Reviewed and cleaned up code for #345615 (Enable SSL Session caching).
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@3223 7e9141cc-0065-0410-87d8-b60c137991c4
This commit is contained in:
parent
21d9fd77cf
commit
e438787325
|
@ -14,7 +14,6 @@
|
|||
package org.eclipse.jetty.client;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.net.SocketTimeoutException;
|
||||
import java.nio.channels.SelectionKey;
|
||||
import java.nio.channels.SocketChannel;
|
||||
|
@ -48,11 +47,9 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector,
|
|||
private final Map<SocketChannel, Timeout.Task> _connectingChannels = new ConcurrentHashMap<SocketChannel, Timeout.Task>();
|
||||
private SSLContext _sslContext;
|
||||
private Buffers _sslBuffers;
|
||||
private int _maxBuffers=1024;
|
||||
private boolean _enableSslSessionCaching;
|
||||
|
||||
/**
|
||||
* @param httpClient
|
||||
* @param httpClient the HttpClient this connector is associated to
|
||||
*/
|
||||
SelectConnector(HttpClient httpClient)
|
||||
{
|
||||
|
@ -74,7 +71,7 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector,
|
|||
_sslBuffers = BuffersFactory.newBuffers(
|
||||
direct?Type.DIRECT:Type.INDIRECT,ssl_session.getApplicationBufferSize(),
|
||||
direct?Type.DIRECT:Type.INDIRECT,ssl_session.getApplicationBufferSize(),
|
||||
direct?Type.DIRECT:Type.INDIRECT,_maxBuffers);
|
||||
direct?Type.DIRECT:Type.INDIRECT,1024);
|
||||
|
||||
_httpClient._threadPool.dispatch(this);
|
||||
}
|
||||
|
@ -211,20 +208,15 @@ class SelectConnector extends AbstractLifeCycle implements HttpClient.Connector,
|
|||
|
||||
private synchronized SSLEngine newSslEngine(SocketChannel channel) throws IOException
|
||||
{
|
||||
if (_sslContext==null)
|
||||
{
|
||||
SslContextFactory factory = _httpClient.getSslContextFactory();
|
||||
_sslContext = factory.getSslContext();
|
||||
_enableSslSessionCaching = factory.isEnableSessionCaching();
|
||||
}
|
||||
SslContextFactory sslContextFactory = _httpClient.getSslContextFactory();
|
||||
if (_sslContext == null)
|
||||
_sslContext = sslContextFactory.getSslContext();
|
||||
|
||||
SSLEngine sslEngine = null;
|
||||
if (channel != null && _enableSslSessionCaching)
|
||||
SSLEngine sslEngine;
|
||||
if (channel != null && sslContextFactory.isSessionCachingEnabled())
|
||||
{
|
||||
InetSocketAddress remoteAddr = (InetSocketAddress)channel.socket().getRemoteSocketAddress();
|
||||
String peerHost = remoteAddr.getHostName();
|
||||
int peerPort = remoteAddr.getPort();
|
||||
|
||||
String peerHost = channel.socket().getInetAddress().getHostAddress();
|
||||
int peerPort = channel.socket().getPort();
|
||||
sslEngine = _sslContext.createSSLEngine(peerHost, peerPort);
|
||||
}
|
||||
else
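Review bot: `peerHost` is now the resolved IP literal from `getHostAddress()` rather than the host name this client was asked to connect to, so the JSSE client-side session cache is keyed by IP:port and, on JDKs that derive SNI and endpoint identification from the `createSSLEngine(host, port)` hint, neither will be applied. Dropping `getHostName()` is the right call — it did a blocking reverse DNS lookup on the I/O path — but the replacement should be the destination host name HttpClient already holds for this connection (presumably the destination `Address`; I can't see from this hunk how the connector reaches it), falling back to the IP only when no name is known. As written, two virtual hosts behind the same IP:port share cached sessions. The `else` branch of `newSslEngine` continues outside the hunk.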
|
||||
|
|
|
@ -4,11 +4,11 @@
|
|||
// All rights reserved. This program and the accompanying materials
|
||||
// are made available under the terms of the Eclipse Public License v1.0
|
||||
// and Apache License v2.0 which accompanies this distribution.
|
||||
// The Eclipse Public License is available at
|
||||
// The Eclipse Public License is available at
|
||||
// http://www.eclipse.org/legal/epl-v10.html
|
||||
// The Apache License v2.0 is available at
|
||||
// http://www.opensource.org/licenses/apache2.0.php
|
||||
// You may elect to redistribute this code under either of these licenses.
|
||||
// You may elect to redistribute this code under either of these licenses.
|
||||
// ========================================================================
|
||||
|
||||
package org.eclipse.jetty.client;
|
||||
|
@ -33,16 +33,16 @@ public class SslContentExchangeTest
|
|||
throws Exception
|
||||
{
|
||||
setProtocol("https");
|
||||
|
||||
|
||||
SslSelectChannelConnector connector = new SslSelectChannelConnector();
|
||||
File keystore = MavenTestingUtils.getTestResourceFile("keystore");
|
||||
SslContextFactory cf = connector.getSslContextFactory();
|
||||
cf.setKeyStore(keystore.getAbsolutePath());
|
||||
cf.setKeyStorePassword("storepwd");
|
||||
cf.setKeyManagerPassword("keypwd");
|
||||
cf.setEnableSessionCaching(true);
|
||||
cf.setSessionCachingEnabled(true);
|
||||
server.addConnector(connector);
|
||||
|
||||
|
||||
Handler handler = new TestHandler(getBasePath());
|
||||
|
||||
ServletContextHandler root = new ServletContextHandler();
|
||||
|
@ -50,11 +50,11 @@ public class SslContentExchangeTest
|
|||
root.setResourceBase(getBasePath());
|
||||
ServletHolder servletHolder = new ServletHolder( new DefaultServlet() );
|
||||
servletHolder.setInitParameter( "gzip", "true" );
|
||||
root.addServlet( servletHolder, "/*" );
|
||||
root.addServlet( servletHolder, "/*" );
|
||||
|
||||
HandlerCollection handlers = new HandlerCollection();
|
||||
handlers.setHandlers(new Handler[]{handler, root});
|
||||
server.setHandler( handlers );
|
||||
server.setHandler( handlers );
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -64,6 +64,6 @@ public class SslContentExchangeTest
|
|||
client.setConnectorType(HttpClient.CONNECTOR_SELECT_CHANNEL);
|
||||
|
||||
SslContextFactory cf = client.getSslContextFactory();
|
||||
cf.setEnableSessionCaching(true);
|
||||
cf.setSessionCachingEnabled(true);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -37,7 +37,6 @@ import java.util.Collections;
|
|||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.net.ssl.CertPathTrustManagerParameters;
|
||||
import javax.net.ssl.KeyManager;
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
|
@ -62,19 +61,19 @@ import org.eclipse.jetty.util.security.CertificateValidator;
|
|||
* SslContextFactory is used to configure SSL connectors
|
||||
* as well as HttpClient. It holds all SSL parameters and
|
||||
* creates SSL context based on these parameters to be
|
||||
* used by the SSL connectors.
|
||||
* used by the SSL connectors.
|
||||
*/
|
||||
public class SslContextFactory extends AbstractLifeCycle
|
||||
{
|
||||
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
|
||||
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
|
||||
(Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
|
||||
"SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
|
||||
public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
|
||||
public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
|
||||
(Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
|
||||
"SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
|
||||
|
||||
/** Default value for the keystore location path. */
|
||||
public static final String DEFAULT_KEYSTORE_PATH =
|
||||
public static final String DEFAULT_KEYSTORE_PATH =
|
||||
System.getProperty("user.home") + File.separator + ".keystore";
|
||||
|
||||
/** String name of key password property. */
|
||||
|
@ -96,7 +95,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
private String _keyStoreType = "JKS";
|
||||
/** Keystore input stream */
|
||||
private InputStream _keyStoreInputStream;
|
||||
|
||||
|
||||
/** SSL certificate alias */
|
||||
private String _certAlias;
|
||||
|
||||
|
@ -113,7 +112,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
private boolean _needClientAuth = false;
|
||||
/** Set to true if client certificate authentication is desired */
|
||||
private boolean _wantClientAuth = false;
|
||||
|
||||
|
||||
/** Set to true if renegotiation is allowed */
|
||||
private boolean _allowRenegotiate = true;
|
||||
|
||||
|
@ -150,18 +149,18 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
private boolean _enableOCSP = false;
|
||||
/** Location of OCSP Responder */
|
||||
private String _ocspResponderURL;
|
||||
|
||||
|
||||
/** SSL keystore */
|
||||
private KeyStore _keyStore;
|
||||
/** SSL truststore */
|
||||
private KeyStore _trustStore;
|
||||
/** Set to true to enable SSL Session caching */
|
||||
private boolean _enableSessionCaching;
|
||||
private boolean _sessionCachingEnabled = true;
|
||||
/** SSL session cache size */
|
||||
private int _sslSessionCacheSize;
|
||||
/** SSL session timeout */
|
||||
private int _sslSessionTimeout;
|
||||
|
||||
|
||||
/** SSL context */
|
||||
private SSLContext _context;
|
||||
|
||||
|
@ -173,7 +172,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public SslContextFactory()
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Construct an instance of SslContextFactory
|
||||
|
@ -183,7 +182,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
_keyStorePath = keyStorePath;
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Create the SSLContext object and start the lifecycle
|
||||
|
@ -204,16 +203,16 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
_context = SSLContext.getInstance(_sslProtocol);
|
||||
_context.init(null, new TrustManager[]{trustAllCerts}, null);
|
||||
}
|
||||
|
@ -243,7 +242,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setExcludeCipherSuites(String[] cipherSuites)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_excludeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
|
||||
}
|
||||
|
||||
|
@ -266,7 +265,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setIncludeCipherSuites(String[] cipherSuites)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
|
||||
}
|
||||
|
||||
|
@ -287,7 +286,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setKeyStore(String keyStorePath)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyStorePath = keyStorePath;
|
||||
}
|
||||
|
||||
|
@ -308,7 +307,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setKeyStoreProvider(String keyStoreProvider)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyStoreProvider = keyStoreProvider;
|
||||
}
|
||||
|
||||
|
@ -329,7 +328,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setKeyStoreType(String keyStoreType)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyStoreType = keyStoreType;
|
||||
}
|
||||
|
||||
|
@ -343,21 +342,21 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public InputStream getKeyStoreInputStream()
|
||||
{
|
||||
checkConfig();
|
||||
|
||||
|
||||
return _keyStoreInputStream;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/** Set the keyStoreInputStream.
|
||||
* @param keyStoreInputStream the InputStream to the KeyStore
|
||||
*
|
||||
*
|
||||
* @deprecated
|
||||
*/
|
||||
@Deprecated
|
||||
public void setKeyStoreInputStream(InputStream keyStoreInputStream)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyStoreInputStream = keyStoreInputStream;
|
||||
}
|
||||
|
||||
|
@ -378,7 +377,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setCertAlias(String certAlias)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_certAlias = certAlias;
|
||||
}
|
||||
|
||||
|
@ -399,7 +398,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setTrustStore(String trustStorePath)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_trustStorePath = trustStorePath;
|
||||
}
|
||||
|
||||
|
@ -420,7 +419,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setTrustStoreProvider(String trustStoreProvider)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_trustStoreProvider = trustStoreProvider;
|
||||
}
|
||||
|
||||
|
@ -441,7 +440,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setTrustStoreType(String trustStoreType)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_trustStoreType = trustStoreType;
|
||||
}
|
||||
|
||||
|
@ -455,7 +454,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public InputStream getTrustStoreInputStream()
|
||||
{
|
||||
checkConfig();
|
||||
|
||||
|
||||
return _trustStoreInputStream;
|
||||
}
|
||||
|
||||
|
@ -469,7 +468,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setTrustStoreInputStream(InputStream trustStoreInputStream)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_trustStoreInputStream = trustStoreInputStream;
|
||||
}
|
||||
|
||||
|
@ -492,7 +491,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setNeedClientAuth(boolean needClientAuth)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_needClientAuth = needClientAuth;
|
||||
}
|
||||
|
||||
|
@ -515,7 +514,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setWantClientAuth(boolean wantClientAuth)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_wantClientAuth = wantClientAuth;
|
||||
}
|
||||
|
||||
|
@ -547,7 +546,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setValidateCerts(boolean validateCerts)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_validateCerts = validateCerts;
|
||||
}
|
||||
|
||||
|
@ -568,7 +567,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setValidatePeerCerts(boolean validatePeerCerts)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_validatePeerCerts = validatePeerCerts;
|
||||
}
|
||||
|
||||
|
@ -586,16 +585,16 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
|
||||
* a vulnerability in SSL/TLS with re-negotiation. If your JVM
|
||||
* does not have CVE-2009-3555 fixed, then re-negotiation should
|
||||
* not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
|
||||
* not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
|
||||
* of renegotiates in u19 and with RFC5746 in u22.
|
||||
*
|
||||
*
|
||||
* @param allowRenegotiate
|
||||
* true if re-negotiation is allowed (default false)
|
||||
*/
|
||||
public void setAllowRenegotiate(boolean allowRenegotiate)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_allowRenegotiate = allowRenegotiate;
|
||||
}
|
||||
|
||||
|
@ -607,7 +606,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setKeyStorePassword(String password)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
|
||||
}
|
||||
|
||||
|
@ -619,7 +618,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setKeyManagerPassword(String password)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
|
||||
}
|
||||
|
||||
|
@ -631,7 +630,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setTrustStorePassword(String password)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
|
||||
}
|
||||
|
||||
|
@ -654,7 +653,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setProvider(String provider)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_sslProvider = provider;
|
||||
}
|
||||
|
||||
|
@ -677,7 +676,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setProtocol(String protocol)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_sslProtocol = protocol;
|
||||
}
|
||||
|
||||
|
@ -702,7 +701,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setSecureRandomAlgorithm(String algorithm)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_secureRandomAlgorithm = algorithm;
|
||||
}
|
||||
|
||||
|
@ -723,7 +722,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_keyManagerFactoryAlgorithm = algorithm;
|
||||
}
|
||||
|
||||
|
@ -744,7 +743,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setTrustManagerFactoryAlgorithm(String algorithm)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_trustManagerFactoryAlgorithm = algorithm;
|
||||
}
|
||||
|
||||
|
@ -765,7 +764,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setCrlPath(String crlPath)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_crlPath = crlPath;
|
||||
}
|
||||
|
||||
|
@ -788,7 +787,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setMaxCertPathLength(int maxCertPathLength)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_maxCertPathLength = maxCertPathLength;
|
||||
}
|
||||
|
||||
|
@ -809,7 +808,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
public void setSslContext(SSLContext sslContext)
|
||||
{
|
||||
checkStarted();
|
||||
|
||||
|
||||
_context = sslContext;
|
||||
}
|
||||
|
||||
|
@ -819,13 +818,13 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
protected void createSSLContext() throws Exception
|
||||
{
|
||||
// verify that keystore and truststore
|
||||
// parameters are set up correctly
|
||||
// verify that keystore and truststore
|
||||
// parameters are set up correctly
|
||||
checkConfig();
|
||||
|
||||
|
||||
KeyStore keyStore = loadKeyStore();
|
||||
KeyStore trustStore = loadTrustStore();
|
||||
|
||||
|
||||
Collection<? extends CRL> crls = loadCRL(_crlPath);
|
||||
|
||||
if (_validateCerts && keyStore != null)
|
||||
|
@ -835,7 +834,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
List<String> aliases = Collections.list(keyStore.aliases());
|
||||
_certAlias = aliases.size() == 1 ? aliases.get(0) : null;
|
||||
}
|
||||
|
||||
|
||||
Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
|
||||
if (cert == null)
|
||||
{
|
||||
|
@ -856,12 +855,12 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
|
||||
_context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
|
||||
_context.init(keyManagers,trustManagers,secureRandom);
|
||||
|
||||
|
||||
SSLSessionContext sslSessionContext = _context.getServerSessionContext();
|
||||
sslSessionContext.setSessionCacheSize(_sslSessionCacheSize);
|
||||
sslSessionContext.setSessionTimeout(_sslSessionTimeout);
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Override this method to provide alternate way to load a keystore.
|
||||
|
@ -871,11 +870,11 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
*/
|
||||
protected KeyStore loadKeyStore() throws Exception
|
||||
{
|
||||
return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
|
||||
return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
|
||||
_keyStorePath, _keyStoreType, _keyStoreProvider,
|
||||
_keyStorePassword==null? null: _keyStorePassword.toString());
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Override this method to provide alternate way to load a truststore.
|
||||
|
@ -889,7 +888,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
_trustStorePath, _trustStoreType, _trustStoreProvider,
|
||||
_trustStorePassword==null? null: _trustStorePassword.toString());
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Loads keystore using an input stream or a file path in the same
|
||||
|
@ -905,7 +904,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* @param storePassword keystore password
|
||||
* @return created keystore
|
||||
* @throws Exception
|
||||
*
|
||||
*
|
||||
* @deprecated
|
||||
*/
|
||||
@Deprecated
|
||||
|
@ -934,13 +933,13 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
|
||||
{
|
||||
KeyManager[] managers = null;
|
||||
|
||||
|
||||
if (keyStore != null)
|
||||
{
|
||||
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
|
||||
keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
|
||||
managers = keyManagerFactory.getKeyManagers();
|
||||
|
||||
|
||||
if (_certAlias != null)
|
||||
{
|
||||
for (int idx = 0; idx < managers.length; idx++)
|
||||
|
@ -988,7 +987,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
{
|
||||
// Enable On-Line Certificate Status Protocol (OCSP) support
|
||||
Security.setProperty("ocsp.enable","true");
|
||||
|
||||
|
||||
if (_ocspResponderURL != null)
|
||||
{
|
||||
// Override location of OCSP Responder
|
||||
|
@ -1028,9 +1027,9 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
// configuration doesn't have a valid keystore
|
||||
check = false;
|
||||
}
|
||||
else
|
||||
else
|
||||
{
|
||||
// if the keystore has been configured but there is no
|
||||
// if the keystore has been configured but there is no
|
||||
// truststore configured, use the keystore as the truststore
|
||||
if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
|
||||
{
|
||||
|
@ -1043,7 +1042,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
_trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// It's the same stream we cannot read it twice, so read it once in memory
|
||||
if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
|
||||
{
|
||||
|
@ -1052,7 +1051,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||
IO.copy(_keyStoreInputStream, baos);
|
||||
_keyStoreInputStream.close();
|
||||
|
||||
|
||||
_keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
|
||||
_trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
|
||||
}
|
||||
|
@ -1061,7 +1060,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return check;
|
||||
}
|
||||
|
||||
|
@ -1070,8 +1069,8 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
* Select cipher suites to be used by the connector
|
||||
* based on configured inclusion and exclusion lists
|
||||
* as well as enabled and supported cipher suite lists.
|
||||
* @param enabledCipherSuites Array of enabled cipher suites
|
||||
* @param supportedCipherSuites Array of supported cipher suites
|
||||
* @param enabledCipherSuites Array of enabled cipher suites
|
||||
* @param supportedCipherSuites Array of supported cipher suites
|
||||
* @return Array of cipher suites to enable
|
||||
*/
|
||||
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
|
||||
|
@ -1086,14 +1085,14 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
selectedCipherSuites = new HashSet<String>();
|
||||
}
|
||||
|
||||
if ((supportedCipherSuites != null && supportedCipherSuites.length > 0) &&
|
||||
if ((supportedCipherSuites != null && supportedCipherSuites.length > 0) &&
|
||||
(_includeCipherSuites != null && _includeCipherSuites.size() > 0))
|
||||
{
|
||||
Set<String> supportedCSList = new HashSet<String>(Arrays.asList(supportedCipherSuites));
|
||||
|
||||
|
||||
for (String cipherName : _includeCipherSuites)
|
||||
{
|
||||
if ((!selectedCipherSuites.contains(cipherName)) &&
|
||||
if ((!selectedCipherSuites.contains(cipherName)) &&
|
||||
supportedCSList.contains(cipherName))
|
||||
{
|
||||
selectedCipherSuites.add(cipherName);
|
||||
|
@ -1114,7 +1113,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
return selectedCipherSuites.toArray(new String[selectedCipherSuites.size()]);
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Check if the lifecycle has been started and throw runtime exception
|
||||
|
@ -1128,7 +1127,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
/**
|
||||
* @return true if CRL Distribution Points support is enabled
|
||||
*/
|
||||
public boolean isEnableCRLDP()
|
||||
|
@ -1148,7 +1147,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
/**
|
||||
* @return true if On-Line Certificate Status Protocol support is enabled
|
||||
*/
|
||||
public boolean isEnableOCSP()
|
||||
|
@ -1168,7 +1167,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
/**
|
||||
* @return Location of the OCSP Responder
|
||||
*/
|
||||
public String getOcspResponderURL()
|
||||
|
@ -1208,7 +1207,7 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
|
||||
_trustStore = trustStore;
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/** Set the key store resource.
|
||||
* @param resource the key store resource to set
|
||||
|
@ -1248,21 +1247,21 @@ public class SslContextFactory extends AbstractLifeCycle
|
|||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
/**
|
||||
* @return true if SSL Session caching is enabled
|
||||
*/
|
||||
public boolean isEnableSessionCaching()
|
||||
public boolean isSessionCachingEnabled()
|
||||
{
|
||||
return _enableSessionCaching;
|
||||
return _sessionCachingEnabled;
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/** Set the flag to enable SSL Session caching.
|
||||
* @param enableSessionCaching the value of the flag
|
||||
* @param enableSessionCaching the value of the flag
|
||||
*/
|
||||
public void setEnableSessionCaching(boolean enableSessionCaching)
|
||||
public void setSessionCachingEnabled(boolean enableSessionCaching)
|
||||
{
|
||||
_enableSessionCaching = enableSessionCaching;
|
||||
_sessionCachingEnabled = enableSessionCaching;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
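Review bot: With `_sessionCachingEnabled` now defaulting to `true`, the unchanged tail of `createSSLContext` (`sslSessionContext.setSessionCacheSize(_sslSessionCacheSize)` / `setSessionTimeout(_sslSessionTimeout)`) runs with both fields at their implicit default of 0, which JSSE interprets as an unbounded cache and sessions that never expire; I don't see setters for those fields in this diff, so the out-of-the-box configuration may retain every session master secret indefinitely. Suggest overriding the JSSE defaults only when a value is actually configured: `if (_sslSessionCacheSize > 0) sslSessionContext.setSessionCacheSize(_sslSessionCacheSize);` and `if (_sslSessionTimeout > 0) sslSessionContext.setSessionTimeout(_sslSessionTimeout);`, or give the timeout a sane non-zero default. The Javadoc on `setSessionCachingEnabled` should also state that, as far as JSSE is concerned, the flag only controls whether peer host/port hints are passed to `createSSLEngine`, and that server-side resumption is governed by the `SSLSessionContext` settings above.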
|
||||
|
|
|
@ -14,10 +14,8 @@
|
|||
package org.eclipse.jetty.server.ssl;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.nio.channels.SelectionKey;
|
||||
import java.nio.channels.SocketChannel;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLSession;
|
||||
|
@ -119,7 +117,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
* Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
|
||||
* a vulnerability in SSL/TLS with re-negotiation. If your JVM
|
||||
* does not have CVE-2009-3555 fixed, then re-negotiation should
|
||||
* not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
|
||||
* not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban
|
||||
* of renegotiate in u19 and with RFC5746 in u22.
|
||||
* @param allowRenegotiate true if re-negotiation is allowed (default false)
|
||||
* @deprecated
|
||||
|
@ -210,7 +208,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Unsupported.
|
||||
*
|
||||
*
|
||||
* TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
|
||||
* @deprecated
|
||||
*/
|
||||
|
@ -223,7 +221,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* Unsupported.
|
||||
*
|
||||
*
|
||||
* TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
|
||||
* @deprecated
|
||||
*/
|
||||
|
@ -542,7 +540,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
@Override
|
||||
protected SelectChannelEndPoint newEndPoint(SocketChannel channel, SelectSet selectSet, SelectionKey key) throws IOException
|
||||
{
|
||||
SSLEngine engine = createSSLEngine(_sslContextFactory.isEnableSessionCaching() ? channel : null);
|
||||
SSLEngine engine = createSSLEngine(channel);
|
||||
SslSelectChannelEndPoint endp = new SslSelectChannelEndPoint(_sslBuffers,channel,selectSet,key,engine, SslSelectChannelConnector.this._maxIdleTime);
|
||||
endp.setAllowRenegotiate(_sslContextFactory.isAllowRenegotiate());
|
||||
return endp;
|
||||
|
@ -557,61 +555,39 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
return connection;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
protected SSLEngine createSSLEngine() throws IOException
|
||||
{
|
||||
SSLEngine engine = null;
|
||||
try
|
||||
{
|
||||
engine = _sslContextFactory.getSslContext().createSSLEngine();
|
||||
|
||||
customizeEngine(engine);
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
Log.warn("Error creating sslEngine -- closing this connector",e);
|
||||
close();
|
||||
throw new IllegalStateException(e);
|
||||
}
|
||||
return engine;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @param channel A channel which if passed is used as to extract remote
|
||||
* @param channel A channel which if passed is used as to extract remote
|
||||
* host and port for the purposes of SSL session caching
|
||||
* @return A SSLEngine for a new or cached SSL Session
|
||||
* @throws IOException
|
||||
* @throws IOException if the SSLEngine cannot be created
|
||||
*/
|
||||
protected SSLEngine createSSLEngine(SocketChannel channel) throws IOException
|
||||
{
|
||||
SSLEngine engine = null;
|
||||
if (channel == null)
|
||||
try
|
||||
{
|
||||
engine = createSSLEngine();
|
||||
}
|
||||
else
|
||||
{
|
||||
try
|
||||
SSLEngine engine;
|
||||
if (channel != null && _sslContextFactory.isSessionCachingEnabled())
|
||||
{
|
||||
InetSocketAddress remoteAddr = (InetSocketAddress)channel.socket().getRemoteSocketAddress();
|
||||
String peerHost = remoteAddr.getHostName();
|
||||
int peerPort = remoteAddr.getPort();
|
||||
|
||||
String peerHost = channel.socket().getInetAddress().getHostAddress();
|
||||
int peerPort = channel.socket().getPort();
|
||||
engine = _sslContextFactory.getSslContext().createSSLEngine(peerHost, peerPort);
|
||||
|
||||
customizeEngine(engine);
|
||||
}
|
||||
catch (Exception e)
|
||||
else
|
||||
{
|
||||
Log.warn("Error creating sslEngine -- closing this connector",e);
|
||||
close();
|
||||
throw new IllegalStateException(e);
|
||||
engine = _sslContextFactory.getSslContext().createSSLEngine();
|
||||
}
|
||||
customizeEngine(engine);
|
||||
return engine;
|
||||
}
|
||||
catch (Exception x)
|
||||
{
|
||||
Log.warn("Error creating SSLEngine -- closing this connector", x);
|
||||
close();
|
||||
throw new IllegalStateException(x);
|
||||
}
|
||||
return engine;
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
private void customizeEngine(SSLEngine engine)
|
||||
{
|
||||
|
@ -638,19 +614,19 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
{
|
||||
throw new IllegalStateException("SSL context is not configured correctly.");
|
||||
}
|
||||
|
||||
_sslContextFactory.start();
|
||||
|
||||
|
||||
_sslContextFactory.start();
|
||||
|
||||
SSLEngine sslEngine = _sslContextFactory.getSslContext().createSSLEngine();
|
||||
|
||||
sslEngine.setUseClientMode(false);
|
||||
sslEngine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
|
||||
sslEngine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
|
||||
|
||||
|
||||
sslEngine.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
|
||||
sslEngine.getEnabledCipherSuites(),
|
||||
sslEngine.getSupportedCipherSuites()));
|
||||
|
||||
|
||||
SSLSession sslSession = sslEngine.getSession();
|
||||
|
||||
_sslBuffers = BuffersFactory.newBuffers(
|
||||
|
@ -666,7 +642,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
|
||||
super.doStart();
|
||||
}
|
||||
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @see org.eclipse.jetty.server.nio.SelectChannelConnector#doStop()
|
||||
|
@ -674,7 +650,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
|
|||
@Override
|
||||
protected void doStop() throws Exception
|
||||
{
|
||||
_sslContextFactory.stop();
|
||||
_sslContextFactory.stop();
|
||||
_sslBuffers=null;
|
||||
super.doStop();
|
||||
}
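Review bot: In the new `createSSLEngine(SocketChannel)` the hints passed to `createSSLEngine(peerHost, peerPort)` are the remote client's address and ephemeral port, which to my knowledge do not drive server-side resumption in JSSE (the server looks sessions up by session ID in its `SSLSessionContext`), so `isSessionCachingEnabled()` here only changes what `SSLSession.getPeerHost()`/`getPeerPort()` report and will not disable caching when set to `false`; a comment such as `// hints only populate peer host/port on the SSLSession; server-side resumption is controlled by the SSLSessionContext` would save the next reader the same investigation. Separately, the broadened `try` now wraps per-connection address extraction, yet the `catch` still (as before) calls `close()` on the whole connector, so a single failure creating an engine for one accepted socket takes the listener down for every client — consider rethrowing without `close()` unless `getSslContext()` itself failed. Removing the `protected` no-arg `createSSLEngine()` also breaks any subclass that overrode or called it.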
|
||||
|
|