Author: jfclere Date: Mon Mar 17 05:49:46 2008 New Revision: 637867 URL: http://svn.apache.org/viewvc?rev=637867&view=rev Log: Allow specifying the random device to use (with docs).
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=637867&r1=637866&r2=637867&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Mar 17 05:49:46 2008 @@ -55,13 +55,6 @@ +0: remm: do we really want to fix these sort of "bugs" ? -1: -* Allow to specify the random device to use. (/dev/urandom is faster). - http://svn.apache.org/viewvc?view=rev&revision=602114 - http://svn.apache.org/viewvc?view=rev&revision=601795 - +1: jfclere, fhanik, remm - +0: markt, jim - should really be added to the docs as well - -1: - * Revert back to original patch proposed for UTF8 parsing. This also fixes the regression for 6.0.16 and 5.5.26 (and possibly 4.1.37) mentioned in http://issues.apache.org/bugzilla/show_bug.cgi?id=44494 Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java?rev=637867&r1=637866&r2=637867&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/AprLifecycleListener.java Mon Mar 17 05:49:46 2008 @@ -64,6 +64,7 @@ // ---------------------------------------------- Properties protected static String SSLEngine = "on"; //default on + protected static String SSLRandomSeed = "builtin"; protected static boolean sslInitialized = false; protected static boolean aprInitialized = false; 
@@ -204,14 +205,21 @@ //only once per VM return; } - String methodName = "initialize"; + String methodName = "randSet"; Class paramTypes[] = new Class[1]; paramTypes[0] = String.class; Object paramValues[] = new Object[1]; - paramValues[0] = "on".equalsIgnoreCase(SSLEngine)?null:SSLEngine; + paramValues[0] = SSLRandomSeed; Class clazz = Class.forName("org.apache.tomcat.jni.SSL"); Method method = clazz.getMethod(methodName, paramTypes); method.invoke(null, paramValues); + + + methodName = "initialize"; + paramValues[0] = "on".equalsIgnoreCase(SSLEngine)?null:SSLEngine; + method = clazz.getMethod(methodName, paramTypes); + method.invoke(null, paramValues); + sslInitialized = true; } @@ -223,4 +231,11 @@ this.SSLEngine = SSLEngine; } + public String getSSLRandomSeed() { + return SSLRandomSeed; + } + + public void setSSLRandomSeed(String SSLRandomSeed) { + this.SSLRandomSeed = SSLRandomSeed; + } } Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=637867&r1=637866&r2=637867&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/jni/SSL.java Mon Mar 17 05:49:46 2008 
@@ -227,6 +227,12 @@ public static native int initialize(String engine); /** + * Set source of entropy to use in SSL + * @param filename Filename containing random data + */ + public static native boolean randSet(String filename); + + /** * Add content of the file to the PRNG * @param filename Filename containing random data. * If null the default file will be tested. Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=637867&r1=637866&r2=637867&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Mar 17 05:49:46 2008 @@ -57,6 +57,9 @@ <subsection name="Coyote"> <changelog> <update> + APR: Allow to specify the "random device" to use to collect the entropy. (jfclere) + </update> + <update> Fix NIO/SSL live lock during client disconnect (fhanik) </update> <fix> Modified: tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml?rev=637867&r1=637866&r2=637867&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml Mon Mar 17 05:49:46 2008 
@@ -282,11 +282,11 @@ <subsection name="Edit the Tomcat Configuration File"> <p>If you are using APR, you have the option of configuring an alternative engine to openSSL. <source> -<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="someengine" /> +<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="someengine" SSLRandomSeed="somedevice" /> </source> The default value is <source> -<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> +<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" /> </source> So to use SSL under APR, make sure the SSLEngine attribute is set to something other than <code>off</code>. The default value is <code>on</code> and if you specify another value, it has to be a valid engine name. @@ -295,6 +295,9 @@ <source> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" /> </source> +SSLRandomSeed allows to specify a source of entropy. Productive system needs a reliable source of entropy +but entropy may need a lot of time to be collected therefore test systems could use no blocking entropy +sources like "/dev/urandom" that will allow quicker starts of Tomcat. </p>
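Review bot: In the AprLifecycleListener.java hunk at @@ -204,14 +205,21 @@ the boolean that randSet returns is discarded, so a mistyped or unreadable SSLRandomSeed value (a device path that does not exist, for instance) is silently ignored and initialize() goes ahead with whatever seeding the library falls back to, which on a production system is exactly the condition an operator needs to hear about. Capture the result of the first reflective call, e.g. `Boolean seeded = (Boolean) method.invoke(null, paramValues);`, and log a warning (or leave sslInitialized false) when it is false. Separately, the three consecutive blank lines inserted between the two invoke blocks should be collapsed to one.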
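Review bot: In the getter/setter hunk at @@ -223,4 +231,11 @@ the setter writes a static field through an instance reference (`this.SSLRandomSeed = SSLRandomSeed;`), copying the existing SSLEngine pattern; `AprLifecycleListener.SSLRandomSeed = SSLRandomSeed;` states the intent and avoids the static-via-instance warning. The value is also handed straight to native code as a file name with no validation, so the setter should at least reject null and empty strings, and the new property deserves a Javadoc line naming the special value "builtin" that the field defaults to.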
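Review bot: The SSL.java hunk at @@ -227,6 +227,12 @@ declares `public static native boolean randSet(String filename);` but its Javadoc says nothing about the return value or about the "builtin" value that AprLifecycleListener passes by default; state what true and false mean and that any other string is treated as a path to read random data from. This revision touches only the Java side and the docs, so a Tomcat running against an older tomcat-native library will hit an UnsatisfiedLinkError from the reflective call in AprLifecycleListener; the minimum native library version that provides randSet should be recorded in the changelog or the SSL how-to.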
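Review bot: The changelog.xml hunk at @@ -57,6 +57,9 @@ names the feature but not the configuration attribute it adds, so a reader cannot grep for it; suggest "APR: Add the SSLRandomSeed attribute to AprLifecycleListener to specify the random device used to collect entropy. (jfclere)".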
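Review bot: In the ssl-howto.xml hunk at @@ -282,11 +282,11 @@ the SSLRandomSeed="somedevice" example is placed under the sentence "you have the option of configuring an alternative engine to openSSL", which now misdescribes what the example shows; introduce SSLRandomSeed in its own sentence before the example (or give it a separate example) so the engine and the entropy source are not conflated.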
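Review bot: The new paragraph in the ssl-howto.xml hunk at @@ -295,6 +295,9 @@ needs its grammar fixed and its security caveat made explicit: "SSLRandomSeed allows to specify" should read "SSLRandomSeed allows you to specify", "Productive system needs" should read "Production systems need", and "no blocking entropy sources" should read "non-blocking entropy sources". The paragraph should also say what the default "builtin" does, and state plainly that the quicker start comes from "/dev/urandom" never blocking, which is the same property that makes it unsuitable for a production system that needs a reliable source of entropy.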