Author: markt Date: Tue May 5 19:23:55 2015 New Revision: 1677881 URL: http://svn.apache.org/r1677881 Log: Move crlFile/SSLCARevocationFile & SSLCARevocationPath to SSLHostConfig
Modified:
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
    tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
    tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java Tue May 5 19:23:55 2015
@@ -64,9 +64,6 @@ public abstract class AbstractHttp11Jsse
         return getEndpoint().getTruststoreAlgorithm();
     }
-    public void setCrlFile(String s){getEndpoint().setCrlFile(s);}
-    public String getCrlFile(){ return getEndpoint().getCrlFile();}
-
     public void setSessionCacheSize(String s){getEndpoint().setSessionCacheSize(s);}
     public String getSessionCacheSize(){ return getEndpoint().getSessionCacheSize();}

Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Tue May 5 19:23:55 2015
@@ -445,6 +445,19 @@ public abstract class AbstractHttp11Prot
     }
+    public void setCrlFile(String certificateRevocationListFile){
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateRevocationListFile(certificateRevocationListFile);
+    }
+    public void setSSLCARevocationFile(String certificateRevocationListFile) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateRevocationListFile(certificateRevocationListFile);
+    }
+    public void setSSLCARevocationPath(String certificateRevocationListPath) {
+        registerDefaultSSLHostConfig();
+        defaultSSLHostConfig.setCertificateRevocationListPath(certificateRevocationListPath);
+    }
+
     // ------------------------------------------------------------- Common code

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue May 5 19:23:55 2015
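Review bot: setCrlFile and setSSLCARevocationFile both write the same certificateRevocationListFile on the default SSLHostConfig, and because this commit removes the getters from AbstractHttp11JsseProtocol and Http11AprProtocol without adding any here, nothing on the protocol can read the value back; a Connector carrying both the JSSE alias and the APR alias with different values keeps whichever was applied last, with no warning. That value decides which CRL client certificates are checked against, so a silent override deserves at least a log line when a different, already-set value is replaced. Each alias should also say what it is, e.g. `/** Alias for the certificateRevocationListFile attribute of the default SSLHostConfig; kept for the legacy crlFile connector attribute. */` with the matching wording on the two SSLCARevocation* aliases. The enclosing AbstractHttp11Protocol class starts and ends outside this hunk, and whether these setters are reached by attribute introspection from server.xml is inferred rather than visible here.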
@@ -94,20 +94,6 @@ public class Http11AprProtocol extends A
     /**
-     * SSL CA revocation path.
-     */
-    public String getSSLCARevocationPath() { return ((AprEndpoint)getEndpoint()).getSSLCARevocationPath(); }
-    public void setSSLCARevocationPath(String SSLCARevocationPath) { ((AprEndpoint)getEndpoint()).setSSLCARevocationPath(SSLCARevocationPath); }
-
-
-    /**
-     * SSL CA revocation file.
-     */
-    public String getSSLCARevocationFile() { return ((AprEndpoint)getEndpoint()).getSSLCARevocationFile(); }
-    public void setSSLCARevocationFile(String SSLCARevocationFile) { ((AprEndpoint)getEndpoint()).setSSLCARevocationFile(SSLCARevocationFile); }
-
-
-    /**
      * Disable SSL compression.
      */
     public boolean getSSLDisableCompression() { return ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Tue May 5 19:23:55 2015
@@ -1037,12 +1037,6 @@ public abstract class AbstractEndpoint<S
         this.trustManagerClassName = trustManagerClassName;
     }
-    private String crlFile = null;
-    public String getCrlFile() {return crlFile;}
-    public void setCrlFile(String crlFile) {
-        this.crlFile = crlFile;
-    }
-
     private String sessionCacheSize = null;
     public String getSessionCacheSize() { return sessionCacheSize;}
     public void setSessionCacheSize(String s) { sessionCacheSize = s;}

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue May 5 19:23:55 2015
@@ -233,21 +233,6 @@ public class AprEndpoint extends Abstrac
     /**
-     * SSL CA revocation path.
-     */
-    protected String SSLCARevocationPath = null;
-    public String getSSLCARevocationPath() { return SSLCARevocationPath; }
-    public void setSSLCARevocationPath(String SSLCARevocationPath) { this.SSLCARevocationPath = SSLCARevocationPath; }
-
-
-    /**
-     * SSL CA revocation file.
-     */
-    protected String SSLCARevocationFile = null;
-    public String getSSLCARevocationFile() { return SSLCARevocationFile; }
-    public void setSSLCARevocationFile(String SSLCARevocationFile) { this.SSLCARevocationFile = SSLCARevocationFile; }
-
-    /**
      * SSL disable TLS Session Tickets (RFC 4507).
      */
     protected boolean SSLDisableSessionTickets = false;
@@ -564,7 +549,8 @@ public class AprEndpoint extends Abstrac // Support Client Certificates SSLContext.setCACertificate(ctx, SSLCACertificateFile, SSLCACertificatePath); // Set revocation - SSLContext.setCARevocation(ctx, SSLCARevocationFile, SSLCARevocationPath); + SSLContext.setCARevocation(ctx, sslHostConfig.getCertificateRevocationListFile(), + sslHostConfig.getCertificateRevocationListPath()); // Client certificate verification switch (sslHostConfig.getCertificateVerification()) { case NONE: Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677881&r1=1677880&r2=1677881&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue May 5 19:23:55 2015 @@ -50,8 +50,8 @@ public class SSLHostConfig { private int certificateVerificationDepth = 10; private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; private boolean honorCipherOrder = false; - private Set<String> protocols = new HashSet<>(); + private String certificateRevocationListFile; // JSSE private String certificateKeystorePassword = "changeit"; private String certificateKeystoreFile = System.getProperty("user.home")+"/.keystore"; @@ -59,6 +59,7 @@ public class SSLHostConfig { // OpenSSL private String certificateFile; private String certificateKeyFile; + private String certificateRevocationListPath; public SSLHostConfig() { // Set defaults that can't be (easily) set when defining the fields. 
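Review bot: The CRL handed to SSLContext.setCARevocation now comes from sslHostConfig, while the CA certificates it has to be matched against, SSLCACertificateFile and SSLCACertificatePath on the line just above, are still AprEndpoint fields, so trust anchors and their revocation data are configured at two different levels in the same call sequence. Once more than one SSLHostConfig exists per connector, a per-host CRL will be paired with a connector-wide CA set, and a CRL whose issuer is not in that set cannot do its job; how OpenSSL reports that depends on verify flags set outside this hunk. If the CA attributes are meant to follow in a later commit, leave a marker so the split is not mistaken for a design: `// TODO: SSLCACertificateFile/Path are still endpoint-level; move them to SSLHostConfig alongside the CRL settings.` The enclosing method starts and ends outside this hunk, and where sslHostConfig is assigned is not visible here.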
@@ -117,6 +118,16 @@ public class SSLHostConfig {
     }
+    public void setCertificateRevocationListFile(String certificateRevocationListFile) {
+        this.certificateRevocationListFile = certificateRevocationListFile;
+    }
+
+
+    public String getCertificateRevocationListFile() {
+        return certificateRevocationListFile;
+    }
+
+
     public void setCertificateVerification(String certificateVerification) {
         this.certificateVerification = CertificateVerification.fromString(certificateVerification);
     }
@@ -275,6 +286,17 @@ public class SSLHostConfig {
     }
+    public void setCertificateRevocationListPath(String certificateRevocationListPath) {
+        setProperty("certificateRevocationListPath", Type.OPENSSL);
+        this.certificateRevocationListPath = certificateRevocationListPath;
+    }
+
+
+    public String getCertificateRevocationListPath() {
+        return certificateRevocationListPath;
+    }
+
+
     // ----------------------------------------------------------- Inner classes
     public static enum Type {

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Tue May 5 19:23:55 2015
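Review bot: The attribute this setter defines is certificateRevocationListFile, but the http.xml hunk in this same commit documents it as certificateRevocationFile (and certificateRevocationListPath as certificateRevocationPath). If SSLHostConfig attributes are applied by introspection on setter names, which the string key used by the Path setter suggests but this hunk does not prove, a server.xml written from the docs sets nothing, and client certificates are then accepted with no CRL check and at best a generic unknown-attribute warning to notice it by. Make the two agree, either `public void setCertificateRevocationFile(String certificateRevocationFile)` / `getCertificateRevocationFile()` here or the `List` form in the two docs entries, and add a javadoc on the setter stating that it replaces the JSSE crlFile and OpenSSL SSLCARevocationFile connector attributes. SSLHostConfig's class body continues outside this hunk.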
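Review bot: setCertificateRevocationListPath registers itself with `setProperty("certificateRevocationListPath", Type.OPENSSL);` while setCertificateRevocationListFile in the previous hunk registers nothing, so if setProperty is what drives a JSSE-versus-OpenSSL attribute mismatch warning (inferred; its body is not visible here), a path set on the wrong stack is reported but a file is never tracked. If a Type value covering both stacks exists, the file setter should make the same call; if the omission is deliberate, a one-line comment on the file setter saying why would stop the next reader from "fixing" it. A short javadoc on getCertificateRevocationListPath noting that only the OpenSSL-based connector consults the directory (the docs hunk says OpenSSL only) would also help, since the JSSE code reads only the file.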
@@ -435,7 +435,7 @@ public class JSSESocketFactory implement protected TrustManager[] getTrustManagers(String keystoreType, String keystoreProvider, String algorithm) throws Exception { - String crlf = endpoint.getCrlFile(); + String crlf = sslHostConfig.getCertificateRevocationListFile(); String className = endpoint.getTrustManagerClassName(); if(className != null && className.length() > 0) { Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677881&r1=1677880&r2=1677881&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Tue May 5 19:23:55 2015 @@ -1069,6 +1069,20 @@ behaviour is not to use a password.</p> </attribute> + <attribute name="certificateRevocationFile" required="false"> + <p>Name of the file that contains the concatenated certificate revocation + lists for the certificate authorities. The format is PEM-encoded. If not + defined, client certificates will not be checked against a certificate + revocation list (unless an OpenSSl based connector is used and + <strong>certificateRevocationPath</strong> is defined).</p> + </attribute> + + <attribute name="certificateRevocationPath" required="false"> + <p>OpenSSL only.</p> + <p>Name of the directory that contains the certificate revocation lists + for the certificate authorities. The format is PEM-encoded.</p> + </attribute> + <attribute name="certificateVerification" required="false"> <p>Set to <code>required</code> if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. 
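Review bot: The JSSE trust-manager path reads only getCertificateRevocationListFile, so a certificateRevocationListPath configured on a JSSE connector is ignored here without any message, and the custom trustManagerClassName branch that opens on the hunk's last line is entered after crlf has been read; if that branch does not apply crlf (its body lies outside the hunk), a configured CRL is dropped silently whenever an operator plugs in their own trust manager. Both are quiet losses of revocation checking on client-certificate authentication, which an operator has no way to notice from a working handshake. Log at warn level when crlf is non-null but cannot be applied, e.g. `if (crlf != null) log.warn(sm.getString("jsse.crlFileIgnored", className));` at the top of the custom-class branch, using whatever logger and StringManager this file already declares. getTrustManagers continues past the end of the hunk.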
@@ -1173,9 +1187,9 @@ </attribute> <attribute name="crlFile" required="false"> - <p>The certificate revocation list to be used to verify client - certificates. If not defined, client certificates will not be checked - against a certificate revocation list.</p> + <p>This is an alias for the <code>certificateRevocationFile</code> + attribute of the default + <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p> </attribute> <attribute name="keyAlias" required="false"> @@ -1350,13 +1364,15 @@ </attribute> <attribute name="SSLCARevocationFile" required="false"> - <p>Name of the file that contains the concatenated certificate revocation - lists for the certificate authorities. The format is PEM-encoded.</p> + <p>This is an alias for the <code>certificateRevocationFile</code> + attribute of the default + <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p> </attribute> <attribute name="SSLCARevocationPath" required="false"> - <p>Name of the directory that contains the certificate revocation lists - for the certificate authorities. The format is PEM-encoded.</p> + <p>This is an alias for the <code>certificateRevocationPath</code> + attribute of the default + <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p> </attribute> <attribute name="SSLCertificateChainFile" required="false"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org