCiphers.toArray(new String[enabledCiphers.size()])); + } + } + if (certificates.size() > 2) { + // TODO: Can this limitation be removed? + throw new Exception(sm.getString("endpoint.apr.tooManyCertFiles")); + } - if (sslHostConfig.getInsecureRenegotiation()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + // SSL protocol + int value = SSL.SSL_PROTOCOL_NONE; + if (sslHostConfig.getProtocols().size() == 0) { + // Native fallback used if protocols="" + value = SSL.SSL_PROTOCOL_ALL; + } else { + for (String protocol : sslHostConfig.getEnabledProtocols()) { + if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) { + // NO-OP. OpenSSL always supports SSLv2Hello + } else if (Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_SSLV2; + } else if (Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_SSLV3; + } else if (Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1; + } else if (Constants.SSL_PROTO_TLSv1_1.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_1; + } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_2; } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + // Should not happen since filtering to build + // enabled protocols removes invalid values. + throw new Exception(sm.getString( + "endpoint.apr.invalidSslProtocol", protocol)); } + } + } - // Use server's preference order for ciphers (rather than - // client's) - String honorCipherOrderStr = sslHostConfig.getHonorCipherOrder(); - if (honorCipherOrderStr != null) { - boolean honorCipherOrder = Boolean.valueOf(honorCipherOrderStr).booleanValue(); - if (honorCipherOrder) { - SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); - } - } + // Create SSL Context + long ctx = 0; + try { + ctx = SSLContext.make(rootPool, value, SSL.SSL_MODE_SERVER); + } catch (Exception e) { + // If the sslEngine is disabled on the AprLifecycleListener + // there will be an Exception here but there is no way to check + // the AprLifecycleListener settings from here + throw new Exception( + sm.getString("endpoint.apr.failSslContextMake"), e); + } - // Disable compression if requested - if (sslHostConfig.getDisableCompression()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); - } + if (sslHostConfig.getInsecureRenegotiation()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); + } - // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy - if (sslHostConfig.getDisableSessionTickets()) { - SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET); - } else { - SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET); - } + // Use server's preference order for ciphers (rather than client's) + String honorCipherOrderStr = sslHostConfig.getHonorCipherOrder(); + if (honorCipherOrderStr != null) { + boolean honorCipherOrder = Boolean.valueOf(honorCipherOrderStr).booleanValue(); + if (honorCipherOrder) { + SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); + } + } - // List the ciphers that the client is permitted to negotiate - SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers()); - // Load Server key and certificate - // TODO: Confirm assumption that idx is not specific to - // key/certificate type - int idx = 0; - for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) { - SSLContext.setCertificate(ctx, - SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()), - SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()), - certificate.getCertificateKeyPassword(), idx++); - // Set certificate chain file - SSLContext.setCertificateChainFile(ctx, - SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false); - } - // Support Client Certificates - SSLContext.setCACertificate(ctx, - SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()), - SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath())); - // Set revocation - SSLContext.setCARevocation(ctx, - SSLHostConfig.adjustRelativePath( - sslHostConfig.getCertificateRevocationListFile()), - SSLHostConfig.adjustRelativePath( - sslHostConfig.getCertificateRevocationListPath())); - // Client certificate verification - switch (sslHostConfig.getCertificateVerification()) { - case NONE: - value = SSL.SSL_CVERIFY_NONE; - break; - case OPTIONAL: - value = SSL.SSL_CVERIFY_OPTIONAL; - break; - case OPTIONAL_NO_CA: - value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA; - break; - case REQUIRED: - value = SSL.SSL_CVERIFY_REQUIRE; - break; - } - SSLContext.setVerify(ctx, value, sslHostConfig.getCertificateVerificationDepth()); - // For now, sendfile is not supported with SSL - if (getUseSendfile()) { - setUseSendfileInternal(false); - if (useSendFileSet) { - log.warn(sm.getString("endpoint.apr.noSendfileWithSSL")); - } - } + // Disable compression if requested + if (sslHostConfig.getDisableCompression()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); + } - if (negotiableProtocols.size() > 0) { - ArrayList protocols = new ArrayList<>(); - protocols.addAll(negotiableProtocols); - protocols.add("http/1.1"); - String[] protocolsArray = protocols.toArray(new String[0]); - SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE); - } - sslHostConfig.setOpenSslContext(Long.valueOf(ctx)); + // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy + if (sslHostConfig.getDisableSessionTickets()) { + SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET); + } else { + SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET); + } + + // List the ciphers that the client is permitted to negotiate + SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers()); + // Load Server key and certificate + // TODO: Confirm assumption that idx is not specific to + // key/certificate type + int idx = 0; + for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) { + SSLContext.setCertificate(ctx, + SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()), + SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()), + certificate.getCertificateKeyPassword(), idx++); + // Set certificate chain file + SSLContext.setCertificateChainFile(ctx, + SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false); + } + // Support Client Certificates + SSLContext.setCACertificate(ctx, + SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()), + SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath())); + // Set revocation + SSLContext.setCARevocation(ctx, + SSLHostConfig.adjustRelativePath( + sslHostConfig.getCertificateRevocationListFile()), + SSLHostConfig.adjustRelativePath( + sslHostConfig.getCertificateRevocationListPath())); + // Client certificate verification + switch (sslHostConfig.getCertificateVerification()) { + case NONE: + value = SSL.SSL_CVERIFY_NONE; + break; + case OPTIONAL: + value = SSL.SSL_CVERIFY_OPTIONAL; + break; + case OPTIONAL_NO_CA: + value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA; + break; + case REQUIRED: + value = SSL.SSL_CVERIFY_REQUIRE; + break; + } + SSLContext.setVerify(ctx, value, sslHostConfig.getCertificateVerificationDepth()); + // For now, sendfile is not supported with SSL + if (getUseSendfile()) { + setUseSendfileInternal(false); + if (useSendFileSet) { + log.warn(sm.getString("endpoint.apr.noSendfileWithSSL")); } - SSLHostConfig defaultSSLHostConfig = sslHostConfigs.get(getDefaultSSLHostConfigName()); - Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext(); - sslContext = defaultSSLContext.longValue(); - SSLContext.registerDefault(defaultSSLContext, this); + } + + if (negotiableProtocols.size() > 0) { + ArrayList protocols = new ArrayList<>(); + protocols.addAll(negotiableProtocols); + protocols.add("http/1.1"); + String[] protocolsArray = protocols.toArray(new String[0]); + SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE); + } + sslHostConfig.setOpenSslContext(Long.valueOf(ctx)); + } + + + @Override + protected void releaseSSLContext(SSLHostConfig sslHostConfig) { + Long ctx = sslHostConfig.getOpenSslContext(); + if (ctx != null) { + SSLContext.free(ctx.longValue()); + sslHostConfig.setOpenSslContext(null); } } Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1749984&r1=1749983&r2=1749984&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Jun 23 19:28:17 2016 @@ -18,6 +18,7 @@ package org.apache.tomcat.util.net; import java.io.File; import java.io.IOException; +import java.io.Serializable; import java.security.KeyStore; import java.security.UnrecoverableKeyException; import java.util.HashMap; @@ -40,7 +41,9 @@ import org.apache.tomcat.util.res.String /** * Represents the TLS configuration for a virtual host. */ -public class SSLHostConfig { +public class SSLHostConfig implements Serializable { + + private static final long serialVersionUID = 1L; private static final Log log = LogFactory.getLog(SSLHostConfig.class); private static final StringManager sm = StringManager.getManager(SSLHostConfig.class); @@ -72,7 +75,7 @@ public class SSLHostConfig { // OpenSSL can handle multiple certs in a single config so the reference to // the context is here at the virtual host level. JSSE can't so the // reference is held on the certificate. - private Long openSslContext; + private transient Long openSslContext; // Configuration properties @@ -102,7 +105,7 @@ public class SSLHostConfig { private String truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword"); private String truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider"); private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType"); - private KeyStore truststore = null; + private transient KeyStore truststore = null; // OpenSSL private String certificateRevocationListPath; private String caCertificateFile; Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java?rev=1749984&r1=1749983&r2=1749984&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java Thu Jun 23 19:28:17 2016 @@ -17,6 +17,7 @@ package org.apache.tomcat.util.net; import java.io.IOException; +import java.io.Serializable; import java.security.KeyStore; import java.util.HashSet; import java.util.Set; @@ -26,8 +27,9 @@ import org.apache.juli.logging.LogFactor import org.apache.tomcat.util.net.openssl.ciphers.Authentication; import org.apache.tomcat.util.res.StringManager; +public class SSLHostConfigCertificate implements Serializable { -public class SSLHostConfigCertificate { + private static final long serialVersionUID = 1L; private static final Log log = LogFactory.getLog(SSLHostConfigCertificate.class); private static final StringManager sm = StringManager.getManager(SSLHostConfigCertificate.class); @@ -42,7 +44,7 @@ public class SSLHostConfigCertificate { // OpenSSL can handle multiple certs in a single config so the reference to // the context is at the virtual host level. JSSE can't so the reference is // held here on the certificate. - private SSLContext sslContext; + private transient SSLContext sslContext; // Common private final SSLHostConfig sslHostConfig; @@ -55,7 +57,7 @@ public class SSLHostConfigCertificate { private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore"; private String certificateKeystoreProvider = DEFAULT_KEYSTORE_PROVIDER; private String certificateKeystoreType = DEFAULT_KEYSTORE_TYPE; - private KeyStore certificateKeystore = null; + private transient KeyStore certificateKeystore = null; // OpenSSL private String certificateChainFile; Copied: tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java (from r1749978, tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java) URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java?p2=tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java&p1=tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java&r1=1749978&r2=1749984&rev=1749984&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java (original) +++ tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestSSLHostConfigIntegration.java Thu Jun 23 19:28:17 2016 @@ -19,12 +19,13 @@ package org.apache.tomcat.util.net; import java.io.File; import java.io.ObjectOutputStream; +import org.junit.Assert; +import org.junit.Test; + import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.http.fileupload.ByteArrayOutputStream; import org.apache.tomcat.websocket.server.WsContextListener; -import org.junit.Assert; -import org.junit.Test; public class TestSSLHostConfigIntegration extends TomcatBaseTest { Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1749984&r1=1749983&r2=1749984&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Jun 23 19:28:17 2016 @@ -92,6 +92,10 @@ Refactor the certifcate keystore and trust store generation to make it easier for embedded users to inject their own key stores. (markt) + + 59233: Add the ability to add TLS virtual hosts dynamically. + (markt) + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org