connector.setScheme("https"); connector.setAttribute("SSLEnabled", "true"); SSLHostConfig sslHostConfig = new SSLHostConfig(); SSLHostConfigCertificate cert = new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.RSA); cert.setCertificateKeystorePassword(keystorePassword); cert.setCertificateKeyAlias(keyAlias); sslHostConfig.addCertificate(cert); connector.addSslHostConfig(sslHostConfig);
/** * To SslHostConfig info. * * @param sslHostConfig the SslHostConfig * @return the SslHostConfig info * @throws IllegalAccessException the illegal access exception * @throws InvocationTargetException the invocation target exception */ private SslHostConfigInfo toSslHostConfigInfo(SSLHostConfig sslHostConfig) throws IllegalAccessException, InvocationTargetException { SslHostConfigInfo sslHostConfigInfo = new SslHostConfigInfo(); BeanUtils.copyProperties(sslHostConfigInfo, sslHostConfig); Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(); List<CertificateInfo> certificateInfos = new ArrayList<>(certificates.size()); sslHostConfigInfo.setCertificateInfos(certificateInfos); for (SSLHostConfigCertificate sslHostConfigCertificate : certificates) { certificateInfos.add(toCertificateInfo(sslHostConfigCertificate)); } return sslHostConfigInfo; }
if (isCertificateFromClasspath(sslHostConf.getCertificateKeystoreFile())) { copyCertificateToConfDir(sslHostConf.getCertificateKeystoreFile()); sslHostConf.setCertificateKeystoreFile(base.getAbsolutePath() + "/conf/" + sslHostConf.getCertificateKeystoreFile()); if (isCertificateFromClasspath(sslHostConf.getCertificateKeyFile())) { copyCertificateToConfDir(sslHostConf.getCertificateKeyFile()); sslHostConf.setCertificateKeyFile(base.getAbsolutePath() + "/conf/" + sslHostConf.getCertificateKeyFile()); copyCertificateToConfDir(sslHostConf.getCertificateFile()); sslHostConf.setCertificateFile(base.getAbsolutePath() + "/conf/" + sslHostConf.getCertificateFile()); if (isCertificateFromClasspath(sslHostConf.getTruststoreFile())) { copyCertificateToConfDir(sslHostConf.getTruststoreFile()); sslHostConf.setTruststoreFile(base.getAbsolutePath() + "/conf/" + sslHostConf.getTruststoreFile()); if (isCertificateFromClasspath(sslHostConf.getCertificateChainFile())) { copyCertificateToConfDir(sslHostConf.getCertificateChainFile()); sslHostConf.setCertificateChainFile(base.getAbsolutePath() + "/conf/" + sslHostConf.getCertificateChainFile());
@Override protected void createSSLContext(SSLHostConfig sslHostConfig) throws Exception { Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true); boolean firstCertificate = true; for (SSLHostConfigCertificate certificate : certificates) { if (SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()) == null) { true, sslHostConfig.getProtocols(), OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET); sslHostConfig.setEnabledProtocols( enabledProtocols.toArray(new String[enabledProtocols.size()])); false, sslHostConfig.getJsseCipherNames(), OpenSSLEngine.AVAILABLE_CIPHER_SUITES); sslHostConfig.setEnabledCiphers( enabledCiphers.toArray(new String[enabledCiphers.size()])); if (sslHostConfig.getProtocols().size() == 0) { for (String protocol : sslHostConfig.getEnabledProtocols()) { if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol)) { if (sslHostConfig.getInsecureRenegotiation()) { SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); } else { if (sslHostConfig.getHonorCipherOrder()) { SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); } else {
SSLHostConfig[] sslHostConfigs = connector.getProtocolHandler().findSslHostConfigs(); for (SSLHostConfig sslHostConfig : sslHostConfigs) { String name = connector.toString() + "-" + sslHostConfig.getHostName(); List<String> certList = new ArrayList<>(); if (sslHostConfig.getOpenSslContext().longValue() == 0) { sslHostConfig.getCertificates().iterator().next().getSslContext(); X509Certificate[] certs = sslContext.getAcceptedIssuers(); if (certs == null) {
public void setConfigType(Type configType) { this.configType = configType; if (configType == Type.EITHER) { if (configuredProperties.remove(Type.JSSE) == null) { configuredProperties.remove(Type.OPENSSL); } } else { configuredProperties.remove(configType); } for (Map.Entry<Type,Set<String>> entry : configuredProperties.entrySet()) { for (String property : entry.getValue()) { log.warn(sm.getString("sslHostConfig.mismatch", property, getHostName(), entry.getKey(), configType)); } } }
private void registerDefaultSSLHostConfig() { if (defaultSSLHostConfig == null) { for (SSLHostConfig sslHostConfig : findSslHostConfigs()) { if (getDefaultSSLHostConfigName().equals(sslHostConfig.getHostName())) { defaultSSLHostConfig = sslHostConfig; break; } } if (defaultSSLHostConfig == null) { defaultSSLHostConfig = new SSLHostConfig(); defaultSSLHostConfig.setHostName(getDefaultSSLHostConfigName()); getEndpoint().addSslHostConfig(defaultSSLHostConfig); } } }
SSLHostConfig[] sslHostConfigs = connector.getProtocolHandler().findSslHostConfigs(); for (SSLHostConfig sslHostConfig : sslHostConfigs) { String name = connector.toString() + "-" + sslHostConfig.getHostName(); List<String> certList = new ArrayList<>(); SSLContext sslContext = sslHostConfig.getCertificates().iterator().next().getSslContext(); X509Certificate[] certs = sslContext.getAcceptedIssuers(); if (certs == null) {
try { sslOname = new ObjectName(domain + ":type=SSLHostConfig,ThreadPool=\"" + getName() + "\",name=" + ObjectName.quote(sslHostConfig.getHostName())); sslHostConfig.setObjectName(sslOname); try { Registry.getRegistry(null, null).registerComponent(sslHostConfig, sslOname, null); sslHostConfig.getHostName()), e); for (SSLHostConfigCertificate sslHostConfigCert : sslHostConfig.getCertificates()) { ObjectName sslCertOname = null; try { sslCertOname = new ObjectName(domain + ":type=SSLHostConfigCertificate,ThreadPool=\"" + getName() + "\",Host=" + ObjectName.quote(sslHostConfig.getHostName()) + ",name=" + sslHostConfigCert.getType()); sslHostConfigCert.setObjectName(sslCertOname); sslHostConfig.getHostName(), sslHostConfigCert.getType()), e);
protected Map<String,List<String>> getConnectorCiphers() { Map<String,List<String>> result = new HashMap<>(); Connector connectors[] = getConnectors(); for (Connector connector : connectors) { if (Boolean.TRUE.equals(connector.getProperty("SSLEnabled"))) { SSLHostConfig[] sslHostConfigs = connector.getProtocolHandler().findSslHostConfigs(); for (SSLHostConfig sslHostConfig : sslHostConfigs) { String name = connector.toString() + "-" + sslHostConfig.getHostName(); /* Add cipher list, keep order but remove duplicates */ result.put(name, new ArrayList<>(new LinkedHashSet<>( Arrays.asList(sslHostConfig.getEnabledCiphers())))); } } else { ArrayList<String> cipherList = new ArrayList<>(1); cipherList.add(sm.getString("managerServlet.notSslConnector")); result.put(connector.toString(), cipherList); } } return result; }
@Override protected void releaseSSLContext(SSLHostConfig sslHostConfig) { Long ctx = sslHostConfig.getOpenSslContext(); if (ctx != null && ctx.longValue() != 0L) { SSLContext.free(ctx.longValue()); sslHostConfig.setOpenSslContext(null); } Long cctx = sslHostConfig.getOpenSslConfContext(); if (cctx != null && cctx.longValue() != 0L) { SSLConf.free(cctx.longValue()); sslHostConfig.setOpenSslConfContext(null); } }
private SSLHostConfigCertificate selectCertificate( SSLHostConfig sslHostConfig, List<Cipher> clientCiphers) { Set<SSLHostConfigCertificate> certificates = sslHostConfig.getCertificates(true); if (certificates.size() == 1) { return certificates.iterator().next(); } LinkedHashSet<Cipher> serverCiphers = sslHostConfig.getCipherList(); List<Cipher> candidateCiphers = new ArrayList<>(); if (sslHostConfig.getHonorCipherOrder()) { candidateCiphers.addAll(serverCiphers); candidateCiphers.retainAll(clientCiphers); } else { candidateCiphers.addAll(clientCiphers); candidateCiphers.retainAll(serverCiphers); } for (Cipher candidate : candidateCiphers) { for (SSLHostConfigCertificate certificate : certificates) { if (certificate.getType().isCompatibleWith(candidate.getAu())) { return certificate; } } } // No matches. Just return the first certificate. The handshake will // then fail due to no matching ciphers. return certificates.iterator().next(); }
switch (sslHostConfig.getCertificateVerification()) { case NONE: engine.setNeedClientAuth(false); engine.setEnabledCipherSuites(sslHostConfig.getEnabledCiphers()); engine.setEnabledProtocols(sslHostConfig.getEnabledProtocols()); sslParameters.setUseCipherSuitesOrder(sslHostConfig.getHonorCipherOrder()); if (JreCompat.isJre9Available() && clientRequestedApplicationProtocols != null && clientRequestedApplicationProtocols.size() > 0
@Override protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException { boolean firstCertificate = true; for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) { SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate); if (firstCertificate) { firstCertificate = false; sslHostConfig.setEnabledProtocols(sslUtil.getEnabledProtocols()); sslHostConfig.setEnabledCiphers(sslUtil.getEnabledCiphers()); } SSLContext sslContext; try { sslContext = sslUtil.createSSLContext(negotiableProtocols); sslContext.init(sslUtil.getKeyManagers(), sslUtil.getTrustManagers(), null); } catch (Exception e) { throw new IllegalArgumentException(e.getMessage(), e); } SSLSessionContext sessionContext = sslContext.getServerSessionContext(); if (sessionContext != null) { sslUtil.configureSessionContext(sessionContext); } certificate.setSslContext(sslContext); } }
private void unregisterJmx(SSLHostConfig sslHostConfig) { Registry registry = Registry.getRegistry(null, null); registry.unregisterComponent(sslHostConfig.getObjectName()); for (SSLHostConfigCertificate sslHostConfigCert : sslHostConfig.getCertificates()) { registry.unregisterComponent(sslHostConfigCert.getObjectName()); } }
String key = sslHostConfig.getHostName(); if (key == null || key.length() == 0) { throw new IllegalArgumentException(sm.getString("endpoint.noSslHostName")); sslHostConfig.setConfigType(getSslConfigType()); try { createSSLContext(sslHostConfig);
sslHostConfig.setConfigType(getSslConfigType()); createSSLContext(sslHostConfig); getDefaultSSLHostConfigName(), getName())); Long defaultSSLContext = defaultSSLHostConfig.getOpenSslContext(); sslContext = defaultSSLContext.longValue(); SSLContext.registerDefault(defaultSSLContext, this);
public String getKeystoreFile() { registerDefaultSSLHostConfig(); return defaultSSLHostConfig.getCertificateKeystoreFile(); } public void setKeystoreFile(String keystoreFile) {
public String getSSLCertificateChainFile() { registerDefaultSSLHostConfig(); return defaultSSLHostConfig.getCertificateChainFile(); } public void setSSLCertificateChainFile(String certificateChainFile) {
@Override public long getSslContext(String sniHostName) { SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName); Long ctx = sslHostConfig.getOpenSslContext(); if (ctx != null) { return ctx.longValue(); } // Default return 0; }