Author: markt
Date: Tue May 5 19:23:55 2015
New Revision: 1677881
URL: http://svn.apache.org/r1677881
Log:
Move crlFile/SSLCARevocationFile & SSLCARevocationPath to SSLHostConfig
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
tomcat/trunk/webapps/docs/config/http.xml
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
Tue May 5 19:23:55 2015
@@ -64,9 +64,6 @@ public abstract class AbstractHttp11Jsse
return getEndpoint().getTruststoreAlgorithm();
}
- public void setCrlFile(String s){getEndpoint().setCrlFile(s);}
- public String getCrlFile(){ return getEndpoint().getCrlFile();}
-
public void setSessionCacheSize(String
s){getEndpoint().setSessionCacheSize(s);}
public String getSessionCacheSize(){ return
getEndpoint().getSessionCacheSize();}
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Tue
May 5 19:23:55 2015
@@ -445,6 +445,19 @@ public abstract class AbstractHttp11Prot
}
+ public void setCrlFile(String certificateRevocationListFile){
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateRevocationListFile(certificateRevocationListFile);
+ }
+ public void setSSLCARevocationFile(String certificateRevocationListFile) {
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateRevocationListFile(certificateRevocationListFile);
+ }
+ public void setSSLCARevocationPath(String certificateRevocationListPath) {
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateRevocationListPath(certificateRevocationListPath);
+ }
+
// ------------------------------------------------------------- Common
code
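Review bot: The three setters added after line 445 carry no Javadoc, and two of them (setCrlFile and setSSLCARevocationFile) have identical bodies, so nothing in the code says which name is the canonical attribute and which ones are kept for the old connector-level attributes that http.xml in this same commit now calls aliases. A one-line Javadoc on each, e.g. `/** Alias for the certificateRevocationListFile attribute of the default SSLHostConfig, kept for the connector-level crlFile attribute. */`, would record that. Note also that the getters removed from AbstractHttp11JsseProtocol (getCrlFile) and Http11AprProtocol (getSSLCARevocationFile, getSSLCARevocationPath) get no counterpart here, so anything that read the configured CRL through the protocol handler must now go through the SSLHostConfig; presumably intended, but worth stating in the log. The enclosing class continues outside the hunk.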
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Tue May
5 19:23:55 2015
@@ -94,20 +94,6 @@ public class Http11AprProtocol extends A
/**
- * SSL CA revocation path.
- */
- public String getSSLCARevocationPath() { return
((AprEndpoint)getEndpoint()).getSSLCARevocationPath(); }
- public void setSSLCARevocationPath(String SSLCARevocationPath) {
((AprEndpoint)getEndpoint()).setSSLCARevocationPath(SSLCARevocationPath); }
-
-
- /**
- * SSL CA revocation file.
- */
- public String getSSLCARevocationFile() { return
((AprEndpoint)getEndpoint()).getSSLCARevocationFile(); }
- public void setSSLCARevocationFile(String SSLCARevocationFile) {
((AprEndpoint)getEndpoint()).setSSLCARevocationFile(SSLCARevocationFile); }
-
-
- /**
* Disable SSL compression.
*/
public boolean getSSLDisableCompression() { return
((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Tue May
5 19:23:55 2015
@@ -1037,12 +1037,6 @@ public abstract class AbstractEndpoint<S
this.trustManagerClassName = trustManagerClassName;
}
- private String crlFile = null;
- public String getCrlFile() {return crlFile;}
- public void setCrlFile(String crlFile) {
- this.crlFile = crlFile;
- }
-
private String sessionCacheSize = null;
public String getSessionCacheSize() { return sessionCacheSize;}
public void setSessionCacheSize(String s) { sessionCacheSize = s;}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Tue May 5
19:23:55 2015
@@ -233,21 +233,6 @@ public class AprEndpoint extends Abstrac
/**
- * SSL CA revocation path.
- */
- protected String SSLCARevocationPath = null;
- public String getSSLCARevocationPath() { return SSLCARevocationPath; }
- public void setSSLCARevocationPath(String SSLCARevocationPath) {
this.SSLCARevocationPath = SSLCARevocationPath; }
-
-
- /**
- * SSL CA revocation file.
- */
- protected String SSLCARevocationFile = null;
- public String getSSLCARevocationFile() { return SSLCARevocationFile; }
- public void setSSLCARevocationFile(String SSLCARevocationFile) {
this.SSLCARevocationFile = SSLCARevocationFile; }
-
- /**
* SSL disable TLS Session Tickets (RFC 4507).
*/
protected boolean SSLDisableSessionTickets = false;
@@ -564,7 +549,8 @@ public class AprEndpoint extends Abstrac
// Support Client Certificates
SSLContext.setCACertificate(ctx, SSLCACertificateFile,
SSLCACertificatePath);
// Set revocation
- SSLContext.setCARevocation(ctx, SSLCARevocationFile,
SSLCARevocationPath);
+ SSLContext.setCARevocation(ctx,
sslHostConfig.getCertificateRevocationListFile(),
+ sslHostConfig.getCertificateRevocationListPath());
// Client certificate verification
switch (sslHostConfig.getCertificateVerification()) {
case NONE:
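Review bot: The rewritten setCARevocation call passes both values straight from sslHostConfig with no indication of what happens when neither is configured, which is the default since the new SSLHostConfig fields have no initial value; the http.xml text in this commit says client certificates are then not checked against any revocation list, even when the verification switch just below is REQUIRED. A comment at the call site would make that visible to the next reader, e.g. `// Both may be null: revocation checking is then simply not configured, independent of certificateVerification`. The enclosing method starts and ends outside the hunk.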
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue May 5
19:23:55 2015
@@ -50,8 +50,8 @@ public class SSLHostConfig {
private int certificateVerificationDepth = 10;
private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
private boolean honorCipherOrder = false;
-
private Set<String> protocols = new HashSet<>();
+ private String certificateRevocationListFile;
// JSSE
private String certificateKeystorePassword = "changeit";
private String certificateKeystoreFile =
System.getProperty("user.home")+"/.keystore";
@@ -59,6 +59,7 @@ public class SSLHostConfig {
// OpenSSL
private String certificateFile;
private String certificateKeyFile;
+ private String certificateRevocationListPath;
public SSLHostConfig() {
// Set defaults that can't be (easily) set when defining the fields.
@@ -117,6 +118,16 @@ public class SSLHostConfig {
}
+ public void setCertificateRevocationListFile(String
certificateRevocationListFile) {
+ this.certificateRevocationListFile = certificateRevocationListFile;
+ }
+
+
+ public String getCertificateRevocationListFile() {
+ return certificateRevocationListFile;
+ }
+
+
public void setCertificateVerification(String certificateVerification) {
this.certificateVerification =
CertificateVerification.fromString(certificateVerification);
}
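Review bot: The setter introduced here is named setCertificateRevocationListFile (and the one in the next hunk setCertificateRevocationListPath), but the http.xml entries added in this commit document the SSLHostConfig attributes as certificateRevocationFile and certificateRevocationPath; if attributes are applied to SSLHostConfig by reflective name matching, as the alias setters in AbstractHttp11Protocol suggest, a user following the documentation would get an unknown-attribute error rather than a working CRL. The alias setters and the AprEndpoint/JSSESocketFactory call sites all use the "List" spelling, so the documentation looks like the side to change, e.g. `<attribute name="certificateRevocationListFile" required="false">` and `<attribute name="certificateRevocationListPath" required="false">`; the same entries also spell "OpenSSl". The enclosing class continues outside the hunk.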
@@ -275,6 +286,17 @@ public class SSLHostConfig {
}
+ public void setCertificateRevocationListPath(String
certificateRevocationListPath) {
+ setProperty("certificateRevocationListPath", Type.OPENSSL);
+ this.certificateRevocationListPath = certificateRevocationListPath;
+ }
+
+
+ public String getCertificateRevocationListPath() {
+ return certificateRevocationListPath;
+ }
+
+
// ----------------------------------------------------------- Inner
classes
public static enum Type {
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Tue May 5 19:23:55 2015
@@ -435,7 +435,7 @@ public class JSSESocketFactory implement
protected TrustManager[] getTrustManagers(String keystoreType,
String keystoreProvider, String algorithm)
throws Exception {
- String crlf = endpoint.getCrlFile();
+ String crlf = sslHostConfig.getCertificateRevocationListFile();
String className = endpoint.getTrustManagerClassName();
if(className != null && className.length() > 0) {
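Review bot: The new line 435 reads the CRL file from sslHostConfig while the trust-manager class name on the next line still comes from endpoint, so getTrustManagers now mixes two configuration sources without saying why; if this is an intermediate state of the move to SSLHostConfig, a short comment such as `// CRL file moved to SSLHostConfig; trustManagerClassName not yet migrated` would stop a later reader from "fixing" one lookup back to match the other. getTrustManagers continues past the end of the hunk.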
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1677881&r1=1677880&r2=1677881&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Tue May 5 19:23:55 2015
@@ -1069,6 +1069,20 @@
behaviour is not to use a password.</p>
</attribute>
+ <attribute name="certificateRevocationFile" required="false">
+ <p>Name of the file that contains the concatenated certificate revocation
+ lists for the certificate authorities. The format is PEM-encoded. If not
+ defined, client certificates will not be checked against a certificate
+ revocation list (unless an OpenSSl based connector is used and
+ <strong>certificateRevocationPath</strong> is defined).</p>
+ </attribute>
+
+ <attribute name="certificateRevocationPath" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the directory that contains the certificate revocation lists
+ for the certificate authorities. The format is PEM-encoded.</p>
+ </attribute>
+
<attribute name="certificateVerification" required="false">
<p>Set to <code>required</code> if you want the SSL stack to require a
valid certificate chain from the client before accepting a connection.
@@ -1173,9 +1187,9 @@
</attribute>
<attribute name="crlFile" required="false">
- <p>The certificate revocation list to be used to verify client
- certificates. If not defined, client certificates will not be checked
- against a certificate revocation list.</p>
+ <p>This is an alias for the <code>certificateRevocationFile</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
</attribute>
<attribute name="keyAlias" required="false">
@@ -1350,13 +1364,15 @@
</attribute>
<attribute name="SSLCARevocationFile" required="false">
- <p>Name of the file that contains the concatenated certificate revocation
- lists for the certificate authorities. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>certificateRevocationFile</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
</attribute>
<attribute name="SSLCARevocationPath" required="false">
- <p>Name of the directory that contains the certificate revocation lists
- for the certificate authorities. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>certificateRevocationPath</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
</attribute>
<attribute name="SSLCertificateChainFile" required="false">