430951 Support SNI with ExtendedSslContextFactory

made ExtendedSslContextFactory work with non SNI keystore
2015-05-08 12:06:20 +10:00 · 2015-05-08 12:06:20 +10:00 · 3e0b95be4f
parent 6428718962
commit 3e0b95be4f
4 changed files with 22 additions and 7 deletions
--- a/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
+++ b/examples/embedded/src/main/java/org/eclipse/jetty/embedded/LikeJettyXml.java
@ -42,6 +42,7 @@ import org.eclipse.jetty.server.handler.DefaultHandler;
 import org.eclipse.jetty.server.handler.HandlerCollection;
 import org.eclipse.jetty.server.handler.RequestLogHandler;
 import org.eclipse.jetty.server.handler.StatisticsHandler;
+import org.eclipse.jetty.util.ssl.ExtendedSslContextFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.util.thread.ScheduledExecutorScheduler;
@ -128,7 +129,7 @@ public class LikeJettyXml

        // === jetty-https.xml ===
        // SSL Context Factory
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new ExtendedSslContextFactory();
        sslContextFactory.setKeyStorePath(jetty_home + "/../../../jetty-server/src/test/config/etc/keystore");
        sslContextFactory.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
        sslContextFactory.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java
@ -132,7 +132,7 @@ public class ExtendedSslContextFactory extends SslContextFactory
                                String cn = rdn.getValue().toString();
                                if (LOG.isDebugEnabled())
                                    LOG.debug("Certificate cn alias={} cn={} in {}",alias,cn,_factory);
-                                if (cn!=null)
+                                if (cn!=null && cn.contains(".") && !cn.contains(" "))
                                    _aliases.put(cn,alias);
                            }
                        }
@ -197,6 +197,14 @@ public class ExtendedSslContextFactory extends SslContextFactory
        public boolean matches(SNIServerName serverName)
        {
            LOG.debug("matches={} for {}",serverName,this);
+            
+            if (_aliases.size()==0 && _wild.size()==0)
+            {
+                if (LOG.isDebugEnabled())
+                    LOG.debug("No SNI ready certificates for {} in {}",serverName,ExtendedSslContextFactory.this);
+                return true;
+            }
+            
            if (serverName instanceof SNIHostName)
            {
                _name=(SNIHostName)serverName;
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java
@ -96,7 +96,7 @@ public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
        }

        if (LOG.isDebugEnabled())
-            LOG.debug("choose {} from {}",alias,Arrays.asList(aliases));
+            LOG.debug("matched {}/{} from {}",alias,host,Arrays.asList(aliases));
        
        // Check if the SNI selected alias is allowable
        if (alias!=null)
@ -120,14 +120,22 @@ public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
        SSLSocket sslSocket = (SSLSocket)socket;
        
        String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession());
-        return alias==NO_MATCHERS?_delegate.chooseServerAlias(keyType,issuers,socket):alias;
+        if (alias==NO_MATCHERS)
+            alias=_delegate.chooseServerAlias(keyType,issuers,socket);
+        if (LOG.isDebugEnabled())
+            LOG.debug("chose {}/{} on {}",alias,keyType,socket);
+        return alias;
    }
        
    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
    {
        String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession());
-        return alias==NO_MATCHERS?_delegate.chooseEngineServerAlias(keyType,issuers,engine):alias;
+        if (alias==NO_MATCHERS)
+            alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine);
+        if (LOG.isDebugEnabled())
+            LOG.debug("chose {}/{} on {}",alias,keyType,engine);
+        return alias;
    }   
    
    @Override
--- a/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/TestListener.java
+++ b/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/TestListener.java
@ -111,8 +111,6 @@ public class TestListener implements HttpSessionListener,  HttpSessionAttributeL

    public void contextInitialized(ServletContextEvent sce)
    {
-        System.err.println("Calling TestListener.contextInitialized");
-        
        sce.getServletContext().setAttribute("com.acme.AnnotationTest.sclInjectTest", Boolean.valueOf(maxAmount != null));
        
        //Can't add a ServletContextListener from a ServletContextListener even if it is declared in web.xml