Author: markt Date: Wed Dec 31 05:38:45 2008 New Revision: 730393 URL: http://svn.apache.org/viewvc?rev=730393&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44285 Make SSL session cache size and timeout configurable
Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Wed Dec 31 05:38:45 2008 @@ -1 +1 @@ -/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,687503,687645,690781,691392,691805,692748,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,709294,709811,709816,710063,710125,710205,711126,711600,712461,718360,719602,719626,719628,720069,726052,728032,728947,729057 +/tomcat/trunk:601180,606992,612607,630314,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,687503,687645,690781,691392,691805,692748,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,709294,709811,709816,710063,710125,710205,711126,711600,712461,718360,719602,719626,719628,720069,723404,726052,728032,728947,729057 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=730393&r1=730392&r2=730393&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Dec 31 05:38:45 2008 
@@ -191,12 +191,6 @@ possibly be exploited by a malicious webapp. -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44285 - Make SSL session cache size and timeout configurable - http://svn.apache.org/viewvc?rev=723404&view=rev - +1: markt, fhanik, jim - -1: - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46232 Don't override the endorsed dir if the user has set it http://svn.apache.org/viewvc?rev=723738&view=rev Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=730393&r1=730392&r2=730393&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Wed Dec 31 05:38:45 2008 @@ -47,6 +47,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLSessionContext; import javax.net.ssl.TrustManagerFactory; import org.apache.juli.logging.Log; @@ -589,7 +590,6 @@ public void setKeystoreType(String s ) { this.keystoreType = s;} protected String sslProtocol = "TLS"; - public String getSslProtocol() { return sslProtocol;} public void setSslProtocol(String s) { sslProtocol = s;} @@ -602,7 +602,6 @@ for (int i=0; i<sslEnabledProtocolsarr.length; i++ ) sslEnabledProtocolsarr[i] = t.nextToken(); } - protected String ciphers = null; protected String[] ciphersarr = new String[0]; public String getCiphers() { return ciphers;} 
@@ -615,7 +614,15 @@ for (int i=0; i<ciphersarr.length; i++ ) ciphersarr[i] = t.nextToken(); } } - + + protected int sessionCacheSize = 0; + public int getSessionCacheSize() { return sessionCacheSize;} + public void setSessionCacheSize(int i) { sessionCacheSize = i;} + + protected int sessionCacheTimeout = 86400; + public int getSessionCacheTimeout() { return sessionCacheTimeout;} + public void setSessionCacheTimeout(int i) { sessionCacheTimeout = i;} + /** * SSL engine. */ @@ -793,6 +800,12 @@ sslContext = SSLContext.getInstance(getSslProtocol()); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + SSLSessionContext sessionContext = + sslContext.getServerSessionContext(); + if (sessionContext != null) { + sessionContext.setSessionCacheSize(sessionCacheSize); + sessionContext.setSessionTimeout(sessionCacheTimeout); + } } if (oomParachute>0) reclaimParachute(true); Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=730393&r1=730392&r2=730393&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java Wed Dec 31 05:38:45 2008 @@ -49,6 +49,7 @@ import javax.net.ssl.SSLException; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; +import javax.net.ssl.SSLSessionContext; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; 
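Review bot: setSessionCacheSize and setSessionCacheTimeout accept any int, but the values are applied only in the later `@@ -793,6 +800,12 @@` hunk, where SSLSessionContext.setSessionCacheSize and setSessionTimeout throw IllegalArgumentException for a negative argument, so a mistyped `sessionCacheSize="-1"` surfaces as a bare exception at connector start instead of an error naming the attribute; a guard in each setter, `if (i < 0) throw new IllegalArgumentException("sessionCacheSize must be >= 0: " + i);` (and likewise for the timeout), reports it at the source. The new fields carry no comment, yet their defaults mean an unbounded server-side session cache whose entries live 86400 seconds, which is the memory ceiling an operator has to reason about on an exposed connector, so I would add `/** Max cached SSL sessions; 0 (default) = unlimited, bounded only by sessionCacheTimeout. */` and `/** Seconds a cached SSL session stays valid after creation; 0 = no limit. */`. The same two defaults are duplicated as constants in JSSESocketFactory in this commit; keeping them in one place avoids drift between the two connectors. The method containing the second hunk starts and ends outside the hunk.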
@@ -88,6 +89,9 @@ private static final String defaultKeystoreFile = System.getProperty("user.home") + "/.keystore"; private static final String defaultKeyPass = "changeit"; + private static final int defaultSessionCacheSize = 0; + private static final int defaultSessionTimeout = 86400; + static org.apache.juli.logging.Log log = org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class); @@ -413,6 +417,28 @@ trustAlgorithm), new SecureRandom()); + // Configure SSL session cache + int sessionCacheSize; + if (attributes.get("sessionCacheSize") != null) { + sessionCacheSize = Integer.parseInt( + (String)attributes.get("sessionCacheSize")); + } else { + sessionCacheSize = defaultSessionCacheSize; + } + int sessionCacheTimeout; + if (attributes.get("sessionCacheTimeout") != null) { + sessionCacheTimeout = Integer.parseInt( + (String)attributes.get("sessionCacheTimeout")); + } else { + sessionCacheTimeout = defaultSessionTimeout; + } + SSLSessionContext sessionContext = + context.getServerSessionContext(); + if (sessionContext != null) { + sessionContext.setSessionCacheSize(sessionCacheSize); + sessionContext.setSessionTimeout(sessionCacheTimeout); + } + // create proxy sslProxy = context.getServerSocketFactory(); Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=730393&r1=730392&r2=730393&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Dec 31 05:38:45 2008 
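Review bot: The attribute read here is `sessionCacheTimeout`, but the http.xml hunk in this same commit documents it as `sessionTimeout`, so one of the two names needs to change or the documented attribute is silently ignored and the 86400-second default always applies. Integer.parseInt is also called on the raw attribute string with no handling, so a typo in server.xml fails connector start with a NumberFormatException that names neither the attribute nor the value, and a negative value gets as far as SSLSessionContext.setSessionCacheSize/setSessionTimeout, which reject it with IllegalArgumentException. Since the parse-with-default block is written out twice, I would move it into a small helper that validates the value and reports the attribute name, as below. The enclosing method starts and ends outside the hunk.
```java
            // Configure SSL session cache
            int sessionCacheSize = parseIntAttribute("sessionCacheSize",
                    attributes.get("sessionCacheSize"), defaultSessionCacheSize);
            int sessionCacheTimeout = parseIntAttribute("sessionCacheTimeout",
                    attributes.get("sessionCacheTimeout"), defaultSessionTimeout);
            // … unchanged: SSLSessionContext configuration and proxy creation …

    // … new helper, added elsewhere in the class …
    /**
     * Parses an optional non-negative integer connector attribute.
     * Returns defaultValue when the attribute is absent; rejects
     * non-numeric or negative values with an error naming the attribute.
     */
    private static int parseIntAttribute(String name, Object value, int defaultValue) {
        if (value == null) {
            return defaultValue;
        }
        int result;
        try {
            result = Integer.parseInt((String) value);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(name + " must be an integer: " + value, e);
        }
        if (result < 0) {
            throw new IllegalArgumentException(name + " must not be negative: " + result);
        }
        return result;
    }
```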
@@ -229,6 +229,10 @@ <bug>43327</bug>: Socket bind fails when using APR on a system with IPv6 enabled but no explicit IPv6 address configured. (markt/jfclere) </fix> + <add> + <bug>44285</bug>: Make the SSL session cache size and timeout + configurable. (markt) + </add> <fix> <bug>45528</bug>: Add detection for invalid SSL configuration to prevent infinite logging loop on start-up. (markt) Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=730393&r1=730392&r2=730393&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Wed Dec 31 05:38:45 2008 @@ -103,20 +103,14 @@ the container during FORM or CLIENT-CERT authentication. For both types of authentication, the POST will be saved/buffered before the user is authenticated. For CLIENT-CERT authentication, the POST is buffered for - the duration of - the SSL handshake and the buffer emptied when the request - is processed. For FORM authentication the POST is - saved whilst the user + the duration of the SSL handshake and the buffer emptied when the request + is processed. For FORM authentication the POST is saved whilst the user is re-directed to the login form and is retained until the user successfully authenticates or the session associated with the authentication request expires. The limit can be disabled by setting this - attribute to -1. Setting the attribute to - zero will disable the saving of - POST data during authentication -. If not - specified, this attribute is set - to - 4096 (4 kilobytes).</p> + attribute to -1. Setting the attribute to zero will disable the saving of + POST data during authentication. If not specified, this attribute is set + to 4096 (4 kilobytes).</p> </attribute> <attribute name="protocol" required="false"> 
@@ -724,6 +718,18 @@ </p> </attribute> + <attribute name="sessionCacheSize" required="false"> + <p>The number of SSL sessions to maintain in the session cache. Use 0 to + specify an unlimited cache size. If not specified, a default of 0 is + used.</p> + </attribute> + + <attribute name="sessionTimeout" required="false"> + <p>The time, in seconds, after the creation of an SSL session that it will + timeout. Use 0 to specify an unlimited timeout. If not specified, a + default of 86400 (24 hours) is used.</p> + </attribute> + </attributes> <p>For more information, see the --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org