From 0638c4abdf1df05964e7ff96c871c2a28796eb91 Mon Sep 17 00:00:00 2001
From: markt
Date: Thu, 4 Dec 2008 19:31:34 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44285
Provide support for configuring the JSSE SSL session cache size and timeout
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@723404 13f79535-47bb-0310-9956-ffa450edef68
---
java/org/apache/tomcat/util/net/NioEndpoint.java | 19 ++++++++++++---
.../tomcat/util/net/jsse/JSSESocketFactory.java | 26 ++++++++++++++++++++
webapps/docs/config/http.xml | 28 +++++++++++++---------
3 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index 92e24b55c..7595f6f23 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -50,6 +50,7 @@ import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
@@ -604,7 +605,6 @@ public class NioEndpoint {
public void setKeystoreType(String s ) { this.keystoreType = s;}
protected String sslProtocol = "TLS";
-
public String getSslProtocol() { return sslProtocol;}
public void setSslProtocol(String s) { sslProtocol = s;}
@@ -617,7 +617,6 @@ public class NioEndpoint {
for (int i=0; i0) reclaimParachute(true);
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index 42a9c9104..698751c8b 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -49,6 +49,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -88,6 +89,9 @@ public class JSSESocketFactory
private static final String defaultKeystoreFile
= System.getProperty("user.home") + "/.keystore";
private static final String defaultKeyPass = "changeit";
+ private static final int defaultSessionCacheSize = 0;
+ private static final int defaultSessionTimeout = 86400;
+
static org.apache.juli.logging.Log log =
org.apache.juli.logging.LogFactory.getLog(JSSESocketFactory.class);
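Review bot: The new `defaultSessionCacheSize` and `defaultSessionTimeout` constants carry no comment, and the value 0 for the cache size means "unlimited" (as the http.xml hunk in this same patch states) rather than "no cache", which the name alone does not convey. Suggest `// 0 = unlimited cache; entries then live until defaultSessionTimeout (seconds) elapses` on the first constant and `// seconds; 24 hours` on the second. With these defaults the server-side session store is bounded only by the 24-hour timeout, so memory growth under sustained new-handshake load is an operator concern worth a sentence in the http.xml text as well.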
@@ -419,6 +423,28 @@ public class JSSESocketFactory
trustAlgorithm),
new SecureRandom());
+ // Configure SSL session cache
+ int sessionCacheSize;
+ if (attributes.get("sessionCacheSize") != null) {
+ sessionCacheSize = Integer.parseInt(
+ (String)attributes.get("sessionCacheSize"));
+ } else {
+ sessionCacheSize = defaultSessionCacheSize;
+ }
+ int sessionCacheTimeout;
+ if (attributes.get("sessionCacheTimeout") != null) {
+ sessionCacheTimeout = Integer.parseInt(
+ (String)attributes.get("sessionCacheTimeout"));
+ } else {
+ sessionCacheTimeout = defaultSessionTimeout;
+ }
+ SSLSessionContext sessionContext =
+ context.getServerSessionContext();
+ if (sessionContext != null) {
+ sessionContext.setSessionCacheSize(sessionCacheSize);
+ sessionContext.setSessionTimeout(sessionCacheTimeout);
+ }
+
// create proxy
sslProxy = context.getServerSocketFactory();
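Review bot: A malformed or negative `sessionCacheSize`/`sessionCacheTimeout` value reaches `Integer.parseInt` and then `setSessionCacheSize`/`setSessionTimeout` unguarded on the lines after `// Configure SSL session cache`, so a configuration typo surfaces as a bare NumberFormatException (or, for negatives, an IllegalArgumentException from the JSSE setter) that does not name the offending attribute. The two if/else blocks are also the same code twice. A small helper that parses, range-checks and reports the attribute name removes the duplication; sketch below, which assumes `attributes` is the same map the hunk reads and that the helper lives in this class. The enclosing method begins and ends outside this hunk.
```java
        // … unchanged: context.init(..., new SecureRandom()) …

        // Configure SSL session cache; 0 means unlimited for both values
        SSLSessionContext sessionContext = context.getServerSessionContext();
        if (sessionContext != null) {
            sessionContext.setSessionCacheSize(
                    getIntAttribute("sessionCacheSize", defaultSessionCacheSize));
            sessionContext.setSessionTimeout(
                    getIntAttribute("sessionCacheTimeout", defaultSessionTimeout));
        }

        // … unchanged: create proxy …

    /**
     * Reads a non-negative integer attribute, falling back to defaultValue
     * when the attribute is absent.
     *
     * @param name         attribute key as used in the connector configuration
     * @param defaultValue value used when the attribute is not set
     * @return the parsed value or defaultValue
     * @throws IllegalArgumentException if the value is present but is not a
     *         non-negative integer; the message names the attribute
     */
    private int getIntAttribute(String name, int defaultValue) {
        Object value = attributes.get(name);
        if (value == null) {
            return defaultValue;
        }
        try {
            int parsed = Integer.parseInt((String) value);
            if (parsed < 0) {
                throw new IllegalArgumentException(
                        "Attribute " + name + " must be >= 0, was " + parsed);
            }
            return parsed;
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(
                    "Attribute " + name + " is not an integer: " + value, e);
        }
    }
```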
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 981d93fe1..eab1c60c9 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -103,20 +103,14 @@
the container during FORM or CLIENT-CERT authentication. For both types
of authentication, the POST will be saved/buffered before the user is
authenticated. For CLIENT-CERT authentication, the POST is buffered for
- the duration of
- the SSL handshake and the buffer emptied when the request
- is processed. For FORM authentication the POST is
- saved whilst the user
+ the duration of the SSL handshake and the buffer emptied when the request
+ is processed. For FORM authentication the POST is saved whilst the user
is re-directed to the login form and is retained until the user
successfully authenticates or the session associated with the
authentication request expires. The limit can be disabled by setting this
- attribute to -1. Setting the attribute to
- zero will disable the saving of
- POST data during authentication
-. If not
- specified, this attribute is set
- to
- 4096 (4 kilobytes).
+ attribute to -1. Setting the attribute to zero will disable the saving of
+ POST data during authentication. If not specified, this attribute is set
+ to 4096 (4 kilobytes).
@@ -748,6 +742,18 @@
+
+ The number of SSL sessions to maintain in the session cache. Use 0 to
+ specify an unlimited cache size. If not specified, a default of 0 is
+ used.
+
+
+
+ The time, in seconds, after the creation of an SSL session that it will
+ timeout. Use 0 to specify an unlimited timeout. If not specified, a
+ default of 86400 (24 hours) is used.
+
+
For more information, see the
--
2.11.0