<Server port="8005" shutdown="SHUTDOWN">
<!--APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" />
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
import org.apache.catalina.util.StringManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import java.lang.reflect.InvocationTargetException;
+
/**
protected static final int RECOMMENDED_PV = 6;
+ // ---------------------------------------------- Properties
+ protected static String SSLEngine = "on"; //default on
+ protected static boolean sslInitialized = false;
+
// ---------------------------------------------- LifecycleListener Methods
-
/**
* Primary entry point for startup and shutdown events.
*
minor = clazz.getField("TCN_MINOR_VERSION").getInt(null);
patch = clazz.getField("TCN_PATCH_VERSION").getInt(null);
} catch (Throwable t) {
+ t.printStackTrace();
if (!log.isDebugEnabled()) {
log.info(sm.getString("aprListener.aprInit",
System.getProperty("java.library.path")));
+ REQUIRED_MINOR + "." + RECOMMENDED_PV));
}
}
+ try {
+ initializeSSL();
+ }catch ( Throwable t ) {
+ log.error(sm.getString("aprListener.sslInit",t.getMessage()),t);
+ }
} else if (Lifecycle.AFTER_STOP_EVENT.equals(event.getType())) {
try {
String methodName = "terminate";
}
}
+
+ public static synchronized void initializeSSL()
+ throws ClassNotFoundException,NoSuchMethodException,
+ IllegalAccessException,InvocationTargetException{
+
+ if ("off".equalsIgnoreCase(SSLEngine) ) return;
+ if ( sslInitialized ) return; //only once per VM
+ String methodName = "initialize";
+ Class paramTypes[] = new Class[1];
+ paramTypes[0] = String.class;
+ Object paramValues[] = new Object[1];
+ paramValues[0] = "on".equalsIgnoreCase(SSLEngine)?null:SSLEngine;
+ Class clazz = Class.forName("org.apache.tomcat.jni.SSL");
+ Method method = clazz.getMethod(methodName, paramTypes);
+ method.invoke(null, paramValues);
+ sslInitialized = true;
+
+ }
}
aprListener.tcnInvalid=An incompatible version {0} of the Apache Tomcat Native library is installed, while Tomcat requires version {1}
aprListener.tcnVersion=An older version {0} of the Apache Tomcat Native library is installed, while Tomcat recommends version greater then {1}
aprListener.aprDestroy=Failed shutdown of Apache Portable Runtime
+aprListener.sslInit=Unable to initialize the SSLEngine, failed with message: {0}
containerBase.addDefaultMapper=Exception configuring default mapper of class {0}
containerBase.alreadyStarted=Container {0} has already been started
containerBase.notConfigured=No basic Valve has been configured
response.setOutputBuffer(outputBuffer);
request.setResponse(response);
- ssl = !"off".equalsIgnoreCase(endpoint.getSSLEngine());
+ ssl = endpoint.isSSLEnabled();
initializeFilters();
/**
* SSL engine.
*/
- public String getSSLEngine() { return ep.getSSLEngine(); }
- public void setSSLEngine(String SSLEngine) { ep.setSSLEngine(SSLEngine); }
+ public boolean isSSLEnabled() { return ep.isSSLEnabled(); }
+ public void setSSLEnabled(boolean SSLEnabled) { ep.setSSLEnabled(SSLEnabled); }
/**
response.setOutputBuffer(outputBuffer);
request.setResponse(response);
- ssl = "on".equalsIgnoreCase(endpoint.getSSLEngine());
+ ssl = endpoint.isSSLEnabled();
initializeFilters();
public String getCiphers() { return ep.getCiphers();}
public void setCiphers(String s) { ep.setCiphers(s);}
- public String getSSLEngine() { return ep.getSSLEngine(); }
- public void setSSLEngine(String SSLEngine) { ep.setSSLEngine(SSLEngine); }
+ public boolean getSSLEnabled() { return ep.isSSLEnabled(); }
+ public void setSSLEnabled(boolean SSLEnabled) { ep.setSSLEnabled(SSLEnabled); }
// Verify the validity of the configured socket factory
try {
- if ("on".equalsIgnoreCase(getSSLEngine())) {
+ if (isSSLEnabled()) {
sslImplementation =
SSLImplementation.getInstance(sslImplementationName);
socketFactory = sslImplementation.getServerSocketFactory();
public boolean getSecure() { return secure; }
public void setSecure(boolean b) { secure = b; }
- protected String SSLEngine = "off";
- public String getSSLEngine() { return SSLEngine;}
- public void setSSLEngine(String SSLEngine) {this.SSLEngine = SSLEngine;}
+ protected boolean SSLEnabled = false;
+ public boolean isSSLEnabled() { return SSLEnabled;}
+ public void setSSLEnabled(boolean SSLEnabled) {this.SSLEnabled = SSLEnabled;}
/**
* Name of the socket factory.
/**
* SSL engine.
*/
- protected String SSLEngine = "off";
- public String getSSLEngine() { return SSLEngine; }
- public void setSSLEngine(String SSLEngine) { this.SSLEngine = SSLEngine; }
+ protected boolean SSLEnabled = false;
+ public boolean isSSLEnabled() { return SSLEnabled; }
+ public void setSSLEnabled(boolean SSLEnabled) { this.SSLEnabled = SSLEnabled; }
/**
Socket.optSet(serverSock, Socket.APR_TCP_DEFER_ACCEPT, 1);
// Initialize SSL if needed
- if (!"off".equalsIgnoreCase(SSLEngine)) {
- // Initialize SSL
- // FIXME: one per VM call ?
- if ("on".equalsIgnoreCase(SSLEngine)) {
- SSL.initialize(null);
- } else {
- SSL.initialize(SSLEngine);
- }
+ if (SSLEnabled) {
+
// SSL protocol
int value = SSL.SSL_PROTOCOL_ALL;
if ("SSLv2".equalsIgnoreCase(SSLProtocol)) {
/**
* SSL engine.
*/
- protected String SSLEngine = "off";
- public String getSSLEngine() { return SSLEngine;}
- public void setSSLEngine(String SSLEngine) {this.SSLEngine = SSLEngine;}
+ protected boolean SSLEnabled = false;
+ public boolean isSSLEnabled() { return SSLEnabled;}
+ public void setSSLEnabled(boolean SSLEnabled) {this.SSLEnabled = SSLEnabled;}
protected boolean secure = false;
public boolean getSecure() { return secure;}
}
// Initialize SSL if needed
- if ("on".equalsIgnoreCase(getSSLEngine())) {
+ if (isSSLEnabled()) {
// Initialize SSL
char[] passphrase = getKeystorePass().toCharArray();
</section>
+ <section name="APR Lifecycle Listener Configuration">
+ <subsection name="AprLifecycleListener">
+ <attribute name="SSLEngine" required="false">
+ <p>
+ Name of the SSLEngine to use. off: Do not use SSL, on: Use SSL but no specific ENGINE.
+ The default value is on.
+ This initializes the native SSL engine, then enable the use of this engine in the connector
+ using the <code>SSLEnabled</code> attribute. Example:
+ <source>
+<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ </source>
+ </p>
+ </attribute>
+ </subsection>
+ </section>
+
<section name="APR Connectors Configuration">
<subsection name="HTTP">
<attributes>
- <attribute name="SSLEngine" required="false">
+ <attribute name="SSLEnabled" required="false">
<p>
- Name of the SSLEngine to use. off: Do not use SSL, on: Use SSL but no specific ENGINE.
- The default value is off.
+ Enable SSL on the socket, default value is false. Set this value to true
+ to enable SSL handshake/encryption/decryption in the APR connector.
</p>
</attribute>
<attribute name="SSLProtocol" required="false">
<subsection name="Catalina">
<changelog>
<add>
+ SSLEngine attribute added to the AprLifecycleListener(fhanik)
+ </add>
+ <add>
Add API for Comet IO handling (remm, fhanik)
</add>
<add>
<subsection name="Coyote">
<changelog>
<add>
- SSLEngine attribute required for SSL to be turned on, on all HTTP connectors(fhanik)
+ SSLEnabled attribute required for SSL to be turned on, on all HTTP connectors(fhanik)
</add>
</changelog>
</subsection>
number specified here.</p>
</attribute>
- <attribute name="SSLEngine" required="false">
+ <attribute name="SSLEnabled" required="false">
<p>
Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
- set this value to <code>on</code>.
- The default value is <code>off</code>.
- When turning this value <code>on</code> you will want to set the
+ set this value to <code>true</code>.
+ The default value is <code>false</code>.
+ When turning this value <code>true</code> you will want to set the
<code>scheme</code> and the <code>secure</code> attributes as well
to pass the correct <code>request.getScheme()</code> and
<code>request.isSecure()</code> values to the servlets
</subsection>
<subsection name="Edit the Tomcat Configuration File">
+<p>If you are using APR, you have the option of configuring an alternative engine to openSSL.
+<source>
+<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="someengine" />
+</source>
+The default value is
+<source>
+<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+</source>
+So to use SSL under APR, make sure the SSLEngine attribute is set to something other than <code>off</code>.
+The default value is <code>on</code> and if you specify another value, it has to be a valid engine name.
+<br/>
+If you haven't compiled in SSL support into your Tomcat Native library, then you can turn this initialization off
+<source>
+<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
+</source>
+
+</p>
<p>The final step is to configure your secure socket in the
<code>$CATALINA_HOME/conf/server.xml</code> file, where
port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
- scheme="https" secure="true" SSLEngine="on"
+ scheme="https" secure="true" SSLEnabled="true"
+ keystoreFile="${user.home}/.keystore" keystorePass="changeit"
+ clientAuth="false" sslProtocol="TLS"/>
+-->
+</source>
+<p>
+ The example above will throw an error if you have the APR and the Tomcat Native libraries in your path,
+ as tomcat will try to autoload the APR connector. The APR connector uses different attributes for
+ SSL keys and certificates. An example of such configuration would be
+<source>
+<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
+<!--
+<Connector
+ port="8443" minSpareThreads="5" maxSpareThreads="75"
+ enableLookups="true" disableUploadTimeout="true"
+ acceptCount="100" maxThreads="200"
+ scheme="https" secure="true" SSLEnabled="true"
+ SSLCertificateFile="/usr/local/ssl/server.crt"
+ SSLCertificateKeyFile="/usr/local/ssl/server.pem"
+ clientAuth="false" sslProtocol="TLS"/>
+-->
+</source>
+</p>
+
+<p>
+ To avoid auto configuration you can define which connector to use by specifying a classname
+ in the protocol attribute.<br/>
+ To define a Java connector, regardless if the APR library is loaded or not do:
+<source>
+<-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
+<!--
+<Connector protocol="org.apache.coyote.http11.Http11Protocol"
+ port="8443" minSpareThreads="5" maxSpareThreads="75"
+ enableLookups="true" disableUploadTimeout="true"
+ acceptCount="100" maxThreads="200"
+ scheme="https" secure="true" SSLEnabled="true"
+ keystoreFile="${user.home}/.keystore" keystorePass="changeit"
+ clientAuth="false" sslProtocol="TLS"/>
+-->
+<-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
+<!--
+<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
+ port="8443" minSpareThreads="5" maxSpareThreads="75"
+ enableLookups="true" disableUploadTimeout="true"
+ acceptCount="100" maxThreads="200"
+ scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
-->
</source>
+and to specify an APR connector
+<source>
+<-- Define a APR SSL Coyote HTTP/1.1 Connector on port 8443 -->
+<!--
+<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
+ port="8443" minSpareThreads="5" maxSpareThreads="75"
+ enableLookups="true" disableUploadTimeout="true"
+ acceptCount="100" maxThreads="200"
+ scheme="https" secure="true" SSLEnabled="true"
+ SSLCertificateFile="/usr/local/ssl/server.crt"
+ SSLCertificateKeyFile="/usr/local/ssl/server.pem"
+ clientAuth="false" sslProtocol="TLS"/>
+-->
+</source>
+
+</p>
<p>You will note that the Connector element itself is commented out by default,
so you will need to remove the comment tags around it. Then, you can
to request a client Certificate, but not fail if one isn't presented.
</td>
</tr>
- <tr><td><code>SSLEngine</code></td>
+ <tr><td><code>SSLEnabled</code></td>
<td>
Use this attribute to enable SSL traffic on a connector.
To turn on SSL handshake/encryption/decryption on a connector
- set this value to <code>on</code>.
- The default value is <code>off</code>.
- When turning this value <code>on</code> you will want to set the
+ set this value to <code>true</code>.
+ The default value is <code>false</code>.
+ When turning this value <code>true</code> you will want to set the
<code>scheme</code> and the <code>secure</code> attributes as well
to pass the correct <code>request.getScheme()</code> and
<code>request.isSecure()</code> values to the servlets
projects / tomcat7.0 / commitdiff