This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 6ce18dc93a Allow user provided SSLContext instances on
SSLHostConfigCertificate
6ce18dc93a is described below
commit 6ce18dc93a054949e529952e809b159040b1d158
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Feb 7 13:47:32 2024 +0000
Allow user provided SSLContext instances on SSLHostConfigCertificate
Based on pull request #673 provided by Hakan Altındağ
https://github.com/apache/tomcat/pull/673
---
.../apache/tomcat/util/net/AbstractEndpoint.java | 4 ++-
.../tomcat/util/net/AbstractJsseEndpoint.java | 22 ++++++++++------
.../tomcat/util/net/SSLHostConfigCertificate.java | 29 +++++++++++++++++-----
webapps/docs/changelog.xml | 5 ++++
4 files changed, 46 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 53fcea14b7..05a1ede2ec 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -474,7 +474,8 @@ public abstract class AbstractEndpoint<S,U> {
protected void releaseSSLContext(SSLHostConfig sslHostConfig) {
for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
if (certificate.getSslContext() != null) {
- SSLContext sslContext = certificate.getSslContext();
+ // Only release the SSLContext if we generated it.
+ SSLContext sslContext = certificate.getSslContextGenerated();
if (sslContext != null) {
sslContext.destroy();
}
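Review bot: The generated context is destroyed but the reference to it is left in place, so until unbind() nulls it a caller of getSslContext() could be handed an already-destroyed context if releaseSSLContext() is reached on a path that does not also go through unbind() (I cannot confirm every caller from this hunk). Since setSslContextGenerated is package-private in the same package, clearing it here is cheap: after `sslContext.destroy();` add `certificate.setSslContextGenerated(null);`. The outer `if (certificate.getSslContext() != null)` is now redundant with the inner null check, because getSslContext() falls back to the generated context when none was provided; it could be dropped or replaced with a comment saying a provided context is deliberately never destroyed by Tomcat. The surrounding loop body runs past the end of the hunk.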
@@ -1323,6 +1324,7 @@ public abstract class AbstractEndpoint<S,U> {
public abstract void bind() throws Exception;
public abstract void unbind() throws Exception;
+
public abstract void startInternal() throws Exception;
public abstract void stopInternal() throws Exception;
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 7db261d825..b2a3390c6a 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -100,14 +100,18 @@ public abstract class AbstractJsseEndpoint<S,U> extends
AbstractEndpoint<S,U> {
sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers());
}
- SSLContext sslContext;
- try {
- sslContext = sslUtil.createSSLContext(negotiableProtocols);
- } catch (Exception e) {
- throw new IllegalArgumentException(e.getMessage(), e);
+ SSLContext sslContext = certificate.getSslContext();
+ // Generate the SSLContext from configuration unless (e.g.
embedded) an SSLContext has been provided.
+ if (sslContext == null) {
+ try {
+ sslContext = sslUtil.createSSLContext(negotiableProtocols);
+ } catch (Exception e) {
+ throw new IllegalArgumentException(e.getMessage(), e);
+ }
+
+ certificate.setSslContextGenerated(sslContext);
}
- certificate.setSslContext(sslContext);
logCertificate(certificate);
}
}
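Review bot: When a provided SSLContext is found, the `negotiableProtocols` argument is never applied to it, and the enabled ciphers written to sslHostConfig just above (`setEnabledCiphers(sslUtil.getEnabledCiphers())`) are still derived from the configuration rather than from the provided context, so what Tomcat records and logs as enabled may not match what the provided context actually negotiates, including ALPN for HTTP/2. That is an acceptable contract for an embedded caller, but it should be stated where the decision is made; I would extend the comment on the `if (sslContext == null)` branch to: `// A provided SSLContext is used as-is: negotiableProtocols (ALPN) and the sslUtil-derived enabled protocols/ciphers are not applied to it, and Tomcat never destroys it. The caller must supply a fully initialised context.` A warn-level log line when a provided context is in use would also help operators diagnose a TLS configuration that does not match server.xml. The enclosing createSSLContext method starts before the hunk.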
@@ -223,7 +227,11 @@ public abstract class AbstractJsseEndpoint<S,U> extends
AbstractEndpoint<S,U> {
public void unbind() throws Exception {
for (SSLHostConfig sslHostConfig : sslHostConfigs.values()) {
for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
- certificate.setSslContext(null);
+ /*
+ * Only remove any generated SSLContext. If the SSLContext was
provided it is left in place in case the
+ * endpoint is re-started.
+ */
+ certificate.setSslContextGenerated(null);
}
}
}
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
index 4b7b2a4c70..e50b4b0c5d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
@@ -50,10 +50,14 @@ public class SSLHostConfigCertificate implements
Serializable {
// Internal
private ObjectName oname;
- // OpenSSL can handle multiple certs in a single config so the reference to
- // the context is at the virtual host level. JSSE can't so the reference is
- // held here on the certificate.
- private transient volatile SSLContext sslContext;
+ /*
+ * OpenSSL can handle multiple certs in a single config so the reference
to the context is at the virtual host
+ * level. JSSE can't so the reference is held here on the certificate.
Typically, the SSLContext is generated from
+ * the configuration but, particularly in embedded scenarios, it can be
provided directly.
+ */
+ private transient volatile SSLContext sslContextProvided;
+ private transient volatile SSLContext sslContextGenerated;
+
// Common
private final SSLHostConfig sslHostConfig;
@@ -90,12 +94,25 @@ public class SSLHostConfigCertificate implements
Serializable {
public SSLContext getSslContext() {
- return sslContext;
+ if (sslContextProvided != null) {
+ return sslContextProvided;
+ }
+ return sslContextGenerated;
}
public void setSslContext(SSLContext sslContext) {
- this.sslContext = sslContext;
+ this.sslContextProvided = sslContext;
+ }
+
+
+ public SSLContext getSslContextGenerated() {
+ return sslContextGenerated;
+ }
+
+
+ void setSslContextGenerated(SSLContext sslContext) {
+ this.sslContextGenerated = sslContext;
}
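Review bot: The public setSslContext()/getSslContext() pair changes meaning here but carries no Javadoc: setSslContext() now registers a caller-provided context that takes precedence over any generated one (getSslContext() returns the provided context first), and `setSslContext(null)` now clears only the provided context and leaves a generated one in place, which is a change from the previous behaviour where it cleared the only reference. I would add Javadoc to setSslContext() stating that the context must already be fully initialised with its key and trust managers, that Tomcat neither applies the configured protocols, ciphers or ALPN list to it nor destroys it on stop, so the caller owns its lifecycle and key material, and that passing null only withdraws a previously provided context. Whether an uninitialised context can be passed here cannot be told from this hunk; if the SSLContext abstraction allows it, a note that it is not validated at this point belongs in the same Javadoc.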
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7cbb3c3d9e..2a6b38f9d5 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -147,6 +147,11 @@
operations from debug level to trace. In particular, most of the
HTTP/2 debug logging has been changed to trace level. (remm)
</fix>
+ <fix>
+ Add support for user provided <code>SSLContext</code> instances
+ configured on <code>SSLHostConfigCertificate</code> instances. Based on
+ pull request <pr>673</pr> provided by Hakan Altındağ. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">