billbarker    2003/03/28 23:37:25

  Modified:    util/java/org/apache/tomcat/util/net/jsse JSSE14Support.java
                        JSSESupport.java
  Log:
  Yet more improvements for JSSE 1.1.x
  
  The timeout is still problematic.  The settings here work-for-me, but I'm open to 
tweaking.  The old settings were too strict, since they didn't give enough time for 
non-MSIE browsers to finish the client interaction.  The new settings are still a 
little slow however.
  
  The main fix is that since JSSE 1.1.x already computes X509Certificates, we don't 
have to waste cycles computing them again.
  
  Revision  Changes    Path
  1.2       +36 -7     
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java
  
  Index: JSSE14Support.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE14Support.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- JSSE14Support.java        17 Mar 2003 04:04:07 -0000      1.1
  +++ JSSE14Support.java        29 Mar 2003 07:37:25 -0000      1.2
  @@ -64,13 +64,15 @@
   import java.net.*;
   import java.util.Vector;
   import java.security.cert.CertificateFactory;
  +import java.security.cert.X509Certificate;
  +import java.security.cert.Certificate;
   import javax.net.ssl.SSLSession;
   import javax.net.ssl.SSLSocket;
   import javax.net.ssl.SSLException;
   import javax.net.ssl.HandshakeCompletedListener;
   import javax.net.ssl.HandshakeCompletedEvent;
   import java.security.cert.CertificateFactory;
  -import javax.security.cert.X509Certificate;
  +
   
   /* JSSESupport
   
  @@ -112,12 +114,14 @@
           throws IOException {
           InputStream in = socket.getInputStream();
           int oldTimeout = socket.getSoTimeout();
  -        socket.setSoTimeout(100);
  +        socket.setSoTimeout(1000);
           byte[] b = new byte[0];
           listener.reset();
           socket.startHandshake();
  -        int maxTries = 50; // 50 * 100 = example 5 second rehandshake timeout
  +        int maxTries = 60; // 60 * 1000 = example 1 minute time out
           for (int i = 0; i < maxTries; i++) {
  +         if(logger.isTraceEnabled())
  +             logger.trace("Reading for try #" +i);
               try {
                   int x = in.read(b);
               } catch(SSLException sslex) {
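Review bot: The new values let a peer that never finishes the client-certificate exchange hold this request thread for up to 60 × 1000 ms, and both numbers are still literals inside the loop; lifting them into named fields such as `private static final int HANDSHAKE_READ_TIMEOUT_MS = 1000;` and `private static final int HANDSHAKE_MAX_TRIES = 60;` means the comment `// 60 * 1000 = example 1 minute time out` no longer has to be kept in sync by hand and the budget can later be made configurable instead of re-edited per release. The one-minute worst case per connection is worth stating in a comment above the loop so the next tuning is done with that cost in view. The local in `int x = in.read(b);` is never read in the visible lines; `in.read(b);` says the same. The enclosing method begins before this hunk and continues after it, so whether `oldTimeout` is restored on every exit path cannot be checked from here.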
  @@ -136,14 +140,39 @@
           }
       }
   
  +    protected X509Certificate [] getX509Certificates(SSLSession session) 
  +     throws IOException {
  +     Certificate [] certs = session.getPeerCertificates();
  +     X509Certificate [] x509Certs = new X509Certificate[certs.length];
  +     for(int i=0; i < certs.length; i++) {
  +         if( certs[i] instanceof X509Certificate ) {
  +             // always currently true with the JSSE 1.1.x
  +             x509Certs[i] = (X509Certificate)certs[i];
  +         } else {
  +             try {
  +                 byte [] buffer = certs[i].getEncoded();
  +                 CertificateFactory cf =
  +                     CertificateFactory.getInstance("X.509");
  +                 ByteArrayInputStream stream =
  +                     new ByteArrayInputStream(buffer);
  +                 x509Certs[i] = (X509Certificate)
  +                     cf.generateCertificate(stream);
  +             } catch(Exception ex) { 
  +                 logger.info("Error translating cert " + certs[i], ex);
  +                 return null;
  +             }
  +         }
  +     }
  +     if(x509Certs.length < 1)
  +         return null;
  +     return x509Certs;
  +    }
  +
  +
       private static class Listener implements HandshakeCompletedListener {
           volatile boolean completed = false;
           public void handshakeCompleted(HandshakeCompletedEvent event) {
               completed = true;
  -            if(logger.isTraceEnabled()) 
  -                logger.trace("SSL handshake done : Socket = " +
  -                             event.getSocket() );
  -
           }
           void reset() {
               completed = false;
  
  
  
  1.5       +47 -38    
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
  
  Index: JSSESupport.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JSSESupport.java  17 Mar 2003 04:04:07 -0000      1.4
  +++ JSSESupport.java  29 Mar 2003 07:37:25 -0000      1.5
  @@ -84,6 +84,8 @@
   */
   
   class JSSESupport implements SSLSupport {
  +    private org.apache.commons.logging.Log log =
  +     org.apache.commons.logging.LogFactory.getLog(JSSESupport.class);
   
       protected SSLSocket ssl;
   
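Review bot: `private org.apache.commons.logging.Log log = ...` is a non-final instance field, so every JSSESupport object — presumably one per SSL connection — performs its own logger lookup; the conventional form is `private static final org.apache.commons.logging.Log log = org.apache.commons.logging.LogFactory.getLog(JSSESupport.class);`. The new JSSE14Support code in this same commit refers to its logger as `logger` while this class uses `log`; if JSSE14Support extends this class, as its same-signature `getX509Certificates` suggests, one shared `protected static final` logger with one name would avoid two differently named loggers in the hierarchy.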
  @@ -105,51 +107,58 @@
           return getPeerCertificateChain(false);
       }
   
  +    protected java.security.cert.X509Certificate [] 
  +     getX509Certificates(SSLSession session) throws IOException {
  +        X509Certificate jsseCerts[] = null;
  +     jsseCerts = session.getPeerCertificateChain();
  +
  +     if(jsseCerts == null)
  +         jsseCerts = new X509Certificate[0];
  +     java.security.cert.X509Certificate [] x509Certs =
  +         new java.security.cert.X509Certificate[jsseCerts.length];
  +     for (int i = 0; i < x509Certs.length; i++) {
  +         try {
  +             byte buffer[] = jsseCerts[i].getEncoded();
  +             CertificateFactory cf =
  +                 CertificateFactory.getInstance("X.509");
  +             ByteArrayInputStream stream =
  +                 new ByteArrayInputStream(buffer);
  +             x509Certs[i] = (java.security.cert.X509Certificate)
  +                 cf.generateCertificate(stream);
  +             if(log.isTraceEnabled())
  +                 log.trace("Cert #" + i + " = " + x509Certs[i]);
  +         } catch(Exception ex) {
  +             log.info("Error translating " + jsseCerts[i], ex);
  +             return null;
  +         }
  +     }
  +     
  +     if ( x509Certs.length < 1 )
  +         return null;
  +     return x509Certs;
  +    }
       public Object[] getPeerCertificateChain(boolean force)
           throws IOException {
           // Look up the current SSLSession
  -        SSLSession session = ssl.getSession();
  +     SSLSession session = ssl.getSession();
           if (session == null)
               return null;
   
           // Convert JSSE's certificate format to the ones we need
  -        X509Certificate jsseCerts[] = null;
  -        java.security.cert.X509Certificate x509Certs[] = null;
  -        try {
  -            try {
  -                jsseCerts = session.getPeerCertificateChain();
  -            } catch(Exception bex) {
  -                // ignore.
  -            }
  -            if (jsseCerts == null)
  -                jsseCerts = new X509Certificate[0];
  -            if(jsseCerts.length <= 0 && force) {
  -                session.invalidate();
  -                handShake();
  -                session = ssl.getSession();
  -                jsseCerts = session.getPeerCertificateChain();
  -                if(jsseCerts == null)
  -                    jsseCerts = new X509Certificate[0];
  -            }
  -            x509Certs =
  -              new java.security.cert.X509Certificate[jsseCerts.length];
  -            for (int i = 0; i < x509Certs.length; i++) {
  -                byte buffer[] = jsseCerts[i].getEncoded();
  -                CertificateFactory cf =
  -                  CertificateFactory.getInstance("X.509");
  -                ByteArrayInputStream stream =
  -                  new ByteArrayInputStream(buffer);
  -                x509Certs[i] = (java.security.cert.X509Certificate)
  -                  cf.generateCertificate(stream);
  -            }
  -        } catch (Throwable t) {
  -            return null;
  -        }
  -
  -        if ((x509Certs == null) || (x509Certs.length < 1))
  -            return null;
  -
  -        return x509Certs;
  +     X509Certificate [] jsseCerts = null;
  +     try {
  +         jsseCerts = session.getPeerCertificateChain();
  +     } catch(Exception bex) {
  +         // ignore.
  +     }
  +     if (jsseCerts == null)
  +         jsseCerts = new X509Certificate[0];
  +     if(jsseCerts.length <= 0 && force) {
  +         session.invalidate();
  +         handShake();
  +         session = ssl.getSession();
  +     }
  +        return getX509Certificates(session);
       }
   
       protected void handShake() throws IOException {
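Review bot: The non-`force` path of `getPeerCertificateChain` can now throw where it used to return null: the removed `catch (Throwable t)` covered the whole conversion, but the new `return getX509Certificates(session);` sits outside any try, and `session.getPeerCertificateChain()` inside the new `getX509Certificates` throws `javax.net.ssl.SSLPeerUnverifiedException` when the client sent no certificate, which is the usual case on a connector that does not require client auth. Catching that exception inside `getX509Certificates` and returning null restores the contract callers rely on, and it also lets the first `getPeerCertificateChain()` call in `getPeerCertificateChain` — whose result is now only used for its length — be replaced by a null check on a single call. `session = ssl.getSession();` after `handShake()` is passed straight on without the null check the first lookup gets, so a dropped connection there becomes a NullPointerException rather than a null return. The added lines also mix tab and space indentation (`+     ` against the file's `+        `), which the unchanged lines do not.
```java
protected java.security.cert.X509Certificate []
    getX509Certificates(SSLSession session) throws IOException {
    X509Certificate jsseCerts[];
    try {
        jsseCerts = session.getPeerCertificateChain();
    } catch (javax.net.ssl.SSLPeerUnverifiedException e) {
        // client presented no certificate: treat as an empty chain
        return null;
    }
    if(jsseCerts == null)
        jsseCerts = new X509Certificate[0];
    // … unchanged: translation loop and length check …
}
```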
  
  
  
