Author: markt Date: Thu May 7 11:07:50 2015 New Revision: 1678165 URL: http://svn.apache.org/r1678165 Log: Move remaining OpenSSL TLS config attributes to SSLHostConfig
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1678165&r1=1678164&r2=1678165&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu May 7 11:07:50 2015
@@ -524,6 +524,36 @@ public abstract class AbstractHttp11Prot
 }
+ public void setSSLCertificateChainFile(String certificateChainFile) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setCertificateChainFile(certificateChainFile);
+ }
+
+
+ public void setSSLCACertificatePath(String caCertificatePath) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setCaCertificatePath(caCertificatePath);
+ }
+
+
+ public void setSSLCACertificateFile(String caCertificateFile) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setCaCertificateFile(caCertificateFile);
+ }
+
+
+ public void setSSLDisableCompression(boolean disableCompression) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setDisableCompression(disableCompression);
+ }
+
+
+ public void setSSLDisableSessionTickets(boolean disableSessionTickets) {
+ registerDefaultSSLHostConfig();
+ defaultSSLHostConfig.setDisableSessionTickets(disableSessionTickets);
+ }
+
+
 // ------------------------------------------------------------- Common code
 // Common configuration required for all new HTTP11 processors
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1678165&r1=1678164&r2=1678165&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu May 7 11:07:50 2015
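Review bot: No alias for the legacy insecure-renegotiation attribute is added next to the five new setters, although this same commit removes `setSSLInsecureRenegotiation` from AprEndpoint and introduces `setInsecureRenegotiation` on SSLHostConfig. Unless it is aliased somewhere outside this hunk, a connector that still sets `SSLInsecureRenegotiation` would lose that setting and fall back to the secure default; fail-safe, but an undocumented behaviour change for users who relied on it for legacy clients. Suggest adding `public void setSSLInsecureRenegotiation(boolean insecureRenegotiation) { registerDefaultSSLHostConfig(); defaultSSLHostConfig.setInsecureRenegotiation(insecureRenegotiation); }` alongside the others. The getters removed from Http11AprProtocol in this commit also have no counterpart here, so these values are presumably no longer readable through the protocol handler (for example via JMX) — worth confirming that is intended.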
@@ -70,42 +70,6 @@ public class Http11AprProtocol extends A
 public void setDeferAccept(boolean deferAccept) {
 ((AprEndpoint)getEndpoint()).setDeferAccept(deferAccept);
 }
- // -------------------- SSL related properties --------------------
-
- /**
- * SSL certificate chain file.
- */
- public String getSSLCertificateChainFile() { return ((AprEndpoint)getEndpoint()).getSSLCertificateChainFile(); }
- public void setSSLCertificateChainFile(String SSLCertificateChainFile) { ((AprEndpoint)getEndpoint()).setSSLCertificateChainFile(SSLCertificateChainFile); }
-
-
- /**
- * SSL CA certificate path.
- */
- public String getSSLCACertificatePath() { return ((AprEndpoint)getEndpoint()).getSSLCACertificatePath(); }
- public void setSSLCACertificatePath(String SSLCACertificatePath) { ((AprEndpoint)getEndpoint()).setSSLCACertificatePath(SSLCACertificatePath); }
-
-
- /**
- * SSL CA certificate file.
- */
- public String getSSLCACertificateFile() { return ((AprEndpoint)getEndpoint()).getSSLCACertificateFile(); }
- public void setSSLCACertificateFile(String SSLCACertificateFile) { ((AprEndpoint)getEndpoint()).setSSLCACertificateFile(SSLCACertificateFile); }
-
-
- /**
- * Disable SSL compression.
- */
- public boolean getSSLDisableCompression() { return ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }
- public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); }
-
- /**
- * Disable TLS Session Tickets (RFC 4507).
- */
- public boolean getSSLDisableSessionTickets() { return ((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); }
- public void setSSLDisableSessionTickets(boolean enable) { ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); }
-
-
 // ----------------------------------------------------- JMX related methods
 @Override
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1678165&r1=1678164&r2=1678165&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu May 7 11:07:50 2015
@@ -209,62 +209,6 @@ public class AprEndpoint extends Abstrac
 /**
- * SSL certificate chain file.
- */
- protected String SSLCertificateChainFile = null;
- public String getSSLCertificateChainFile() { return SSLCertificateChainFile; }
- public void setSSLCertificateChainFile(String SSLCertificateChainFile) { this.SSLCertificateChainFile = SSLCertificateChainFile; }
-
-
- /**
- * SSL CA certificate path.
- */
- protected String SSLCACertificatePath = null;
- public String getSSLCACertificatePath() { return SSLCACertificatePath; }
- public void setSSLCACertificatePath(String SSLCACertificatePath) { this.SSLCACertificatePath = SSLCACertificatePath; }
-
-
- /**
- * SSL CA certificate file.
- */
- protected String SSLCACertificateFile = null;
- public String getSSLCACertificateFile() { return SSLCACertificateFile; }
- public void setSSLCACertificateFile(String SSLCACertificateFile) { this.SSLCACertificateFile = SSLCACertificateFile; }
-
-
- /**
- * SSL disable TLS Session Tickets (RFC 4507).
- */
- protected boolean SSLDisableSessionTickets = false;
- public boolean getSSLDisableSessionTickets() { return SSLDisableSessionTickets; }
- public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets) { this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
-
- /**
- * SSL allow insecure renegotiation for the the client that does not
- * support the secure renegotiation.
- */
- protected boolean SSLInsecureRenegotiation = false;
- public void setSSLInsecureRenegotiation(boolean SSLInsecureRenegotiation) { this.SSLInsecureRenegotiation = SSLInsecureRenegotiation; }
- public boolean getSSLInsecureRenegotiation() { return SSLInsecureRenegotiation; }
-
- /**
- * Disables compression of the SSL stream. This thwarts CRIME attack
- * and possibly improves performance by not compressing uncompressible
- * content such as JPEG, etc.
- */
- protected boolean SSLDisableCompression = false;
-
- /**
- * Configures whether or not to use SSL compression. The default is
- * <code>false</code>.
- *
- * @param SSLDisableCompression Set to <code>true</code> to disable SSL
- * compression. This thwarts the CRIMEattack.
- */
- public void setSSLDisableCompression(boolean SSLDisableCompression) { this.SSLDisableCompression = SSLDisableCompression; }
- public boolean getSSLDisableCompression() { return SSLDisableCompression; }
-
- /**
 * Port in use.
 */
 @Override
@@ -470,7 +414,7 @@ public class AprEndpoint extends Abstrac
 sm.getString("endpoint.apr.failSslContextMake"), e);
 }
- if (SSLInsecureRenegotiation) {
+ if (sslHostConfig.getInsecureRenegotiation()) {
 boolean legacyRenegSupported = false;
 try {
 legacyRenegSupported = SSL.hasOp(SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
@@ -504,7 +448,7 @@ public class AprEndpoint extends Abstrac
 }
 // Disable compression if requested
- if (SSLDisableCompression) {
+ if (sslHostConfig.getDisableCompression()) {
 boolean disableCompressionSupported = false;
 try {
 disableCompressionSupported = SSL.hasOp(SSL.SSL_OP_NO_COMPRESSION);
@@ -521,7 +465,7 @@ public class AprEndpoint extends Abstrac
 }
 // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
- if (SSLDisableSessionTickets) {
+ if (sslHostConfig.getDisableSessionTickets()) {
 boolean disableSessionTicketsSupported = false;
 try {
 disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
@@ -545,9 +489,11 @@ public class AprEndpoint extends Abstrac
 sslHostConfig.getCertificateKeyFile(), sslHostConfig.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA);
 // Set certificate chain file
- SSLContext.setCertificateChainFile(ctx, SSLCertificateChainFile, false);
+ SSLContext.setCertificateChainFile(
+ ctx, sslHostConfig.getCertificateChainFile(), false);
 // Support Client Certificates
- SSLContext.setCACertificate(ctx, SSLCACertificateFile, SSLCACertificatePath);
+ SSLContext.setCACertificate(ctx, sslHostConfig.getCaCertificateFile(),
+ sslHostConfig.getCaCertificatePath());
 // Set revocation
 SSLContext.setCARevocation(ctx, sslHostConfig.getCertificateRevocationListFile(), sslHostConfig.getCertificateRevocationListPath());
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1678165&r1=1678164&r2=1678165&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu May 7 11:07:50 2015
@@ -73,11 +73,16 @@ public class SSLHostConfig {
 private String truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
 private String truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
 private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
- // OpenSSL
+ private String certificateChainFile;
 private String certificateFile;
 private String certificateKeyFile;
 private String certificateRevocationListPath;
+ private String caCertificateFile;
+ private String caCertificatePath;
+ private boolean disableCompression = true;
+ private boolean disableSessionTickets = false;
+ private boolean insecureRenegotiation = false;
 public SSLHostConfig() {
 // Set defaults that can't be (easily) set when defining the fields.
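Review bot: `disableCompression` is introduced here with a default of `true`, whereas the `SSLDisableCompression` field this commit removes from AprEndpoint defaulted to `false`, so every existing APR/OpenSSL connector that never set the attribute changes behaviour on upgrade (TLS compression is now switched off when OpenSSL supports `SSL_OP_NO_COMPRESSION`). That is the right default against CRIME and the http.xml change in this commit documents it, but the log message only says the attributes were moved, so a changelog entry and a field comment would make the deliberate flip visible, e.g. `private boolean disableCompression = true; // deliberately stricter than the old AprEndpoint default (false): mitigates CRIME`. The hunk also drops the `// OpenSSL` marker that separated these fields from the JSSE truststore fields above them; keeping a short grouping comment would help readers tell the two families apart now that the block has grown.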
@@ -427,6 +432,16 @@ public class SSLHostConfig {
 // ------------------------------- OpenSSL specific configuration properties
+ public void setCertificateChainFile(String certificateChainFile) {
+ setProperty("certificateChainFile", Type.OPENSSL);
+ this.certificateChainFile = adjustRelativePath(certificateChainFile);
+ }
+
+ public String getCertificateChainFile() {
+ return certificateChainFile;
+ }
+
+
 public void setCertificateFile(String certificateFile) {
 setProperty("certificateFile", Type.OPENSSL);
 this.certificateFile = adjustRelativePath(certificateFile);
@@ -460,6 +475,61 @@ public class SSLHostConfig {
 }
+ public void setCaCertificateFile(String caCertificateFile) {
+ setProperty("caCertificateFile", Type.OPENSSL);
+ this.caCertificateFile = adjustRelativePath(caCertificateFile);
+ }
+
+
+ public String getCaCertificateFile() {
+ return caCertificateFile;
+ }
+
+
+ public void setCaCertificatePath(String caCertificatePath) {
+ setProperty("caCertificatePath", Type.OPENSSL);
+ this.caCertificatePath = adjustRelativePath(caCertificatePath);
+ }
+
+
+ public String getCaCertificatePath() {
+ return caCertificatePath;
+ }
+
+
+ public void setDisableCompression(boolean disableCompression) {
+ setProperty("disableCompression", Type.OPENSSL);
+ this.disableCompression = disableCompression;
+ }
+
+
+ public boolean getDisableCompression() {
+ return disableCompression;
+ }
+
+
+ public void setDisableSessionTickets(boolean disableSessionTickets) {
+ setProperty("disableSessionTickets", Type.OPENSSL);
+ this.disableSessionTickets = disableSessionTickets;
+ }
+
+
+ public boolean getDisableSessionTickets() {
+ return disableSessionTickets;
+ }
+
+
+ public void setInsecureRenegotiation(boolean insecureRenegotiation) {
+ setProperty("insecureRenegotiation", Type.OPENSSL);
+ this.insecureRenegotiation = insecureRenegotiation;
+ }
+
+
+ public boolean getInsecureRenegotiation() {
+ return insecureRenegotiation;
+ }
+
+
 // --------------------------------------------------------- Support methods
 private String adjustRelativePath(String path) {
Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1678165&r1=1678164&r2=1678165&view=diff ==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu May 7 11:07:50 2015
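Review bot: None of the new SSLHostConfig accessors carry Javadoc, and two of them have security consequences that the code itself does not explain: `setInsecureRenegotiation(true)` re-enables unsafe legacy renegotiation (the AprEndpoint hunk in this commit gates `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` on it), and `setCaCertificateFile`/`setCaCertificatePath` define the trust anchors handed to `SSLContext.setCACertificate` for client certificate verification. Suggest a Javadoc on `setInsecureRenegotiation` stating that it should stay `false` unless legacy clients that lack RFC 5746 secure renegotiation must be supported, because enabling it reopens the TLS renegotiation attack that RFC 5746 closed, and one on the CA setters describing them as the PEM trust anchors for client certificates. The getters could also note that `adjustRelativePath` has already been applied, so callers receive the resolved value rather than the configured string. The boolean getters keep the `get…` naming of the AprEndpoint code being replaced rather than the JavaBean `is…` form; fine if deliberate for the introspection-based property setting, but a one-line comment would stop the next reader "fixing" it.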
@@ -1031,6 +1031,13 @@
 <attributes>
+ <attribute name="certificateChainFile" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the file that contains concatenated certifcates for the
+ certificate authorities which form the certifcate chain for the server
+ certificate. The format is PEM-encoded.</p>
+ </attribute>
+
 <attribute name="certificateFile" required="true">
 <p>OpenSSL only.</p>
 <p>Name of the file that contains the server certificate. The format is
@@ -1140,6 +1147,18 @@
 of 10 will be used.</p>
 </attribute>
+ <attribute name="caCertificateFile" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the file that contains the concatenated certificates for the
+ trusted certificate authorities. The format is PEM-encoded.</p>
+ </attribute>
+
+ <attribute name="caCertificatePath" required="false">
+ <p>OpenSSL only.</p>
+ <p>Name of the directory that contains the certificates for the trusted
+ certificate authorities. The format is PEM-encoded.</p>
+ </attribute>
+
 <attribute name="ciphers" required="false">
 <p>The ciphers to enable using the OpenSSL syntax. (See the OpenSSL documentation for the list of ciphers supported and the syntax).
@@ -1156,6 +1175,19 @@
 treated as an order of preference. See <code>honorCipherOrder</code>.</p>
 </attribute>
+ <attribute name="disableCompression" required="false">
+ <p>OpenSSL only.</p>
+ <p>Disables compression if set to <code>true</code> and OpenSSL supports
+ disabling compression. Default is <code>true</code>. If <code>false</code>
+ the default compression setting in OpenSSL will be used.</p>
+ </attribute>
+
+ <attribute name="disableSessionTickets" required="false">
+ <p>OpenSSL only.</p>
+ <p>Disables use of TLS Session Tickets (RFC 4507) if set to
+ <code>true</code>. Default is <code>false</code>.</p>
+ </attribute>
+
 <attribute name="honorCipherOrder" required="false">
 <p>Set to <code>true</code> to enforce the server's cipher order (from the <code>ciphers</code> setting) instead of allowing
@@ -1169,6 +1201,14 @@
 of <code>_default_</code> will be used.</p>
 </attribute>
+ <attribute name="insecureRenegotiation" required="false">
+ <p>OpenSSL only.</p>
+ <p>Enables insecure renegotiation if set to <code>true</code> and OpenSSL
+ supports enabling insecure renegotiation. Default is <code>false</code>.
+ If <code>false</code> the default insecure renegotiation setting in
+ OpenSSL will be used.</p>
+ </attribute>
+
 <attribute name="keyManagerAlgorithm" required="false">
 <p>JSSE only.</p>
 <p>The <code>KeyManager</code> algorithm to be used. This defaults to
@@ -1451,13 +1491,15 @@
 <attributes>
 <attribute name="SSLCACertificateFile" required="false">
- <p>Name of the file that contains the concatenated certificates for the
- trusted certificate authorities. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>caCertificateFile</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
 </attribute>
 <attribute name="SSLCACertificatePath" required="false">
- <p>Name of the directory that contains the certificates for the trusted
- certificate authorities. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>caCertificatePath</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
 </attribute>
 <attribute name="SSLCARevocationFile" required="false">
@@ -1473,9 +1515,9 @@
 </attribute>
 <attribute name="SSLCertificateChainFile" required="false">
- <p>Name of the file that contains concatenated certifcates for the
- certificate authorities which form the certifcate chain for the server
- certificate. The format is PEM-encoded.</p>
+ <p>This is an alias for the <code>certificateChainFile</code>
+ attribute of the default
+ <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a> element.</p>
 </attribute>
 <attribute name="SSLCertificateFile" required="true">
@@ -1496,9 +1538,9 @@
 </attribute>
 <attribute name="SSLDisableCompression" required="false">
- <p>Disables compression if set to <code>true</code> and OpenSSL supports
- disabling compression. Default is <code>false</code> which inherits the
- default compression setting in OpenSSL.</p>
+ <p>This is an alias for the <code>disableCompression</code> attribute of
+ the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
 </attribute>
 <attribute name="SSLHonorCipherOrder" required="false">
@@ -1532,8 +1574,9 @@
 </attribute>
 <attribute name="SSLDisableSessionTickets" required="false">
- <p>Disables use of TLS Session Tickets (RFC 4507) if set to
- <code>true</code>. Default is <code>false</code>.</p>
+ <p>This is an alias for the <code>disableSessionTickets</code> attribute
+ of the default <a href="#SSL_Support_-_SSLHostConfig">SSLHostConfig</a>
+ element.</p>
 </attribute>
 </attributes>
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org