From 3e0b95be4fb25eb0eee0dfc7cda70e94a9be85c0 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Fri, 8 May 2015 12:06:20 +1000
Subject: [PATCH] 430951 Support SNI with ExtendedSslContextFactory

made ExtendedSslContextFactory work with non SNI keystore
---
 .../org/eclipse/jetty/embedded/LikeJettyXml.java   |  3 ++-
 .../jetty/util/ssl/ExtendedSslContextFactory.java  | 10 +++++++++-
 .../jetty/util/ssl/SniX509ExtendedKeyManager.java  | 14 +++++++++++---
 .../src/main/java/com/acme/test/TestListener.java  |  2 --
 4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java b/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
index 6e5866bf628..5040ade5e04 100644
--- a/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
+++ b/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
@@ -42,6 +42,7 @@ import org.eclipse.jetty.server.handler.DefaultHandler;
 import org.eclipse.jetty.server.handler.HandlerCollection;
 import org.eclipse.jetty.server.handler.RequestLogHandler;
 import org.eclipse.jetty.server.handler.StatisticsHandler;
+import org.eclipse.jetty.util.ssl.ExtendedSslContextFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.util.thread.ScheduledExecutorScheduler;
@@ -128,7 +129,7 @@ public class LikeJettyXml
 
         // === jetty-https.xml ===
         // SSL Context Factory
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new ExtendedSslContextFactory();
         sslContextFactory.setKeyStorePath(jetty_home + "/../../../jetty-server/src/test/config/etc/keystore");
         sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
         sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java
index 9e8442f9420..eb4c677f58e 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java
@@ -132,7 +132,7 @@ public class ExtendedSslContextFactory extends SslContextFactory
                     String cn = rdn.getValue().toString();
                     if (LOG.isDebugEnabled())
                         LOG.debug("Certificate cn alias={} cn={} in {}",alias,cn,_factory);
-                    if (cn!=null)
+                    if (cn!=null && cn.contains(".") && !cn.contains(" "))
                         _aliases.put(cn,alias);
                 }
             }
@@ -197,6 +197,14 @@ public class ExtendedSslContextFactory extends SslContextFactory
         public boolean matches(SNIServerName serverName)
         {
             LOG.debug("matches={} for {}",serverName,this);
+
+            if (_aliases.size()==0 && _wild.size()==0)
+            {
+                if (LOG.isDebugEnabled())
+                    LOG.debug("No SNI ready certificates for {} in {}",serverName,ExtendedSslContextFactory.this);
+                return true;
+            }
+
             if (serverName instanceof SNIHostName)
             {
                 _name=(SNIHostName)serverName;
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java
index 9730e3caabe..46516dcc9fe 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java
@@ -96,7 +96,7 @@ public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
         }
 
         if (LOG.isDebugEnabled())
-            LOG.debug("choose {} from {}",alias,Arrays.asList(aliases));
+            LOG.debug("matched {}/{} from {}",alias,host,Arrays.asList(aliases));
 
         // Check if the SNI selected alias is allowable
         if (alias!=null)
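Review bot: The new condition on the `if (cn!=null && cn.contains(".") && !cn.contains(" "))` line is a loose hostname heuristic: any CN containing a dot and no space is registered as an SNI alias, which also admits e-mail addresses and IP literals, and a CN whose letter case differs from the client's SNI name will only match if the lookup normalizes case (the lookup is outside this hunk). A brief comment would make the intent explicit, e.g. `// Register only CNs that look like DNS names; other CNs are not usable for SNI selection`. If subjectAltName dNSName entries are not consulted elsewhere in this method, certificates with a non-hostname CN and SAN-only hostnames will never be selectable by SNI, which is worth confirming against the enclosing loop; that loop starts outside the hunk.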
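Review bot: The early `return true` added to `matches` when `_aliases` and `_wild` are both empty accepts every SNI name without assigning `_name`, so any later code that reads `_name` for the no-certificate case (outside this hunk) will see whatever value it held before, which may be null or stale — worth confirming. A client that sends an SNI name the default certificate does not cover will then see a certificate-name mismatch rather than an `unrecognized_name` alert; that is reasonable for a non-SNI keystore but deserves a comment on the new block, e.g. `// No SNI-capable certificates: accept any name and let the delegate key manager pick the default certificate`. Style: `_aliases.isEmpty() && _wild.isEmpty()` is the idiomatic form, and the unguarded `LOG.debug("matches={} for {}",serverName,this);` directly above the new block is inconsistent with the `isDebugEnabled()` guard the block itself uses.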
@@ -120,14 +120,22 @@ public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager SSLSocket sslSocket = (SSLSocket)socket; String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession()); - return alias==NO_MATCHERS?_delegate.chooseServerAlias(keyType,issuers,socket):alias; + if (alias==NO_MATCHERS) + alias=_delegate.chooseServerAlias(keyType,issuers,socket); + if (LOG.isDebugEnabled()) + LOG.debug("chose {}/{} on {}",alias,keyType,socket); + return alias; } @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession()); - return alias==NO_MATCHERS?_delegate.chooseEngineServerAlias(keyType,issuers,engine):alias; + if (alias==NO_MATCHERS) + alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine); + if (LOG.isDebugEnabled()) + LOG.debug("chose {}/{} on {}",alias,keyType,engine); + return alias; } @Override diff --git a/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/TestListener.java b/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/TestListener.java index b4ea9027e9c..e98f2847aca 100644 --- a/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/TestListener.java +++ b/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/TestListener.java @@ -111,8 +111,6 @@ public class TestListener implements HttpSessionListener, HttpSessionAttributeL public void contextInitialized(ServletContextEvent sce) { - System.err.println("Calling TestListener.contextInitialized"); - sce.getServletContext().setAttribute("com.acme.AnnotationTest.sclInjectTest", Boolean.valueOf(maxAmount != null)); //Can't add a ServletContextListener from a ServletContextListener even if it is declared in web.xml
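Review bot: Both `chooseServerAlias(…, Socket)` and `chooseEngineServerAlias` now end in the same five lines — delegate fallback, guarded debug log, `return alias;` — differing only in the delegate call and the logged endpoint, so a small private helper that logs and returns the alias would remove the duplication, as sketched below. The `alias==NO_MATCHERS` comparison relies on reference identity of the sentinel, which is fine only as long as the four-argument `chooseServerAlias` (outside this hunk) returns the constant itself rather than an equal copy. Both enclosing methods start outside the hunk.
```java
        if (alias==NO_MATCHERS)
            alias=_delegate.chooseServerAlias(keyType,issuers,socket);
        return chosen(alias,keyType,socket);
    }

    // … unchanged: chooseEngineServerAlias, same shape with _delegate.chooseEngineServerAlias(keyType,issuers,engine) …

    /** Logs the selected alias at debug level and returns it unchanged. */
    private String chosen(String alias, String keyType, Object endpoint)
    {
        if (LOG.isDebugEnabled())
            LOG.debug("chose {}/{} on {}",alias,keyType,endpoint);
        return alias;
    }
```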