Merge remote-tracking branch 'origin/master'
This commit is contained in:
commit
8b4eea85d7
|
@ -88,33 +88,13 @@ public class LikeJettyXml
|
|||
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
|
||||
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
|
||||
});
|
||||
cf.setProtocol("TLSv1.1");
|
||||
cf.addExcludeProtocols(new String[]{"TLSv1","SSLv3"});
|
||||
ssl_connector.setStatsOn(true);
|
||||
server.addConnector(ssl_connector);
|
||||
ssl_connector.open();
|
||||
|
||||
|
||||
SslSocketConnector ssls_connector = new SslSocketConnector();
|
||||
ssls_connector.setPort(8444);
|
||||
cf = ssls_connector.getSslContextFactory();
|
||||
cf.setKeyStore(jetty_home + "/etc/keystore");
|
||||
cf.setKeyStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
|
||||
cf.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
|
||||
cf.setTrustStore(jetty_home + "/etc/keystore");
|
||||
cf.setTrustStorePassword("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4");
|
||||
cf.setExcludeCipherSuites(
|
||||
new String[] {
|
||||
"SSL_RSA_WITH_DES_CBC_SHA",
|
||||
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
|
||||
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
|
||||
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",
|
||||
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
|
||||
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
|
||||
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
|
||||
});
|
||||
ssls_connector.setStatsOn(true);
|
||||
server.addConnector(ssls_connector);
|
||||
ssls_connector.open();
|
||||
|
||||
|
||||
|
||||
Ajp13SocketConnector ajp = new Ajp13SocketConnector();
|
||||
|
|
|
@ -178,7 +178,7 @@ public class HttpClient extends HttpBuffers implements Attributes, Dumpable
|
|||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @return the threadPool
|
||||
* @return the threadpool
|
||||
*/
|
||||
public ThreadPool getThreadPool()
|
||||
{
|
||||
|
|
|
@ -51,7 +51,6 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector
|
|||
private final HttpClient _httpClient;
|
||||
private final Manager _selectorManager=new Manager();
|
||||
private final Map<SocketChannel, Timeout.Task> _connectingChannels = new ConcurrentHashMap<SocketChannel, Timeout.Task>();
|
||||
private SSLContext _sslContext;
|
||||
private Buffers _sslBuffers;
|
||||
|
||||
/**
|
||||
|
@ -211,19 +210,16 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector
|
|||
private synchronized SSLEngine newSslEngine(SocketChannel channel) throws IOException
|
||||
{
|
||||
SslContextFactory sslContextFactory = _httpClient.getSslContextFactory();
|
||||
if (_sslContext == null)
|
||||
_sslContext = sslContextFactory.getSslContext();
|
||||
|
||||
SSLEngine sslEngine;
|
||||
if (channel != null && sslContextFactory.isSessionCachingEnabled())
|
||||
if (channel != null)
|
||||
{
|
||||
String peerHost = channel.socket().getInetAddress().getHostAddress();
|
||||
int peerPort = channel.socket().getPort();
|
||||
sslEngine = _sslContext.createSSLEngine(peerHost, peerPort);
|
||||
sslEngine = sslContextFactory.newSslEngine(peerHost, peerPort);
|
||||
}
|
||||
else
|
||||
{
|
||||
sslEngine = _sslContext.createSSLEngine();
|
||||
sslEngine = sslContextFactory.newSslEngine();
|
||||
}
|
||||
sslEngine.setUseClientMode(true);
|
||||
sslEngine.beginHandshake();
|
||||
|
|
|
@ -45,18 +45,9 @@ class SocketConnector extends AbstractLifeCycle implements HttpClient.Connector
|
|||
|
||||
public void startConnection(final HttpDestination destination) throws IOException
|
||||
{
|
||||
Socket socket=null;
|
||||
|
||||
if ( destination.isSecure() )
|
||||
{
|
||||
SSLContext sslContext = _httpClient.getSSLContext();
|
||||
socket = sslContext.getSocketFactory().createSocket();
|
||||
}
|
||||
else
|
||||
{
|
||||
LOG.debug("Using Regular Socket");
|
||||
socket = SocketFactory.getDefault().createSocket();
|
||||
}
|
||||
Socket socket= destination.isSecure()
|
||||
?_httpClient.getSslContextFactory().newSslSocket()
|
||||
:SocketFactory.getDefault().createSocket();
|
||||
|
||||
socket.setSoTimeout(0);
|
||||
socket.setTcpNoDelay(true);
|
||||
|
|
|
@ -68,7 +68,7 @@ public class GenericServerHandler extends AbstractHandler
|
|||
}
|
||||
catch (InterruptedException e)
|
||||
{
|
||||
LOG.warn(e);
|
||||
LOG.debug(e);
|
||||
}
|
||||
catch (IOException e)
|
||||
{
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
</Set>
|
||||
<Call name="setContextAttribute">
|
||||
<Arg>org.eclipse.jetty.server.webapp.ContainerIncludeJarPattern</Arg>
|
||||
<Arg>.*/jsp-api-[^/]*\.jar$|.*/jsp-[^/]*\.jar$</Arg>
|
||||
<Arg>.*/.*jsp-api-[^/]*\.jar$|.*/.*jsp-[^/]*\.jar$|.*/.*taglibs[^/]*\.jar$</Arg>
|
||||
</Call>
|
||||
|
||||
|
||||
|
|
|
@ -21,6 +21,7 @@ import java.io.ByteArrayOutputStream;
|
|||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.InetAddress;
|
||||
import java.security.InvalidParameterException;
|
||||
import java.security.KeyStore;
|
||||
import java.security.SecureRandom;
|
||||
|
@ -42,7 +43,10 @@ import javax.net.ssl.KeyManager;
|
|||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLSessionContext;
|
||||
import javax.net.ssl.SSLServerSocket;
|
||||
import javax.net.ssl.SSLServerSocketFactory;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
|
@ -51,6 +55,8 @@ import javax.net.ssl.X509TrustManager;
|
|||
import org.eclipse.jetty.http.security.Password;
|
||||
import org.eclipse.jetty.util.IO;
|
||||
import org.eclipse.jetty.util.component.AbstractLifeCycle;
|
||||
import org.eclipse.jetty.util.log.Log;
|
||||
import org.eclipse.jetty.util.log.Logger;
|
||||
import org.eclipse.jetty.util.resource.Resource;
|
||||
import org.eclipse.jetty.util.security.CertificateUtils;
|
||||
import org.eclipse.jetty.util.security.CertificateValidator;
|
||||
|
@ -65,6 +71,8 @@ import org.eclipse.jetty.util.security.CertificateValidator;
|
|||
*/
|
||||
public class SslContextFactory extends AbstractLifeCycle
|
||||
{
|
||||
private static final Logger LOG = Log.getLogger(SslContextFactory.class);
|
||||
|
||||
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
|
||||
(Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
|
||||
"SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
|
||||
|
@ -82,8 +90,14 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
/** String name of keystore password property. */
|
||||
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
|
||||
|
||||
/** Excluded protocols. */
|
||||
private final Set<String> _excludeProtocols = new HashSet<String>();
|
||||
// private final Set<String> _excludeProtocols = new HashSet<String>(Collections.singleton("SSLv2Hello"));
|
||||
/** Included protocols. */
|
||||
private Set<String> _includeProtocols = null;
|
||||
|
||||
/** Excluded cipher suites. */
|
||||
private Set<String> _excludeCipherSuites = null;
|
||||
private final Set<String> _excludeCipherSuites = new HashSet<String>();
|
||||
/** Included cipher suites. */
|
||||
private Set<String> _includeCipherSuites = null;
|
||||
|
||||
|
@ -196,6 +210,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
if (_keyStoreInputStream == null && _keyStorePath == null &&
|
||||
_trustStoreInputStream == null && _trustStorePath == null )
|
||||
{
|
||||
LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
|
||||
// Create a trust manager that does not validate certificate chains
|
||||
TrustManager trustAllCerts = new X509TrustManager()
|
||||
{
|
||||
|
@ -218,11 +233,115 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
}
|
||||
else
|
||||
{
|
||||
createSSLContext();
|
||||
// verify that keystore and truststore
|
||||
// parameters are set up correctly
|
||||
try
|
||||
{
|
||||
checkKeyStore();
|
||||
}
|
||||
catch(IllegalStateException e)
|
||||
{
|
||||
LOG.ignore(e);
|
||||
}
|
||||
|
||||
KeyStore keyStore = loadKeyStore();
|
||||
KeyStore trustStore = loadTrustStore();
|
||||
|
||||
Collection<? extends CRL> crls = loadCRL(_crlPath);
|
||||
|
||||
if (_validateCerts && keyStore != null)
|
||||
{
|
||||
if (_certAlias == null)
|
||||
{
|
||||
List<String> aliases = Collections.list(keyStore.aliases());
|
||||
_certAlias = aliases.size() == 1 ? aliases.get(0) : null;
|
||||
}
|
||||
|
||||
Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
|
||||
if (cert == null)
|
||||
{
|
||||
throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
|
||||
}
|
||||
|
||||
CertificateValidator validator = new CertificateValidator(trustStore, crls);
|
||||
validator.setMaxCertPathLength(_maxCertPathLength);
|
||||
validator.setEnableCRLDP(_enableCRLDP);
|
||||
validator.setEnableOCSP(_enableOCSP);
|
||||
validator.setOcspResponderURL(_ocspResponderURL);
|
||||
validator.validate(keyStore, cert);
|
||||
}
|
||||
|
||||
KeyManager[] keyManagers = getKeyManagers(keyStore);
|
||||
TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
|
||||
|
||||
SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
|
||||
_context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
|
||||
_context.init(keyManagers,trustManagers,secureRandom);
|
||||
|
||||
SSLEngine engine=newSslEngine();
|
||||
LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
|
||||
LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @return The array of protocol names to exclude from
|
||||
* {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
public String[] getExcludeProtocols()
|
||||
{
|
||||
return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param Protocols
|
||||
* The array of protocol names to exclude from
|
||||
* {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
public void setExcludeProtocols(String... protocols)
|
||||
{
|
||||
checkNotStarted();
|
||||
|
||||
_excludeProtocols.clear();
|
||||
_excludeProtocols.addAll(Arrays.asList(protocols));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
public void addExcludeProtocols(String... protocol)
|
||||
{
|
||||
checkNotStarted();
|
||||
_excludeProtocols.addAll(Arrays.asList(protocol));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @return The array of protocol names to include in
|
||||
* {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
public String[] getIncludeProtocols()
|
||||
{
|
||||
return _includeProtocols.toArray(new String[_includeProtocols.size()]);
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param Protocols
|
||||
* The array of protocol names to include in
|
||||
* {@link SSLEngine#setEnabledProtocols(String[])}
|
||||
*/
|
||||
public void setIncludeProtocols(String... protocols)
|
||||
{
|
||||
checkNotStarted();
|
||||
|
||||
_includeProtocols = new HashSet<String>(Arrays.asList(protocols));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @return The array of cipher suite names to exclude from
|
||||
|
@ -239,11 +358,21 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* The array of cipher suite names to exclude from
|
||||
* {@link SSLEngine#setEnabledCipherSuites(String[])}
|
||||
*/
|
||||
public void setExcludeCipherSuites(String[] cipherSuites)
|
||||
public void setExcludeCipherSuites(String... cipherSuites)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
_excludeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
|
||||
checkNotStarted();
|
||||
_excludeCipherSuites.clear();
|
||||
_excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])}
|
||||
*/
|
||||
public void addExcludeCipherSuites(String... cipher)
|
||||
{
|
||||
checkNotStarted();
|
||||
_excludeCipherSuites.addAll(Arrays.asList(cipher));
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
@ -262,9 +391,9 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* The array of cipher suite names to include in
|
||||
* {@link SSLEngine#setEnabledCipherSuites(String[])}
|
||||
*/
|
||||
public void setIncludeCipherSuites(String[] cipherSuites)
|
||||
public void setIncludeCipherSuites(String... cipherSuites)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
|
||||
}
|
||||
|
@ -285,7 +414,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyStore(String keyStorePath)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyStorePath = keyStorePath;
|
||||
}
|
||||
|
@ -306,7 +435,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyStoreProvider(String keyStoreProvider)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyStoreProvider = keyStoreProvider;
|
||||
}
|
||||
|
@ -327,7 +456,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyStoreType(String keyStoreType)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyStoreType = keyStoreType;
|
||||
}
|
||||
|
@ -341,7 +470,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
@Deprecated
|
||||
public InputStream getKeyStoreInputStream()
|
||||
{
|
||||
checkConfig();
|
||||
checkKeyStore();
|
||||
|
||||
return _keyStoreInputStream;
|
||||
}
|
||||
|
@ -355,7 +484,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
@Deprecated
|
||||
public void setKeyStoreInputStream(InputStream keyStoreInputStream)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyStoreInputStream = keyStoreInputStream;
|
||||
}
|
||||
|
@ -376,7 +505,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setCertAlias(String certAlias)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_certAlias = certAlias;
|
||||
}
|
||||
|
@ -397,7 +526,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustStore(String trustStorePath)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustStorePath = trustStorePath;
|
||||
}
|
||||
|
@ -418,7 +547,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustStoreProvider(String trustStoreProvider)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustStoreProvider = trustStoreProvider;
|
||||
}
|
||||
|
@ -439,7 +568,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustStoreType(String trustStoreType)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustStoreType = trustStoreType;
|
||||
}
|
||||
|
@ -453,7 +582,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
@Deprecated
|
||||
public InputStream getTrustStoreInputStream()
|
||||
{
|
||||
checkConfig();
|
||||
checkKeyStore();
|
||||
|
||||
return _trustStoreInputStream;
|
||||
}
|
||||
|
@ -467,7 +596,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
@Deprecated
|
||||
public void setTrustStoreInputStream(InputStream trustStoreInputStream)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustStoreInputStream = trustStoreInputStream;
|
||||
}
|
||||
|
@ -490,7 +619,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setNeedClientAuth(boolean needClientAuth)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_needClientAuth = needClientAuth;
|
||||
}
|
||||
|
@ -513,7 +642,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setWantClientAuth(boolean wantClientAuth)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_wantClientAuth = wantClientAuth;
|
||||
}
|
||||
|
@ -545,7 +674,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setValidateCerts(boolean validateCerts)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_validateCerts = validateCerts;
|
||||
}
|
||||
|
@ -566,7 +695,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setValidatePeerCerts(boolean validatePeerCerts)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_validatePeerCerts = validatePeerCerts;
|
||||
}
|
||||
|
@ -593,7 +722,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setAllowRenegotiate(boolean allowRenegotiate)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_allowRenegotiate = allowRenegotiate;
|
||||
}
|
||||
|
@ -605,7 +734,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyStorePassword(String password)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
|
||||
}
|
||||
|
@ -617,7 +746,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyManagerPassword(String password)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
|
||||
}
|
||||
|
@ -629,7 +758,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustStorePassword(String password)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
|
||||
}
|
||||
|
@ -652,7 +781,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setProvider(String provider)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_sslProvider = provider;
|
||||
}
|
||||
|
@ -675,7 +804,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setProtocol(String protocol)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_sslProtocol = protocol;
|
||||
}
|
||||
|
@ -700,7 +829,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setSecureRandomAlgorithm(String algorithm)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_secureRandomAlgorithm = algorithm;
|
||||
}
|
||||
|
@ -721,7 +850,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyManagerFactoryAlgorithm = algorithm;
|
||||
}
|
||||
|
@ -742,7 +871,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustManagerFactoryAlgorithm(String algorithm)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustManagerFactoryAlgorithm = algorithm;
|
||||
}
|
||||
|
@ -763,7 +892,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setCrlPath(String crlPath)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_crlPath = crlPath;
|
||||
}
|
||||
|
@ -786,7 +915,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setMaxCertPathLength(int maxCertPathLength)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_maxCertPathLength = maxCertPathLength;
|
||||
}
|
||||
|
@ -797,6 +926,8 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public SSLContext getSslContext()
|
||||
{
|
||||
if (!isStarted())
|
||||
throw new IllegalStateException(getState());
|
||||
return _context;
|
||||
}
|
||||
|
||||
|
@ -807,60 +938,11 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setSslContext(SSLContext sslContext)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_context = sslContext;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @throws Exception
|
||||
*/
|
||||
protected void createSSLContext() throws Exception
|
||||
{
|
||||
// verify that keystore and truststore
|
||||
// parameters are set up correctly
|
||||
checkConfig();
|
||||
|
||||
KeyStore keyStore = loadKeyStore();
|
||||
KeyStore trustStore = loadTrustStore();
|
||||
|
||||
Collection<? extends CRL> crls = loadCRL(_crlPath);
|
||||
|
||||
if (_validateCerts && keyStore != null)
|
||||
{
|
||||
if (_certAlias == null)
|
||||
{
|
||||
List<String> aliases = Collections.list(keyStore.aliases());
|
||||
_certAlias = aliases.size() == 1 ? aliases.get(0) : null;
|
||||
}
|
||||
|
||||
Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
|
||||
if (cert == null)
|
||||
{
|
||||
throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
|
||||
}
|
||||
|
||||
CertificateValidator validator = new CertificateValidator(trustStore, crls);
|
||||
validator.setMaxCertPathLength(_maxCertPathLength);
|
||||
validator.setEnableCRLDP(_enableCRLDP);
|
||||
validator.setEnableOCSP(_enableOCSP);
|
||||
validator.setOcspResponderURL(_ocspResponderURL);
|
||||
validator.validate(keyStore, cert);
|
||||
}
|
||||
|
||||
KeyManager[] keyManagers = getKeyManagers(keyStore);
|
||||
TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
|
||||
|
||||
SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
|
||||
_context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
|
||||
_context.init(keyManagers,trustManagers,secureRandom);
|
||||
|
||||
SSLSessionContext sslSessionContext = _context.getServerSessionContext();
|
||||
sslSessionContext.setSessionCacheSize(_sslSessionCacheSize);
|
||||
sslSessionContext.setSessionTimeout(_sslSessionTimeout);
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Override this method to provide alternate way to load a keystore.
|
||||
|
@ -1014,33 +1096,27 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Check configuration. Ensures that if keystore has been
|
||||
* Check KetyStore Configuration. Ensures that if keystore has been
|
||||
* configured but there's no truststore, that keystore is
|
||||
* used as truststore.
|
||||
* @return true SslContextFactory configuration can be used in server connector.
|
||||
* @throws IllegalStateException if SslContextFactory configuration can't be used.
|
||||
*/
|
||||
public boolean checkConfig()
|
||||
public void checkKeyStore()
|
||||
{
|
||||
boolean check = true;
|
||||
if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
|
||||
throw new IllegalStateException("SSL doesn't have a valid keystore");
|
||||
|
||||
// if the keystore has been configured but there is no
|
||||
// truststore configured, use the keystore as the truststore
|
||||
if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
|
||||
{
|
||||
// configuration doesn't have a valid keystore
|
||||
check = false;
|
||||
}
|
||||
else
|
||||
{
|
||||
// if the keystore has been configured but there is no
|
||||
// truststore configured, use the keystore as the truststore
|
||||
if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
|
||||
{
|
||||
_trustStore = _keyStore;
|
||||
_trustStorePath = _keyStorePath;
|
||||
_trustStoreInputStream = _keyStoreInputStream;
|
||||
_trustStoreType = _keyStoreType;
|
||||
_trustStoreProvider = _keyStoreProvider;
|
||||
_trustStorePassword = _keyStorePassword;
|
||||
_trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
|
||||
}
|
||||
_trustStore = _keyStore;
|
||||
_trustStorePath = _keyStorePath;
|
||||
_trustStoreInputStream = _keyStoreInputStream;
|
||||
_trustStoreType = _keyStoreType;
|
||||
_trustStoreProvider = _keyStoreProvider;
|
||||
_trustStorePassword = _keyStorePassword;
|
||||
_trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
|
||||
}
|
||||
|
||||
// It's the same stream we cannot read it twice, so read it once in memory
|
||||
|
@ -1057,11 +1133,9 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
throw new RuntimeException(ex);
|
||||
throw new IllegalStateException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
return check;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
@ -1073,57 +1147,68 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* @param supportedCipherSuites Array of supported cipher suites
|
||||
* @return Array of cipher suites to enable
|
||||
*/
|
||||
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
|
||||
public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
|
||||
{
|
||||
Set<String> selectedCipherSuites = null;
|
||||
if (enabledCipherSuites != null)
|
||||
Set<String> selected_protocols = new HashSet<String>();
|
||||
|
||||
// Set the starting protocols - either from the included or enabled list
|
||||
if (_includeProtocols!=null)
|
||||
{
|
||||
selectedCipherSuites = new HashSet<String>(Arrays.asList(enabledCipherSuites));
|
||||
// Use only the supported included protocols
|
||||
for (String protocol : supportedProtocols)
|
||||
if (_includeProtocols.contains(protocol))
|
||||
selected_protocols.add(protocol);
|
||||
}
|
||||
else
|
||||
selected_protocols.addAll(Arrays.asList(enabledProtocols));
|
||||
|
||||
|
||||
// Remove any excluded protocols
|
||||
if (_excludeProtocols != null)
|
||||
selected_protocols.removeAll(_excludeProtocols);
|
||||
|
||||
return selected_protocols.toArray(new String[selected_protocols.size()]);
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Select cipher suites to be used by the connector
|
||||
* based on configured inclusion and exclusion lists
|
||||
* as well as enabled and supported cipher suite lists.
|
||||
* @param enabledCipherSuites Array of enabled cipher suites
|
||||
* @param supportedCipherSuites Array of supported cipher suites
|
||||
* @return Array of cipher suites to enable
|
||||
*/
|
||||
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
|
||||
{
|
||||
Set<String> selected_ciphers = new HashSet<String>();
|
||||
|
||||
// Set the starting ciphers - either from the included or enabled list
|
||||
if (_includeCipherSuites!=null)
|
||||
{
|
||||
selectedCipherSuites = new HashSet<String>();
|
||||
// Use only the supported included ciphers
|
||||
for (String cipherSuite : supportedCipherSuites)
|
||||
if (_includeCipherSuites.contains(cipherSuite))
|
||||
selected_ciphers.add(cipherSuite);
|
||||
}
|
||||
|
||||
if ((supportedCipherSuites != null && supportedCipherSuites.length > 0) &&
|
||||
(_includeCipherSuites != null && _includeCipherSuites.size() > 0))
|
||||
{
|
||||
Set<String> supportedCSList = new HashSet<String>(Arrays.asList(supportedCipherSuites));
|
||||
|
||||
for (String cipherName : _includeCipherSuites)
|
||||
{
|
||||
if ((!selectedCipherSuites.contains(cipherName)) &&
|
||||
supportedCSList.contains(cipherName))
|
||||
{
|
||||
selectedCipherSuites.add(cipherName);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (_excludeCipherSuites != null && _excludeCipherSuites.size() > 0)
|
||||
{
|
||||
for (String cipherName : _excludeCipherSuites)
|
||||
{
|
||||
if (selectedCipherSuites.contains(cipherName))
|
||||
{
|
||||
selectedCipherSuites.remove(cipherName);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return selectedCipherSuites.toArray(new String[selectedCipherSuites.size()]);
|
||||
else
|
||||
selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
|
||||
|
||||
|
||||
// Remove any excluded ciphers
|
||||
if (_excludeCipherSuites != null)
|
||||
selected_ciphers.removeAll(_excludeCipherSuites);
|
||||
return selected_ciphers.toArray(new String[selected_ciphers.size()]);
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Check if the lifecycle has been started and throw runtime exception
|
||||
*/
|
||||
protected void checkStarted()
|
||||
protected void checkNotStarted()
|
||||
{
|
||||
if (isStarted())
|
||||
{
|
||||
throw new IllegalStateException("Cannot modify configuration after SslContextFactory was started");
|
||||
}
|
||||
throw new IllegalStateException("Cannot modify configuration when "+getState());
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
@ -1141,7 +1226,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setEnableCRLDP(boolean enableCRLDP)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_enableCRLDP = enableCRLDP;
|
||||
}
|
||||
|
@ -1161,7 +1246,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setEnableOCSP(boolean enableOCSP)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_enableOCSP = enableOCSP;
|
||||
}
|
||||
|
@ -1181,7 +1266,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setOcspResponderURL(String ocspResponderURL)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_ocspResponderURL = ocspResponderURL;
|
||||
}
|
||||
|
@ -1192,7 +1277,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyStore(KeyStore keyStore)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_keyStore = keyStore;
|
||||
}
|
||||
|
@ -1203,7 +1288,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustStore(KeyStore trustStore)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
_trustStore = trustStore;
|
||||
}
|
||||
|
@ -1214,7 +1299,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setKeyStoreResource(Resource resource)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
try
|
||||
{
|
||||
|
@ -1233,7 +1318,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
public void setTrustStore(Resource resource)
|
||||
{
|
||||
checkStarted();
|
||||
checkNotStarted();
|
||||
|
||||
try
|
||||
{
|
||||
|
@ -1299,4 +1384,83 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
_sslSessionTimeout = sslSessionTimeout;
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
|
||||
{
|
||||
SSLServerSocketFactory factory = _context.getServerSocketFactory();
|
||||
|
||||
SSLServerSocket socket =
|
||||
(SSLServerSocket) (host==null ?
|
||||
factory.createServerSocket(port,backlog):
|
||||
factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
|
||||
|
||||
if (getWantClientAuth())
|
||||
socket.setWantClientAuth(getWantClientAuth());
|
||||
if (getNeedClientAuth())
|
||||
socket.setNeedClientAuth(getNeedClientAuth());
|
||||
|
||||
socket.setEnabledCipherSuites(selectCipherSuites(
|
||||
socket.getEnabledCipherSuites(),
|
||||
socket.getSupportedCipherSuites()));
|
||||
socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
|
||||
|
||||
return socket;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
public SSLSocket newSslSocket() throws IOException
|
||||
{
|
||||
SSLSocketFactory factory = _context.getSocketFactory();
|
||||
|
||||
SSLSocket socket = (SSLSocket)factory.createSocket();
|
||||
|
||||
if (getWantClientAuth())
|
||||
socket.setWantClientAuth(getWantClientAuth());
|
||||
if (getNeedClientAuth())
|
||||
socket.setNeedClientAuth(getNeedClientAuth());
|
||||
|
||||
socket.setEnabledCipherSuites(selectCipherSuites(
|
||||
socket.getEnabledCipherSuites(),
|
||||
socket.getSupportedCipherSuites()));
|
||||
socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
|
||||
|
||||
return socket;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
public SSLEngine newSslEngine(String host,int port)
|
||||
{
|
||||
SSLEngine sslEngine=isSessionCachingEnabled()
|
||||
?_context.createSSLEngine(host, port)
|
||||
:_context.createSSLEngine();
|
||||
|
||||
customize(sslEngine);
|
||||
return sslEngine;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
public SSLEngine newSslEngine()
|
||||
{
|
||||
SSLEngine sslEngine=_context.createSSLEngine();
|
||||
customize(sslEngine);
|
||||
return sslEngine;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
public void customize(SSLEngine sslEngine)
|
||||
{
|
||||
if (getWantClientAuth())
|
||||
sslEngine.setWantClientAuth(getWantClientAuth());
|
||||
if (getNeedClientAuth())
|
||||
sslEngine.setNeedClientAuth(getNeedClientAuth());
|
||||
|
||||
sslEngine.setEnabledCipherSuites(selectCipherSuites(
|
||||
sslEngine.getEnabledCipherSuites(),
|
||||
sslEngine.getSupportedCipherSuites()));
|
||||
|
||||
sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -251,7 +251,7 @@ public class SelectChannelEndPoint extends ChannelEndPoint implements AsyncEndPo
|
|||
public void checkIdleTimestamp(long now)
|
||||
{
|
||||
long idleTimestamp=_idleTimestamp;
|
||||
if (!getChannel().isOpen() || idleTimestamp!=0 && _maxIdleTime!=0 && now>(idleTimestamp+_maxIdleTime))
|
||||
if (!getChannel().isOpen() || idleTimestamp!=0 && _maxIdleTime>0 && now>(idleTimestamp+_maxIdleTime))
|
||||
idleExpired();
|
||||
}
|
||||
|
||||
|
|
|
@ -674,10 +674,10 @@ public abstract class HttpConnection extends AbstractConnection
|
|||
/* ------------------------------------------------------------ */
|
||||
public int getMaxIdleTime()
|
||||
{
|
||||
if (_connector.isLowResources() && _endp.getMaxIdleTime()==_connector.getMaxIdleTime())
|
||||
return _connector.getLowResourceMaxIdleTime();
|
||||
if (_endp.getMaxIdleTime()>0)
|
||||
return _endp.getMaxIdleTime();
|
||||
if (_connector.isLowResources())
|
||||
return _connector.getLowResourceMaxIdleTime();
|
||||
return _connector.getMaxIdleTime();
|
||||
}
|
||||
|
||||
|
|
|
@ -16,6 +16,8 @@ package org.eclipse.jetty.server.ssl;
|
|||
import java.io.IOException;
|
||||
import java.nio.channels.SelectionKey;
|
||||
import java.nio.channels.SocketChannel;
|
||||
import java.util.Arrays;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLSession;
|
||||
|
@ -36,7 +38,6 @@ import org.eclipse.jetty.io.nio.SslSelectChannelEndPoint;
|
|||
import org.eclipse.jetty.server.HttpConnection;
|
||||
import org.eclipse.jetty.server.Request;
|
||||
import org.eclipse.jetty.server.nio.SelectChannelConnector;
|
||||
import org.eclipse.jetty.util.log.Log;
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
|
@ -97,7 +98,9 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
SslSelectChannelEndPoint sslHttpChannelEndpoint=(SslSelectChannelEndPoint)endpoint;
|
||||
SSLEngine sslEngine=sslHttpChannelEndpoint.getSSLEngine();
|
||||
SSLSession sslSession=sslEngine.getSession();
|
||||
|
||||
|
||||
System.err.println(sslSession.getProtocol());
|
||||
|
||||
SslCertificates.customize(sslSession,endpoint,request);
|
||||
}
|
||||
|
||||
|
@ -565,33 +568,19 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
protected SSLEngine createSSLEngine(SocketChannel channel) throws IOException
|
||||
{
|
||||
SSLEngine engine;
|
||||
if (channel != null && _sslContextFactory.isSessionCachingEnabled())
|
||||
if (channel != null)
|
||||
{
|
||||
String peerHost = channel.socket().getInetAddress().getHostAddress();
|
||||
int peerPort = channel.socket().getPort();
|
||||
engine = _sslContextFactory.getSslContext().createSSLEngine(peerHost, peerPort);
|
||||
engine = _sslContextFactory.newSslEngine(peerHost, peerPort);
|
||||
}
|
||||
else
|
||||
{
|
||||
engine = _sslContextFactory.getSslContext().createSSLEngine();
|
||||
engine = _sslContextFactory.newSslEngine();
|
||||
}
|
||||
customizeEngine(engine);
|
||||
return engine;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
private void customizeEngine(SSLEngine engine)
|
||||
{
|
||||
|
||||
engine.setUseClientMode(false);
|
||||
|
||||
if (_sslContextFactory.getWantClientAuth())
|
||||
engine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
|
||||
if (_sslContextFactory.getNeedClientAuth())
|
||||
engine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
|
||||
|
||||
engine.setEnabledCipherSuites(
|
||||
_sslContextFactory.selectCipherSuites(engine.getEnabledCipherSuites(),
|
||||
engine.getSupportedCipherSuites()));
|
||||
return engine;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
@ -601,22 +590,13 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
@Override
|
||||
protected void doStart() throws Exception
|
||||
{
|
||||
if (!_sslContextFactory.checkConfig())
|
||||
{
|
||||
throw new IllegalStateException("SSL context is not configured correctly.");
|
||||
}
|
||||
_sslContextFactory.checkKeyStore();
|
||||
|
||||
_sslContextFactory.start();
|
||||
|
||||
SSLEngine sslEngine = _sslContextFactory.getSslContext().createSSLEngine();
|
||||
SSLEngine sslEngine = _sslContextFactory.newSslEngine();
|
||||
|
||||
sslEngine.setUseClientMode(false);
|
||||
sslEngine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
|
||||
sslEngine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
|
||||
|
||||
sslEngine.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
|
||||
sslEngine.getEnabledCipherSuites(),
|
||||
sslEngine.getSupportedCipherSuites()));
|
||||
|
||||
SSLSession sslSession = sslEngine.getSession();
|
||||
|
||||
|
|
|
@ -335,11 +335,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
|
|||
@Override
|
||||
public void open() throws IOException
|
||||
{
|
||||
if (!_sslContextFactory.checkConfig())
|
||||
{
|
||||
throw new IllegalStateException("SSL context is not configured correctly.");
|
||||
}
|
||||
|
||||
_sslContextFactory.checkKeyStore();
|
||||
try
|
||||
{
|
||||
_sslContextFactory.start();
|
||||
|
@ -358,11 +354,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
|
|||
@Override
|
||||
protected void doStart() throws Exception
|
||||
{
|
||||
if (!_sslContextFactory.checkConfig())
|
||||
{
|
||||
throw new IllegalStateException("SSL context is not configured correctly.");
|
||||
}
|
||||
|
||||
_sslContextFactory.checkKeyStore();
|
||||
_sslContextFactory.start();
|
||||
|
||||
super.doStart();
|
||||
|
@ -394,22 +386,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
|
|||
@Override
|
||||
protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
|
||||
{
|
||||
SSLServerSocketFactory factory = _sslContextFactory.getSslContext().getServerSocketFactory();
|
||||
|
||||
SSLServerSocket socket =
|
||||
(SSLServerSocket) (host==null ?
|
||||
factory.createServerSocket(port,backlog):
|
||||
factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
|
||||
|
||||
if (_sslContextFactory.getWantClientAuth())
|
||||
socket.setWantClientAuth(_sslContextFactory.getWantClientAuth());
|
||||
if (_sslContextFactory.getNeedClientAuth())
|
||||
socket.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
|
||||
|
||||
socket.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
|
||||
socket.getEnabledCipherSuites(),
|
||||
socket.getSupportedCipherSuites()));
|
||||
return socket;
|
||||
return _sslContextFactory.newSslServerSocket(host,port,backlog);
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
|
|
|
@ -425,7 +425,7 @@ public abstract class HttpServerTestBase extends HttpServerTestFixture
|
|||
|
||||
while(len>=0)
|
||||
{
|
||||
Thread.sleep(500);
|
||||
Thread.sleep(100);
|
||||
len=is.read(buf);
|
||||
if (len>0)
|
||||
total+=len;
|
||||
|
|
|
@ -133,7 +133,7 @@ public class SSLEngineTest
|
|||
@Test
|
||||
public void testBigResponse() throws Exception
|
||||
{
|
||||
SSLContext ctx=SSLContext.getInstance("SSLv3");
|
||||
SSLContext ctx=SSLContext.getInstance("TLS");
|
||||
ctx.init(null,s_dummyTrustManagers,new java.security.SecureRandom());
|
||||
|
||||
int port=connector.getLocalPort();
|
||||
|
@ -367,4 +367,5 @@ public class SSLEngineTest
|
|||
response.flushBuffer();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -60,14 +60,14 @@ public class SslSelectChannelServerTest extends HttpServerTestBase
|
|||
keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray());
|
||||
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init(keystore);
|
||||
__sslContext = SSLContext.getInstance("SSL");
|
||||
__sslContext = SSLContext.getInstance("TLS");
|
||||
__sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
|
||||
|
||||
|
||||
try
|
||||
{
|
||||
HttpsURLConnection.setDefaultHostnameVerifier(__hostnameverifier);
|
||||
SSLContext sc = SSLContext.getInstance("SSL");
|
||||
SSLContext sc = SSLContext.getInstance("TLS");
|
||||
sc.init(null, __trustAllCerts, new java.security.SecureRandom());
|
||||
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
|
||||
}
|
||||
|
|
|
@ -15,8 +15,10 @@ package org.eclipse.jetty.server.ssl;
|
|||
import java.io.FileInputStream;
|
||||
import java.net.Socket;
|
||||
import java.security.KeyStore;
|
||||
import java.util.Arrays;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
|
||||
import org.eclipse.jetty.http.ssl.SslContextFactory;
|
||||
|
@ -37,7 +39,9 @@ public class SslSocketServerTest extends HttpServerTestBase
|
|||
@Override
|
||||
protected Socket newSocket(String host, int port) throws Exception
|
||||
{
|
||||
return __sslContext.getSocketFactory().createSocket(host,port);
|
||||
SSLSocket socket = (SSLSocket)__sslContext.getSocketFactory().createSocket(host,port);
|
||||
socket.setEnabledProtocols(new String[] {"TLSv1"});
|
||||
return socket;
|
||||
}
|
||||
|
||||
|
||||
|
@ -59,7 +63,7 @@ public class SslSocketServerTest extends HttpServerTestBase
|
|||
keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray());
|
||||
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init(keystore);
|
||||
__sslContext = SSLContext.getInstance("SSL");
|
||||
__sslContext = SSLContext.getInstance("TLSv1");
|
||||
__sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
|
||||
|
||||
|
||||
|
|
|
@ -18,6 +18,7 @@ import java.net.Socket;
|
|||
import java.security.KeyStore;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
|
||||
import org.eclipse.jetty.http.ssl.SslContextFactory;
|
||||
|
@ -26,12 +27,14 @@ import org.junit.BeforeClass;
|
|||
|
||||
public class SslSocketTimeoutTest extends ConnectorTimeoutTest
|
||||
{
|
||||
static SSLContext _sslContext;
|
||||
static SSLContext __sslContext;
|
||||
|
||||
@Override
|
||||
protected Socket newSocket(String host, int port) throws Exception
|
||||
{
|
||||
return _sslContext.getSocketFactory().createSocket(host,port);
|
||||
SSLSocket socket = (SSLSocket)__sslContext.getSocketFactory().createSocket(host,port);
|
||||
socket.setEnabledProtocols(new String[] {"TLSv1"});
|
||||
return socket;
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
|
@ -53,8 +56,8 @@ public class SslSocketTimeoutTest extends ConnectorTimeoutTest
|
|||
keystore.load(new FileInputStream(connector.getKeystore()), "storepwd".toCharArray());
|
||||
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init(keystore);
|
||||
_sslContext = SSLContext.getInstance("SSL");
|
||||
_sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
|
||||
__sslContext = SSLContext.getInstance("TLSv1");
|
||||
__sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -14,13 +14,16 @@
|
|||
package org.eclipse.jetty.webapp;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URL;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.EventListener;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.Servlet;
|
||||
|
@ -58,6 +61,7 @@ public class TagLibConfiguration extends AbstractConfiguration
|
|||
|
||||
public static final String TLD_RESOURCES = "org.eclipse.jetty.tlds";
|
||||
|
||||
|
||||
/**
|
||||
* TagLibListener
|
||||
*
|
||||
|
@ -96,7 +100,37 @@ public class TagLibConfiguration extends AbstractConfiguration
|
|||
|
||||
public void contextInitialized(ServletContextEvent sce)
|
||||
{
|
||||
try {
|
||||
try
|
||||
{
|
||||
//For jasper 2.1:
|
||||
//Get the system classpath tlds and tell jasper about them, if jasper is on the classpath
|
||||
try
|
||||
{
|
||||
Class clazz = getClass().getClassLoader().loadClass("org.apache.jasper.compiler.TldLocationsCache");
|
||||
Collection<Resource> tld_resources = (Collection<Resource>)_context.getAttribute(TLD_RESOURCES);
|
||||
|
||||
Map<URI, List<String>> tldMap = new HashMap<URI, List<String>>();
|
||||
|
||||
if (tld_resources != null)
|
||||
{
|
||||
//get the jar file names of the files
|
||||
for (Resource r:tld_resources)
|
||||
{
|
||||
Resource jarResource = extractJarResource(r);
|
||||
//jasper is happy with an empty list of tlds
|
||||
if (!tldMap.containsKey(jarResource.getURI()))
|
||||
tldMap.put(jarResource.getURI(), null);
|
||||
|
||||
}
|
||||
//set the magic context attribute that tells jasper about the system tlds
|
||||
sce.getServletContext().setAttribute("com.sun.appserv.tld.map", tldMap);
|
||||
}
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
LOG.ignore(e);
|
||||
}
|
||||
|
||||
//find the tld files and parse them to get out their
|
||||
//listeners
|
||||
Set<Resource> tlds = findTldResources();
|
||||
|
@ -117,12 +151,37 @@ public class TagLibConfiguration extends AbstractConfiguration
|
|||
}
|
||||
}
|
||||
|
||||
} catch (Exception e) {
|
||||
}
|
||||
catch (Exception e) {
|
||||
LOG.warn(e);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
private Resource extractJarResource (Resource r)
|
||||
{
|
||||
if (r == null)
|
||||
return null;
|
||||
|
||||
try
|
||||
{
|
||||
String url = r.getURI().toURL().toString();
|
||||
int idx = url.lastIndexOf("!/");
|
||||
if (idx >= 0)
|
||||
url = url.substring(0, idx);
|
||||
if (url.startsWith("jar:"))
|
||||
url = url.substring(4);
|
||||
return Resource.newResource(url);
|
||||
}
|
||||
catch (IOException e)
|
||||
{
|
||||
LOG.warn(e);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Find all the locations that can harbour tld files that may contain
|
||||
* a listener which the web container is supposed to instantiate and
|
||||
|
|
|
@ -25,6 +25,7 @@ import java.net.SocketAddress;
|
|||
import javax.net.ssl.HostnameVerifier;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
@ -78,7 +79,7 @@ public class HttpsSocketImpl implements HttpSocket
|
|||
try
|
||||
{
|
||||
// TODO real trust manager
|
||||
this.sslContext = SSLContext.getInstance("SSL");
|
||||
this.sslContext = SSLContext.getInstance("TLS");
|
||||
sslContext.init(null,trustAllCerts,new java.security.SecureRandom());
|
||||
}
|
||||
catch (Exception e)
|
||||
|
@ -87,11 +88,13 @@ public class HttpsSocketImpl implements HttpSocket
|
|||
}
|
||||
|
||||
sslfactory = sslContext.getSocketFactory();
|
||||
|
||||
}
|
||||
|
||||
public Socket connect(InetAddress host, int port) throws IOException
|
||||
{
|
||||
Socket sslsock = sslfactory.createSocket();
|
||||
SSLSocket sslsock = (SSLSocket)sslfactory.createSocket();
|
||||
sslsock.setEnabledProtocols(new String[] {"TLSv1"});
|
||||
SocketAddress address = new InetSocketAddress(host,port);
|
||||
sslsock.connect(address);
|
||||
return sslsock;
|
||||
|
|
Loading…
Reference in New Issue