345656 Disambiguate SslContextFactory#validateCerts property

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@3141 7e9141cc-0065-0410-87d8-b60c137991c4
2011-05-13 17:52:09 +00:00 · 2011-05-13 17:52:09 +00:00 · dbcdcc6ce6
parent 6a2ecc493e
commit dbcdcc6ce6
2 changed files with 25 additions and 1 deletions
--- a/VERSION.txt
+++ b/VERSION.txt
@ -20,6 +20,7 @@ jetty-7.4.1.v20110513
 + 345047 Readded deprecated ScanningAppDeployer#setMonitoredDir
 + 345290 Weak references from SessionIdManager. HashSessionManager cleanup.
 + 345543 Always close endpoint on SSLException
+ + 345656 Disambiguate SslContextFactory#validateCerts property 
 + 345679 Allow setting an initialized KeyStore as keystore/truststore of SslContextFactory
 + 345704 jetty-nested works with forwarded SSL in cloudfoundry
 + JETTY-954 WebAppContext eats any start exceptions instead of stopping the server load
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java
+++ b/jetty-http/src/main/java/org/eclipse/jetty/http/ssl/SslContextFactory.java
@ -137,6 +137,8 @@ public class SslContextFactory extends AbstractLifeCycle

    /** Set to true if SSL certificate validation is required */
    private boolean _validateCerts;
+    /** Set to true if SSL certificate of the peer validation is required */
+    private boolean _validatePeerCerts;
    /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
    private int _maxCertPathLength = -1;
    /** Path to file that contains Certificate Revocation List */
@ -541,6 +543,27 @@ public class SslContextFactory extends AbstractLifeCycle
        _validateCerts = validateCerts;
    }

+    /* ------------------------------------------------------------ */
+    /**
+     * @return true if SSL certificates of the peer have to be validated
+     */
+    public boolean isValidatePeerCerts()
+    {
+        return _validatePeerCerts;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @param validatePeerCerts
+     *            true if SSL certificates of the peer have to be validated
+     */
+    public void setValidatePeerCerts(boolean validatePeerCerts)
+    {
+        checkStarted();
+        
+        _validatePeerCerts = validatePeerCerts;
+    }
+
    /* ------------------------------------------------------------ */
    /**
     * @return True if SSL re-negotiation is allowed (default false)
@ -928,7 +951,7 @@ public class SslContextFactory extends AbstractLifeCycle
        if (trustStore != null)
        {
            // Revocation checking is only supported for PKIX algorithm
-            if (_validateCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
+            if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
            {
                PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());