Author: markt
Date: Thu Apr 30 21:14:35 2015
New Revision: 1677075
URL: http://svn.apache.org/r1677075
Log:
Move trustMaxCertLength/SSLVerifyDepth to SSLHostConfig
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11JsseProtocol.java
Thu Apr 30 21:14:35 2015
@@ -73,13 +73,6 @@ public abstract class AbstractHttp11Jsse
return getEndpoint().getTruststoreAlgorithm();
}
- public void setTrustMaxCertLength(String s){
- getEndpoint().setTrustMaxCertLength(s);
- }
- public String getTrustMaxCertLength(){
- return getEndpoint().getTrustMaxCertLength();
- }
-
public void setCrlFile(String s){getEndpoint().setCrlFile(s);}
public String getCrlFile(){ return getEndpoint().getCrlFile();}
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
(original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Thu
Apr 30 21:14:35 2015
@@ -397,6 +397,15 @@ public abstract class AbstractHttp11Prot
defaultSSLHostConfig.setCertificateVerification(certificateVerification);
}
+ public void setTrustMaxCertLength(int certificateVerificationDepth){
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateVerificationDepth(certificateVerificationDepth);
+ }
+ public void setSSLVerifyDepth(int certificateVerificationDepth) {
+ registerDefaultSSLHostConfig();
+
defaultSSLHostConfig.setCertificateVerificationDepth(certificateVerificationDepth);
+ }
+
// ------------------------------------------------------------- Common
code
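Review bot: The two new setters carry no Javadoc and leave the property write-only on the protocol handler, because the matching getters are removed in the AbstractHttp11JsseProtocol and Http11AprProtocol hunks of this commit and nothing replaces them here. A Javadoc on each would help, e.g. `/** Alias for SSLHostConfig#setCertificateVerificationDepth: maximum chain depth accepted when verifying a client certificate, applied to the default SSLHostConfig. */`, with `setSSLVerifyDepth` noted as the APR-era spelling of the same property. The `trustMaxCertLength` signature also moves from String to int, so a value that previously logged "Bad maxCertLength" and fell back to the default now presumably fails in the property-conversion layer instead; worth confirming and mentioning in the changelog. If the class keeps getters for its other SSLHostConfig-backed properties, `public int getTrustMaxCertLength() { return defaultSSLHostConfig.getCertificateVerificationDepth(); }` (guarded the same way those getters are) would restore the attribute for JMX readers.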
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Thu Apr
30 21:14:35 2015
@@ -133,12 +133,6 @@ public class Http11AprProtocol extends A
/**
- * SSL verify depth.
- */
- public int getSSLVerifyDepth() { return
((AprEndpoint)getEndpoint()).getSSLVerifyDepth(); }
- public void setSSLVerifyDepth(int SSLVerifyDepth) {
((AprEndpoint)getEndpoint()).setSSLVerifyDepth(SSLVerifyDepth); }
-
- /**
* Disable SSL compression.
*/
public boolean getSSLDisableCompression() { return
((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Apr
30 21:14:35 2015
@@ -1063,12 +1063,6 @@ public abstract class AbstractEndpoint<S
this.crlFile = crlFile;
}
- private String trustMaxCertLength = null;
- public String getTrustMaxCertLength() {return trustMaxCertLength;}
- public void setTrustMaxCertLength(String trustMaxCertLength) {
- this.trustMaxCertLength = trustMaxCertLength;
- }
-
private String sessionCacheSize = null;
public String getSessionCacheSize() { return sessionCacheSize;}
public void setSessionCacheSize(String s) { sessionCacheSize = s;}
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Apr 30
21:14:35 2015
@@ -272,14 +272,6 @@ public class AprEndpoint extends Abstrac
public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets)
{ this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
/**
- * SSL verify depth.
- */
- protected int SSLVerifyDepth = 10;
- public int getSSLVerifyDepth() { return SSLVerifyDepth; }
- public void setSSLVerifyDepth(int SSLVerifyDepth) { this.SSLVerifyDepth =
SSLVerifyDepth; }
-
-
- /**
* SSL allow insecure renegotiation for the the client that does not
* support the secure renegotiation.
*/
@@ -617,7 +609,7 @@ public class AprEndpoint extends Abstrac
value = SSL.SSL_CVERIFY_REQUIRE;
break;
}
- SSLContext.setVerify(ctx, value, SSLVerifyDepth);
+ SSLContext.setVerify(ctx, value,
sslHostConfig.getCertificateVerificationDepth());
// For now, sendfile is not supported with SSL
if (getUseSendfile()) {
setUseSendfileInternal(false);
@@ -2918,8 +2910,7 @@ public class AprEndpoint extends Abstrac
public void doClientAuth(SSLSupport sslSupport) {
long socket = getSocket().longValue();
// Configure connection to require a certificate
- SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE,
- ((AprEndpoint)getEndpoint()).getSSLVerifyDepth());
+ SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
SSLSocket.renegotiate(socket);
}
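Review bot: `SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1)` replaces the configured verification depth with a bare literal in the renegotiation path, and neither the code nor the commit log explains the constant. If -1 tells tcnative to keep the depth already set on the context (which the setVerify hunk above now takes from `sslHostConfig.getCertificateVerificationDepth()`), a comment saying so would stop the next reader from taking it as "unlimited"; if it instead lifts the limit, the renegotiated client-auth path no longer honours `certificateVerificationDepth` and should pass the host config value like the earlier hunk does. I'd add `// -1: keep the verify depth configured on the SSLContext — TODO confirm against tcnative` or pass the configured depth explicitly. `doClientAuth` is fully visible, but the enclosing socket-wrapper class starts and ends outside the hunk.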
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Apr 30
21:14:35 2015
@@ -45,6 +45,7 @@ public class SSLHostConfig {
// Common
private CertificateVerification certificateVerification =
CertificateVerification.NONE;
+ private int certificateVerificationDepth = 10;
private Set<String> protocols = new HashSet<>();
// JSSE
@@ -111,6 +112,16 @@ public class SSLHostConfig {
}
+ public void setCertificateVerificationDepth(int
certificateVerificationDepth) {
+ this.certificateVerificationDepth = certificateVerificationDepth;
+ }
+
+
+ public int getCertificateVerificationDepth() {
+ return certificateVerificationDepth;
+ }
+
+
public void setHostName(String hostName) {
this.hostName = hostName;
}
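Review bot: `setCertificateVerificationDepth` accepts any int without validation or documentation, although its two consumers in this commit treat the value differently: `PKIXBuilderParameters.setMaxPathLength` takes -1 as "no limit" and throws `InvalidParameterException` for anything below -1, while the APR path hands the value straight to `SSLContext.setVerify`, whose handling of negative values I cannot confirm from here. A Javadoc stating the contract would help: `/** Maximum number of intermediate certificates accepted when verifying a client certificate chain. Default 10; -1 means no limit on the JSSE path. */`. A guard such as `if (certificateVerificationDepth < -1) throw new IllegalArgumentException("certificateVerificationDepth must be >= -1");` would surface a bad configuration at startup rather than on the first client-auth connection.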
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1677075&r1=1677074&r2=1677075&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Thu Apr 30 21:14:35 2015
@@ -527,33 +527,22 @@ public class JSSESocketFactory implement
* @param trustStore The configured TrustStore.
* @return The parameters including the CRLs and TrustStore.
*/
- protected CertPathParameters getParameters(String algorithm,
- String crlf,
- KeyStore trustStore)
- throws Exception {
- CertPathParameters params = null;
+ protected CertPathParameters getParameters(String algorithm, String crlf,
+ KeyStore trustStore) throws Exception {
+
if("PKIX".equalsIgnoreCase(algorithm)) {
PKIXBuilderParameters xparams =
- new PKIXBuilderParameters(trustStore, new X509CertSelector());
+ new PKIXBuilderParameters(trustStore, new
X509CertSelector());
Collection<? extends CRL> crls = getCRLs(crlf);
CertStoreParameters csp = new CollectionCertStoreParameters(crls);
CertStore store = CertStore.getInstance("Collection", csp);
xparams.addCertStore(store);
xparams.setRevocationEnabled(true);
- String trustLength = endpoint.getTrustMaxCertLength();
- if(trustLength != null) {
- try {
- xparams.setMaxPathLength(Integer.parseInt(trustLength));
- } catch(Exception ex) {
- log.warn("Bad maxCertLength: "+trustLength);
- }
- }
-
- params = xparams;
+
xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth());
+ return xparams;
} else {
throw new CRLException("CRLs not supported for type: "+algorithm);
}
- return params;
}
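Review bot: The JSSE default changes silently: `setMaxPathLength` used to be called only when `trustMaxCertLength` was configured, so an unconfigured connector kept `PKIXBuilderParameters`' own default of 5, whereas `xparams.setMaxPathLength(sslHostConfig.getCertificateVerificationDepth())` now always applies the host config default of 10. That loosens the accepted chain depth for every JSSE connector that never set the attribute, and the commit log describes only a move, so this deserves a changelog line or a comment such as `// Always applied: SSLHostConfig's default (10) supersedes the PKIX default of 5`. Dropping the "Bad maxCertLength" fallback is fine now that the property is an int, provided the conversion layer reports unparseable values rather than ignoring them. `sslHostConfig` is presumably a field of the factory; its initialisation is outside the hunk.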