* Issue #3863 - Enforce use of SNI.
Introduced SslContextFactory.rejectUnmatchedSNIHost (default false)
so that if no SNI is sent, or SNI does not match a certificate,
then the TLS handshake is aborted.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* Issue #3863 - Enforce use of SNI.
Updates after review.
Introduced SslContextFactory.SNISelector to allow application to write
their custom logic to select a certificate based on SNI information.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* Issue #3863 Enforce SNI
Added two sniRequired fields - one at SslContextLevel and the other at the SecureRequestCustomizer. This allows rejection either at TLS handshake or by 400 response.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 Enforce SNI
cleanups from review
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 Enforce SNI
improved comments
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 Enforce SNI
syntax sugar
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #3863 SNI
Updates from review. Extra test for sniSelector function
Signed-off-by: Greg Wilkins <gregw@webtide.com>
Made method reportDifferences(...) private since it was exposing
package private class TimeNSize and no code outside of jetty-util
could have used it.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
* issue exclude/include con name InetAccesHandler - add better unit test
this logic:
String name =
baseRequest.getHttpChannel().getConnector().getName();
return _names.test(name) && _addrs.test(addr);
Is not correct. it's treating the connector name exactly like the
filter. But that's not what it's intended to do. It's supposed to tell
what connectors are applicable to this filter. And what connectors are
not affected.
For example in the unit test there exists 2 connectors:
http
tls
We want to restrict the http connector, but we want to leave tls
connector alone.
So we would specify:
include = 192.168.1.1-192.168.1.254
includeConnector = http
The way the logic is above, it is treating the connector name as if it's
the filter itself. Which is not what I intended.
What i need in psuedo-code is this:
if (there are no "include connectors" OR if this connector is
included) AND (if this connector is not in the excluded list)
---> Then apply the IP filter.
Signed-off-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>
* exclude should take precedence over include
Signed-off-by: Nicholas DiPiazza <nicholas.dipiazza@lucidworks.com>
* Issue #4193 InetAccessHandler
reverted changes to IncludeExcludeSet
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4193 InetAccessHandler
updates from review
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4188 Spin in close of GzipHandler
Cleanup and simplify code
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4188 Spin in close of GzipHandler
Fix slice code. Added unit test for it.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4188 Spin in close of GzipHandler
Fixed last slice.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* cleanup from review
Signed-off-by: Greg Wilkins <gregw@webtide.com>
There is a race between the doStop clearing the key map and the watching thread
checking isRunning before iterating over the key map.
While more sophisticated approaches could be used, I think that is best to defer
until this class is reworked entirely. For now just using a ConcurrentHashMap will
avoid the exception and the closing of the pathwatcher will prevent watching forever.
Signed-off-by: Greg Wilkins <gregw@webtide.com>
Fixed setting of host/port in AbstractConnectorHttpClientTransport
and HttpProxy so that the creation of SSLEngine can use the proper
host/port pair, and can be subsequently used in TLS components.
Introduced SslContextFactory X509ExtendedKeyManagerWrapper and
X509ExtendedTrustManagerWrapper as utility classes used internally
and in tests.
The test case for this issue required 3 keystores, so other test
classes have been refactored to use the new keystores.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Several QTP fixes:
* #4105 Threads without jobs now check if they should idle die before waiting rather than before, this allows idling under steady load. 3ad6780
* #4121 ThreadFactory behaviour supported by doing thread config within newThread call. 7b306d7
* #4122 Always clear the interrupted status. c37a4ff
task = queue.poll(timeout);
Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4105 - starting a thread in QTP now increments idle count
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
* Issue #4105 - improve comments in test
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Added test to reproduce issue
Fixed bug from #2772 where output was shutdown on DONE without checking for END.
Fixed aggregation logic to aggregate last write if aggregation already started
Improved comments and clarify conditions
Signed-off-by: Greg Wilkins <gregw@webtide.com>
Now using the _size AtomicInteger to resolve the race between stopping
and adding to the stack.
A _size of -1 now means no more threads can be added to the stack, and
the loop in doStop() will now only exit if it can set the size to -1.
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
Introduced a Response.DemandedContentListener to explicitly separate
the will to request more content from the notification that the content
has been consumed.
Updated all transports to follow the new semantic: rather than waiting
for the callback to complete before delivering more content, now they
wait for the demand to be positive to deliver more content.
Since now the content may be unconsumed but there can be more demand,
all transport implementation had to be changed to use RetainableByteBuffer
to retain content buffers that were not consumed.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Code cleanups and reformatting.
Fixed logic for SETTINGS frame replies: they are not subject to rate control.
Signed-off-by: Simone Bordet <simone.bordet@gmail.com>