From c6aafeccebd82b3865795198e7ade3450c1b1305 Mon Sep 17 00:00:00 2001 From: Simone Bordet Date: Wed, 25 May 2016 00:47:58 +0200 Subject: [PATCH 1/3] Code cleanups. --- .../jetty/server/SecureRequestCustomizer.java | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java index e23cdadd8b8..089409f322c 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java @@ -71,7 +71,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer { this(sniHostCheck,-1,false); } - + /** * @param sniHostCheck True if the SNI Host name must match. * @param stsMaxAgeSeconds The max age in seconds for a Strict-Transport-Security response header. If set less than zero then no header is sent. @@ -97,7 +97,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer } /** - * @param sniHostCheck True if the SNI Host name must match. + * @param sniHostCheck True if the SNI Host name must match. */ public void setSniHostCheck(boolean sniHostCheck) { @@ -163,10 +163,10 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer { if (request.getHttpChannel().getEndPoint() instanceof DecryptedEndPoint) { - + if (request.getHttpURI().getScheme()==null) request.setScheme(HttpScheme.HTTPS.asString()); - + SslConnection.DecryptedEndPoint ssl_endp = (DecryptedEndPoint)request.getHttpChannel().getEndPoint(); SslConnection sslConnection = ssl_endp.getSslConnection(); SSLEngine sslEngine=sslConnection.getSSLEngine(); 
@@ -181,19 +181,18 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer /** * Customizes the request attributes for general secure settings. * The default impl calls {@link Request#setSecure(boolean)} with true - * and sets a response header if the Strict-Transport-Security options + * and sets a response header if the Strict-Transport-Security options * are set. * @param request the request being customized */ protected void customizeSecure(Request request) { request.setSecure(true); - + if (_stsField!=null) request.getResponse().getHttpFields().add(_stsField); } - - + /** *

* Customizes the request attributes to be set for SSL requests. @@ -210,7 +209,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer * trust. The first certificate in the chain is the one set by the client, the next is the one used to authenticate * the first, and so on. * - * + * * @param sslEngine * the sslEngine to be customized. * @param request @@ -273,7 +272,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer LOG.warn(Log.EXCEPTION,e); } } - + public void setSslSessionAttribute(String attribute) { this.sslSessionAttribute = attribute; From 031bc0fed90b812829145b7f6408a3ae0ad54a40 Mon Sep 17 00:00:00 2001 From: Simone Bordet Date: Wed, 25 May 2016 00:50:01 +0200 Subject: [PATCH 2/3] Issue #85 - Expose TLS protocol used for connection in SecureRequestCustomizer. Exposed the SSLSession as attribute only if the attribute key is valid. --- .../org/eclipse/jetty/server/SecureRequestCustomizer.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java index 089409f322c..7b90e9d66cc 100644 --- a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java +++ b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java @@ -265,7 +265,9 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer request.setAttribute("javax.servlet.request.cipher_suite",cipherSuite); request.setAttribute("javax.servlet.request.key_size",keySize); request.setAttribute("javax.servlet.request.ssl_session_id", idStr); - request.setAttribute(getSslSessionAttribute(), sslSession); + String sessionAttribute = getSslSessionAttribute(); + if (sessionAttribute != null && sessionAttribute.isEmpty()) + request.setAttribute(sessionAttribute, sslSession); } catch (Exception e) { 
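Review bot: The guard added in front of `request.setAttribute(sessionAttribute, sslSession)` is inverted: `sessionAttribute != null && sessionAttribute.isEmpty()` publishes the SSLSession only when the configured key is the empty string, so with any real key the attribute is silently never set, which is the opposite of what the commit message ("only if the attribute key is valid") describes. It should read `if (sessionAttribute != null && !sessionAttribute.isEmpty())`. Because a missing request attribute fails nothing loudly, code that reads the session to inspect the negotiated TLS protocol (the point of #85) would just see null; a test asserting the attribute is present under the default key (set outside this hunk, so not verifiable here) would catch this. The enclosing try block and customize method begin and end outside the hunk.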
From 4762a6eaa38b022dbbf3ad3d7c06ba01b8fcaf24 Mon Sep 17 00:00:00 2001
From: Simone Bordet
Date: Wed, 25 May 2016 00:52:10 +0200
Subject: [PATCH 3/3] Issue #464 - Improve reporting of SSLHandshakeException.
Making sure that the raw EndPoint is closed if the decrypted EndPoint output is shutdown when the input is also shutdown.
---
.../src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
index a1a7d5fdbd7..de5c8fdd7b4 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
@@ -926,7 +926,9 @@ public class SslConnection extends AbstractConnection
 _sslEngine.closeOutbound();
 // Send the TLS close message.
 flush(BufferUtil.EMPTY_BUFFER);
- if (!ishut)
+ if (ishut)
+ getEndPoint().close();
+ else
 ensureFillInterested();
 }
 }
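Review bot: The new `getEndPoint().close()` runs immediately after `flush(BufferUtil.EMPTY_BUFFER)`, whose boolean result is discarded, so if the close_notify produced by `closeOutbound()` could not be written in full the raw EndPoint is closed with the TLS close message partly or wholly unsent and the peer sees a truncated connection instead of a clean TLS shutdown, which is exactly what close_notify exists to distinguish. I would capture the flush result and only close on success, e.g. `boolean flushed = flush(BufferUtil.EMPTY_BUFFER);` followed by `if (ishut && flushed) getEndPoint().close(); else ensureFillInterested();`, or at least document why an incomplete flush is acceptable here. The `ishut` flag and the method (presumably shutdownOutput) begin outside the hunk; if this code sits inside a `synchronized` block, as the surrounding structure suggests but the hunk does not show, closing the raw endpoint under that lock is worth a second look as well.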