From f712dda438f5b1d5f53bf5989a1bd90c4e77cee9 Mon Sep 17 00:00:00 2001
From: markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Date: Thu, 19 Nov 2009 18:00:09 +0000
Subject: [PATCH] Fix SSL for BIO post refactoring Make attribute names
 consistent Endpoints are now responsible for configuring the SSL "engine"
 Basics work but still needs more testing NIO & APR to follow

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@882231 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/connector/Connector.java  |   4 -
 .../coyote/http11/AbstractHttp11Protocol.java      |  77 +++++----
 .../apache/tomcat/util/net/AbstractEndpoint.java   | 172 +++++++++++++++------
 java/org/apache/tomcat/util/net/JIoEndpoint.java   |  69 +++++++--
 java/org/apache/tomcat/util/net/NioEndpoint.java   |  10 +-
 .../tomcat/util/net/jsse/JSSESocketFactory.java    |  79 ++++++----
 webapps/docs/config/http.xml                       |  34 +++-
 7 files changed, 313 insertions(+), 132 deletions(-)

diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java
index 54bebe931..6253e766b 100644
--- a/java/org/apache/catalina/connector/Connector.java
+++ b/java/org/apache/catalina/connector/Connector.java
@@ -284,12 +284,8 @@ public class Connector
          replacements.put("connectionLinger", "soLinger");
          replacements.put("connectionTimeout", "soTimeout");
          replacements.put("connectionUploadTimeout", "timeout");
-         replacements.put("clientAuth", "clientauth");
-         replacements.put("keystoreFile", "keystore");
          replacements.put("randomFile", "randomfile");
          replacements.put("rootFile", "rootfile");
-         replacements.put("keystorePass", "keypass");
-         replacements.put("keystoreType", "keytype");
          replacements.put("sslProtocols", "protocols");
      }
 
diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
index e9944cb31..5a435efc7 100644
--- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
+++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -325,49 +325,68 @@ public abstract class AbstractHttp11Protocol implements ProtocolHandler, MBeanRe
     public int getSoLinger() { return endpoint.getSoLinger(); }
     public void setSoLinger(int soLinger) { endpoint.setSoLinger(soLinger); }
 
+    // JSSE SSL attrbutes
+    public String getAlgorithm() { return endpoint.getAlgorithm();}
+    public void setAlgorithm(String s ) { endpoint.setAlgorithm(s);}
     
+    public String getClientAuth() { return endpoint.getClientAuth();}
+    public void setClientAuth(String s ) { endpoint.setClientAuth(s);}
+
     public String getKeystoreFile() { return endpoint.getKeystoreFile();}
     public void setKeystoreFile(String s ) { endpoint.setKeystoreFile(s);}
-    public void setKeystore(String s) { setKeystoreFile(s);}
-    public String getKeystore(){ return getKeystoreFile();}
-    public String getKeyAlias() { return (endpoint).getKeyAlias();}
-    public void setKeyAlias(String s ) { (endpoint).setKeyAlias(s);}
 
+    public String getKeystorePass() { return endpoint.getKeystorePass();}
+    public void setKeystorePass(String s ) { endpoint.setKeystorePass(s);}
     
-    public String getAlgorithm() { return (endpoint).getAlgorithm();}
-    public void setAlgorithm(String s ) { (endpoint).setAlgorithm(s);}
-    
-    public void setClientauth(String s) {setClientAuth(s);}
-    public String getClientauth(){ return getClientAuth();}
-    public String getClientAuth() { return (endpoint).getClientAuth();}
-    public void setClientAuth(String s ) { (endpoint).setClientAuth(s);}
+    public String getKeystoreType() { return endpoint.getKeystoreType();}
+    public void setKeystoreType(String s ) { endpoint.setKeystoreType(s);}
+
+    public String getKeystoreProvider() { return endpoint.getKeystoreProvider();}
+    public void setKeystoreProvider(String s ) { endpoint.setKeystoreProvider(s);}
+
+    public String getSslProtocol() { return endpoint.getSslProtocol();}
+    public void setSslProtocol(String s) { endpoint.setSslProtocol(s);}
     
-    public String getKeystorePass() { return (endpoint).getKeystorePass();}
-    public void setKeystorePass(String s ) { (endpoint).setKeystorePass(s);}
-    public void setKeypass(String s) { setKeystorePass(s);}
-    public String getKeypass() { return getKeystorePass();}
-    public String getKeystoreType() { return (endpoint).getKeystoreType();}
-    public void setKeystoreType(String s ) { (endpoint).setKeystoreType(s);}
-    public String getKeytype() { return getKeystoreType();}
-    public void setKeytype(String s ) { setKeystoreType(s);}
+    public String getCiphers() { return endpoint.getCiphers();}
+    public void setCiphers(String s) { endpoint.setCiphers(s);}
+
+    public String getKeyAlias() { return endpoint.getKeyAlias();}
+    public void setKeyAlias(String s ) { endpoint.setKeyAlias(s);}
 
-    public void setTruststoreFile(String f){(endpoint).setTruststoreFile(f);}
-    public String getTruststoreFile(){return (endpoint).getTruststoreFile();}
-    public void setTruststorePass(String p){(endpoint).setTruststorePass(p);}
-    public String getTruststorePass(){return (endpoint).getTruststorePass();}
-    public void setTruststoreType(String t){(endpoint).setTruststoreType(t);}
-    public String getTruststoreType(){ return (endpoint).getTruststoreType();}
+    public String getKeyPass() { return endpoint.getKeyPass();}
+    public void setKeyPass(String s ) { endpoint.setKeyPass(s);}
     
+    public void setTruststoreFile(String f){ endpoint.setTruststoreFile(f);}
+    public String getTruststoreFile(){ return endpoint.getTruststoreFile();}
+
+    public void setTruststorePass(String p){ endpoint.setTruststorePass(p);}
+    public String getTruststorePass(){return endpoint.getTruststorePass();}
+
+    public void setTruststoreType(String t){ endpoint.setTruststoreType(t);}
+    public String getTruststoreType(){ return endpoint.getTruststoreType();}
+
+    public void setTruststoreProvider(String t){endpoint.setTruststoreProvider(t);}
+    public String getTruststoreProvider(){ return endpoint.getTruststoreProvider();}
+
+    public void setTruststoreAlgorithm(String a){endpoint.setTruststoreAlgorithm(a);}
+    public String getTruststoreAlgorithm(){ return endpoint.getTruststoreAlgorithm();}
     
-    public String getSslProtocol() { return (endpoint).getSslProtocol();}
-    public void setSslProtocol(String s) { (endpoint).setSslProtocol(s);}
+    public void setTrustMaxCertLength(String s){endpoint.setTrustMaxCertLength(s);}
+    public String getTrustMaxCertLength(){ return endpoint.getTrustMaxCertLength();}
     
-    public String getCiphers() { return (endpoint).getCiphers();}
-    public void setCiphers(String s) { (endpoint).setCiphers(s);}
+    public void setCrlFile(String s){endpoint.setCrlFile(s);}
+    public String getCrlFile(){ return endpoint.getCrlFile();}
     
+    public void setSessionCacheSize(String s){endpoint.setSessionCacheSize(s);}
+    public String getSessionCacheSize(){ return endpoint.getTruststoreAlgorithm();}
 
+    public void setSessionTimeout(String s){endpoint.setTruststoreAlgorithm(s);}
+    public String getSessionTimeout(){ return endpoint.getTruststoreAlgorithm();}
+    
+    
     public abstract void init() throws Exception;
     public abstract void start() throws Exception;
+    
     // -------------------- JMX related methods --------------------
 
     // *
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index 6b3ddf797..8afcb806a 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -77,7 +77,40 @@ public abstract class AbstractEndpoint {
         public enum SocketState {
             OPEN, CLOSED, LONG
         }
-    }    
+    }
+    
+    // Standard SSL Configuration attributes
+    // JSSE
+    // Standard configuration attribute names
+    public static final String SSL_ATTR_ALGORITHM = "algorithm";
+    public static final String SSL_ATTR_CLIENT_AUTH = "clientAuth";
+    public static final String SSL_ATTR_KEYSTORE_FILE = "keystoreFile";
+    public static final String SSL_ATTR_KEYSTORE_PASS = "keystorePass";
+    public static final String SSL_ATTR_KEYSTORE_TYPE = "keystoreType";
+    public static final String SSL_ATTR_KEYSTORE_PROVIDER = "keystoreProvider";
+    public static final String SSL_ATTR_SSL_PROTOCOL = "sslProtocol";
+    public static final String SSL_ATTR_CIPHERS = "ciphers";
+    public static final String SSL_ATTR_CIPHERS_ARRAY = "ciphersArray";
+    public static final String SSL_ATTR_KEY_ALIAS = "keyAlias";
+    public static final String SSL_ATTR_KEY_PASS = "keyPass";
+    public static final String SSL_ATTR_TRUSTSTORE_FILE = "truststoreFile";
+    public static final String SSL_ATTR_TRUSTSTORE_PASS = "truststorePass";
+    public static final String SSL_ATTR_TRUSTSTORE_TYPE = "truststoreType";
+    public static final String SSL_ATTR_TRUSTSTORE_PROVIDER =
+        "truststoreProvider";
+    public static final String SSL_ATTR_TRUSTSTORE_ALGORITHM =
+        "truststoreAlgorithm";
+    public static final String SSL_ATTR_CRL_FILE =
+        "crlFile";
+    public static final String SSL_ATTR_TRUST_MAX_CERT_LENGTH =
+        "trustMaxCertLength";
+    public static final String SSL_ATTR_SESSION_CACHE_SIZE =
+        "sessionCacheSize";
+    public static final String SSL_ATTR_SESSION_TIMEOUT =
+        "sessionTimeout";
+    public static final String SSL_ATTR_ALLOW_UNSAFE_RENEG =
+        "allowUnsafeLegacyRenegotiation";
+
     // ----------------------------------------------------------------- Fields
 
 
@@ -414,36 +447,11 @@ public abstract class AbstractEndpoint {
     
     public String defaultIfNull(String val, String defaultValue) {
         if (val==null) return defaultValue;
-        else return val;
+        return val;
     }
+    
     // --------------------  SSL related properties --------------------
-    private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
-    public void setTruststoreFile(String s) {
-        s = adjustRelativePath(s,System.getProperty("catalina.base"));
-        this.truststoreFile = s;
-    }
-    public String getTruststoreFile() {return truststoreFile;}
-    private String truststorePass = System.getProperty("javax.net.ssl.trustStorePassword");
-    public void setTruststorePass(String truststorePass) {this.truststorePass = truststorePass;}
-    public String getTruststorePass() {return truststorePass;}
-    private String truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
-    public void setTruststoreType(String truststoreType) {this.truststoreType = truststoreType;}
-    public String getTruststoreType() {return truststoreType;}
 
-    private String keystoreFile = System.getProperty("user.home")+"/.keystore";
-    public String getKeystoreFile() { return keystoreFile;}
-    public void setKeystoreFile(String s ) { 
-        s = adjustRelativePath(s,System.getProperty("catalina.base"));
-        this.keystoreFile = s; 
-    }
-    public void setKeystore(String s ) { setKeystoreFile(s);}
-    public String getKeystore() { return getKeystoreFile();}
-
-    private String keyAlias = null;
-    public String getKeyAlias() { return keyAlias;}
-    public void setKeyAlias(String s ) { keyAlias = s;}
-    
-    
     private String algorithm = "SunX509";
     public String getAlgorithm() { return algorithm;}
     public void setAlgorithm(String s ) { this.algorithm = s;}
@@ -452,7 +460,14 @@ public abstract class AbstractEndpoint {
     public String getClientAuth() { return clientAuth;}
     public void setClientAuth(String s ) { this.clientAuth = s;}
     
-    private String keystorePass = "changeit";
+    private String keystoreFile = System.getProperty("user.home")+"/.keystore";
+    public String getKeystoreFile() { return keystoreFile;}
+    public void setKeystoreFile(String s ) { 
+        String file = adjustRelativePath(s,System.getProperty("catalina.base"));
+        this.keystoreFile = file; 
+    }
+
+    private String keystorePass = null;
     public String getKeystorePass() { return keystorePass;}
     public void setKeystorePass(String s ) { this.keystorePass = s;}
     
@@ -460,20 +475,16 @@ public abstract class AbstractEndpoint {
     public String getKeystoreType() { return keystoreType;}
     public void setKeystoreType(String s ) { this.keystoreType = s;}
 
+    private String keystoreProvider = null;
+    public String getKeystoreProvider() { return keystoreProvider;}
+    public void setKeystoreProvider(String s ) { this.keystoreProvider = s;}
+
     private String sslProtocol = "TLS"; 
     public String getSslProtocol() { return sslProtocol;}
     public void setSslProtocol(String s) { sslProtocol = s;}
     
-    private String sslEnabledProtocols=null; //"TLSv1,SSLv3,SSLv2Hello"
-    private String[] sslEnabledProtocolsarr =  new String[0];
-    public String[] getSslEnabledProtocolsArray() { return this.sslEnabledProtocolsarr;}
-    public void setSslEnabledProtocols(String s) {
-        this.sslEnabledProtocols = s;
-        StringTokenizer t = new StringTokenizer(s,",");
-        sslEnabledProtocolsarr = new String[t.countTokens()];
-        for (int i=0; i<sslEnabledProtocolsarr.length; i++ ) sslEnabledProtocolsarr[i] = t.nextToken();
-    }
-    
+    // Note: Some implementations use the comma separated string, some use
+    // the array
     private String ciphers = null;
     private String[] ciphersarr = new String[0];
     public String[] getCiphersArray() { return this.ciphersarr;}
@@ -488,15 +499,86 @@ public abstract class AbstractEndpoint {
         }
     }
 
-    private int sessionCacheSize = 0;
-    public int getSessionCacheSize() { return sessionCacheSize;}
-    public void setSessionCacheSize(int i) { sessionCacheSize = i;}
+    private String keyAlias = null;
+    public String getKeyAlias() { return keyAlias;}
+    public void setKeyAlias(String s ) { keyAlias = s;}
+    
+    private String keyPass = "changeit";
+    public String getKeyPass() { return keyPass;}
+    public void setKeyPass(String s ) { this.keyPass = s;}
+
+    private String truststoreFile = System.getProperty("javax.net.ssl.trustStore");
+    public String getTruststoreFile() {return truststoreFile;}
+    public void setTruststoreFile(String s) {
+        String file = adjustRelativePath(s,System.getProperty("catalina.base"));
+        this.truststoreFile = file;
+    }
+
+    private String truststorePass =
+        System.getProperty("javax.net.ssl.trustStorePassword");
+    public String getTruststorePass() {return truststorePass;}
+    public void setTruststorePass(String truststorePass) {
+        this.truststorePass = truststorePass;
+    }
+    
+    private String truststoreType =
+        System.getProperty("javax.net.ssl.trustStoreType");
+    public String getTruststoreType() {return truststoreType;}
+    public void setTruststoreType(String truststoreType) {
+        this.truststoreType = truststoreType;
+    }
+
+    private String truststoreProvider = null;
+    public String getTruststoreProvider() {return truststoreProvider;}
+    public void setTruststoreProvider(String truststoreProvider) {
+        this.truststoreProvider = truststoreProvider;
+    }
+
+    private String truststoreAlgorithm = null;
+    public String getTruststoreAlgorithm() {return truststoreAlgorithm;}
+    public void setTruststoreAlgorithm(String truststoreAlgorithm) {
+        this.truststoreAlgorithm = truststoreAlgorithm;
+    }
+
+    private String crlFile = null;
+    public String getCrlFile() {return crlFile;}
+    public void setCrlFile(String crlFile) {
+        this.crlFile = crlFile;
+    }
+
+    private String trustMaxCertLength = null;
+    public String getTrustMaxCertLength() {return trustMaxCertLength;}
+    public void setTrustMaxCertLength(String trustMaxCertLength) {
+        this.trustMaxCertLength = trustMaxCertLength;
+    }
 
-    private int sessionCacheTimeout = 86400;
-    public int getSessionCacheTimeout() { return sessionCacheTimeout;}
-    public void setSessionCacheTimeout(int i) { sessionCacheTimeout = i;}
+    private String sessionCacheSize = null;
+    public String getSessionCacheSize() { return sessionCacheSize;}
+    public void setSessionCacheSize(String s) { sessionCacheSize = s;}
 
+    private String sessionCacheTimeout = "86400";
+    public String getSessionCacheTimeout() { return sessionCacheTimeout;}
+    public void setSessionCacheTimeout(String s) { sessionCacheTimeout = s;}
 
+    private String allowUnsafeLegacyRenegotiation = null;
+    public String getAllowUnsafeLegacyRenegotiation() {
+        return allowUnsafeLegacyRenegotiation;
+    }
+    public void setAllowUnsafeLegacyRenegotiation(String s) {
+        allowUnsafeLegacyRenegotiation = s;
+    }
+
+    
     
+    private String sslEnabledProtocols=null; //"TLSv1,SSLv3,SSLv2Hello"
+    private String[] sslEnabledProtocolsarr =  new String[0];
+    public String[] getSslEnabledProtocolsArray() { return this.sslEnabledProtocolsarr;}
+    public void setSslEnabledProtocols(String s) {
+        this.sslEnabledProtocols = s;
+        StringTokenizer t = new StringTokenizer(s,",");
+        sslEnabledProtocolsarr = new String[t.countTokens()];
+        for (int i=0; i<sslEnabledProtocolsarr.length; i++ ) sslEnabledProtocolsarr[i] = t.nextToken();
+    }
+        
 }
 
diff --git a/java/org/apache/tomcat/util/net/JIoEndpoint.java b/java/org/apache/tomcat/util/net/JIoEndpoint.java
index 1008c01bb..674b9c9c4 100644
--- a/java/org/apache/tomcat/util/net/JIoEndpoint.java
+++ b/java/org/apache/tomcat/util/net/JIoEndpoint.java
@@ -62,7 +62,7 @@ public class JIoEndpoint extends AbstractEndpoint {
     // ------------------------------------------------------------- Properties
 
     /**
-     * Generic properties - currently only socket.XXX properties
+     * Generic properties - currently only socket.xxx properties
      */
     @Override
     public boolean setProperty(String name, String value) {
@@ -70,10 +70,9 @@ public class JIoEndpoint extends AbstractEndpoint {
         try {
             if (name.startsWith(socketName)) {
                 return IntrospectionUtils.setProperty(socketProperties, name.substring(socketName.length()), value);
-            } else {
-                return IntrospectionUtils.setProperty(this,name,value);
             }
-        }catch ( Exception x ) {
+            return IntrospectionUtils.setProperty(this,name,value);
+        } catch ( Exception x ) {
             log.error("Unable to set attribute \""+name+"\" to \""+value+"\"",x);
             return false;
         }
@@ -85,16 +84,6 @@ public class JIoEndpoint extends AbstractEndpoint {
     protected int acceptorThreadCount = 0;
     public void setAcceptorThreadCount(int acceptorThreadCount) { this.acceptorThreadCount = acceptorThreadCount; }
     public int getAcceptorThreadCount() { return acceptorThreadCount; }
-
-    /**
-     * Priority of the acceptor and poller threads.
-     */
-    protected int threadPriority = Thread.NORM_PRIORITY;
-    @Override
-    public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; }
-    @Override
-    public int getThreadPriority() { return threadPriority; }
-
     
     /**
      * Handling of accepted sockets.
@@ -211,6 +200,7 @@ public class JIoEndpoint extends AbstractEndpoint {
                 try {
                     socket.getSocket().close();
                 } catch (IOException e) {
+                    // Ignore
                 }
             } else {
                 //keepalive connection
@@ -226,6 +216,7 @@ public class JIoEndpoint extends AbstractEndpoint {
 
     // -------------------- Public methods --------------------
 
+    @Override
     public void init()
         throws Exception {
 
@@ -239,6 +230,49 @@ public class JIoEndpoint extends AbstractEndpoint {
         if (serverSocketFactory == null) {
             serverSocketFactory = ServerSocketFactory.getDefault();
         }
+        if (isSSLEnabled()) {
+            serverSocketFactory.setAttribute(SSL_ATTR_ALGORITHM,
+                    getAlgorithm());
+            serverSocketFactory.setAttribute(SSL_ATTR_CLIENT_AUTH,
+                    getClientAuth());
+            serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_FILE,
+                    getKeystoreFile());
+            serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_PASS,
+                    getKeystorePass());
+            serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_TYPE,
+                    getKeystoreType());
+            serverSocketFactory.setAttribute(SSL_ATTR_KEYSTORE_PROVIDER,
+                    getKeystoreProvider());
+            serverSocketFactory.setAttribute(SSL_ATTR_SSL_PROTOCOL,
+                    getSslProtocol());
+            serverSocketFactory.setAttribute(SSL_ATTR_CIPHERS,
+                    getCiphers());
+            serverSocketFactory.setAttribute(SSL_ATTR_KEY_ALIAS,
+                    getKeyAlias());
+            serverSocketFactory.setAttribute(SSL_ATTR_KEY_PASS,
+                    getKeyPass());
+            serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_FILE,
+                    getTruststoreFile());
+            serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_PASS,
+                    getTruststorePass());
+            serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_TYPE,
+                    getTruststoreType());
+            serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_PROVIDER,
+                    getTruststoreProvider());
+            serverSocketFactory.setAttribute(SSL_ATTR_TRUSTSTORE_ALGORITHM,
+                    getTruststoreAlgorithm());
+            serverSocketFactory.setAttribute(SSL_ATTR_CRL_FILE,
+                    getCrlFile());
+            serverSocketFactory.setAttribute(SSL_ATTR_TRUST_MAX_CERT_LENGTH,
+                    getTrustMaxCertLength());
+            serverSocketFactory.setAttribute(SSL_ATTR_SESSION_CACHE_SIZE,
+                    getSessionCacheSize());
+            serverSocketFactory.setAttribute(SSL_ATTR_SESSION_TIMEOUT,
+                    getSessionCacheTimeout());
+            serverSocketFactory.setAttribute(SSL_ATTR_ALLOW_UNSAFE_RENEG,
+                    getAllowUnsafeLegacyRenegotiation());
+        }
+
         if (serverSocket == null) {
             try {
                 if (getAddress() == null) {
@@ -265,8 +299,8 @@ public class JIoEndpoint extends AbstractEndpoint {
         
     }
     
-    public void start()
-        throws Exception {
+    @Override
+    public void start() throws Exception {
         // Initialize socket if not done before
         if (!initialized) {
             init();
@@ -290,6 +324,7 @@ public class JIoEndpoint extends AbstractEndpoint {
         }
     }
 
+    @Override
     public void pause() {
         if (running && !paused) {
             paused = true;
@@ -297,6 +332,7 @@ public class JIoEndpoint extends AbstractEndpoint {
         }
     }
 
+    @Override
     public void resume() {
         if (running) {
             paused = false;
@@ -314,6 +350,7 @@ public class JIoEndpoint extends AbstractEndpoint {
     /**
      * Deallocate APR memory pools, and close server socket.
      */
+    @Override
     public void destroy() throws Exception {
         if (running) {
             stop();
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java b/java/org/apache/tomcat/util/net/NioEndpoint.java
index 77a0e9713..99885fde3 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -530,8 +530,14 @@ public class NioEndpoint extends AbstractEndpoint {
             SSLSessionContext sessionContext =
                 sslContext.getServerSessionContext();
             if (sessionContext != null) {
-                sessionContext.setSessionCacheSize(getSessionCacheSize());
-                sessionContext.setSessionTimeout(getSessionCacheTimeout());
+                if (getSessionCacheSize() != null) {
+                    sessionContext.setSessionCacheSize(
+                            Integer.parseInt(getSessionCacheSize()));
+                }
+                if (getSessionCacheTimeout() != null) {
+                    sessionContext.setSessionTimeout(
+                            Integer.parseInt(getSessionCacheTimeout()));
+                }
             }
         }
         
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index c4265cf4e..ee2c234af 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -58,6 +58,7 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509KeyManager;
 
+import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.res.StringManager;
 
 /*
@@ -276,11 +277,13 @@ public class JSSESocketFactory
      * Gets the SSL server's keystore password.
      */
     protected String getKeystorePassword() {
-        String keyPass = (String)attributes.get("keypass");
+        String keyPass = (String)attributes.get(
+                AbstractEndpoint.SSL_ATTR_KEY_PASS);
         if (keyPass == null) {
             keyPass = defaultKeyPass;
         }
-        String keystorePass = (String)attributes.get("keystorePass");
+        String keystorePass = (String)attributes.get(
+                AbstractEndpoint.SSL_ATTR_KEYSTORE_PASS);
         if (keystorePass == null) {
             keystorePass = keyPass;
         }
@@ -293,7 +296,8 @@ public class JSSESocketFactory
     protected KeyStore getKeystore(String type, String provider, String pass)
             throws IOException {
 
-        String keystoreFile = (String)attributes.get("keystore");
+        String keystoreFile = (String)attributes.get(
+                AbstractEndpoint.SSL_ATTR_KEYSTORE_FILE);
         if (keystoreFile == null)
             keystoreFile = defaultKeystoreFile;
 
@@ -307,7 +311,8 @@ public class JSSESocketFactory
             String keystoreProvider) throws IOException {
         KeyStore trustStore = null;
 
-        String truststoreFile = (String)attributes.get("truststoreFile");
+        String truststoreFile = (String)attributes.get(
+                AbstractEndpoint.SSL_ATTR_TRUSTSTORE_FILE);
         if(truststoreFile == null) {
             truststoreFile = System.getProperty("javax.net.ssl.trustStore");
         }
@@ -315,7 +320,8 @@ public class JSSESocketFactory
             log.debug("Truststore = " + truststoreFile);
         }
 
-        String truststorePassword = (String)attributes.get("truststorePass");
+        String truststorePassword = (String)attributes.get(
+                AbstractEndpoint.SSL_ATTR_TRUSTSTORE_PASS);
         if( truststorePassword == null) {
             truststorePassword =
                 System.getProperty("javax.net.ssl.trustStorePassword");
@@ -327,7 +333,8 @@ public class JSSESocketFactory
             log.debug("TrustPass = " + truststorePassword);
         }
 
-        String truststoreType = (String)attributes.get("truststoreType");
+        String truststoreType = (String)attributes.get(
+                AbstractEndpoint.SSL_ATTR_TRUSTSTORE_TYPE);
         if( truststoreType == null) {
             truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
         }
@@ -339,7 +346,8 @@ public class JSSESocketFactory
         }
 
         String truststoreProvider =
-            (String)attributes.get("truststoreProvider");
+            (String)attributes.get(
+                    AbstractEndpoint.SSL_ATTR_TRUSTSTORE_PROVIDER);
         if( truststoreProvider == null) {
             truststoreProvider =
                 System.getProperty("javax.net.ssl.trustStoreProvider");
@@ -416,7 +424,8 @@ public class JSSESocketFactory
     void init() throws IOException {
         try {
 
-            String clientAuthStr = (String) attributes.get("clientauth");
+            String clientAuthStr = (String) attributes.get(
+                    AbstractEndpoint.SSL_ATTR_CLIENT_AUTH);
             if("true".equalsIgnoreCase(clientAuthStr) ||
                "yes".equalsIgnoreCase(clientAuthStr)) {
                 requireClientAuth = true;
@@ -425,27 +434,32 @@ public class JSSESocketFactory
             }
 
             // SSL protocol variant (e.g., TLS, SSL v3, etc.)
-            String protocol = (String) attributes.get("protocol");
+            String protocol = (String) attributes.get(
+                    AbstractEndpoint.SSL_ATTR_SSL_PROTOCOL);
             if (protocol == null) {
                 protocol = defaultProtocol;
             }
 
             // Certificate encoding algorithm (e.g., SunX509)
-            String algorithm = (String) attributes.get("algorithm");
+            String algorithm = (String) attributes.get(
+                    AbstractEndpoint.SSL_ATTR_ALGORITHM);
             if (algorithm == null) {
                 algorithm = KeyManagerFactory.getDefaultAlgorithm();
             }
 
-            String keystoreType = (String) attributes.get("keystoreType");
+            String keystoreType = (String) attributes.get(
+                    AbstractEndpoint.SSL_ATTR_KEYSTORE_TYPE);
             if (keystoreType == null) {
                 keystoreType = defaultKeystoreType;
             }
 
             String keystoreProvider =
-                (String) attributes.get("keystoreProvider");
+                (String) attributes.get(
+                        AbstractEndpoint.SSL_ATTR_KEYSTORE_PROVIDER);
 
             String trustAlgorithm =
-                (String)attributes.get("truststoreAlgorithm");
+                (String)attributes.get(
+                        AbstractEndpoint.SSL_ATTR_TRUSTSTORE_ALGORITHM);
             if( trustAlgorithm == null ) {
                 trustAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
             }
@@ -453,24 +467,28 @@ public class JSSESocketFactory
             // Create and init SSLContext
             SSLContext context = SSLContext.getInstance(protocol); 
             context.init(getKeyManagers(keystoreType, keystoreProvider,
-                                 algorithm,
-                                 (String) attributes.get("keyAlias")),
-                         getTrustManagers(keystoreType, keystoreProvider,
-                                 trustAlgorithm),
-                         new SecureRandom());
+                    algorithm,
+                    (String) attributes.get(AbstractEndpoint.SSL_ATTR_KEY_ALIAS)),
+                    getTrustManagers(keystoreType, keystoreProvider,
+                            trustAlgorithm),
+                    new SecureRandom());
 
             // Configure SSL session cache
             int sessionCacheSize;
-            if (attributes.get("sessionCacheSize") != null) {
+            if (attributes.get(
+                    AbstractEndpoint.SSL_ATTR_SESSION_CACHE_SIZE) != null) {
                 sessionCacheSize = Integer.parseInt(
-                        (String)attributes.get("sessionCacheSize"));
+                        (String)attributes.get(
+                                AbstractEndpoint.SSL_ATTR_SESSION_CACHE_SIZE));
             } else {
                 sessionCacheSize = defaultSessionCacheSize;
             }
             int sessionCacheTimeout;
-            if (attributes.get("sessionCacheTimeout") != null) {
+            if (attributes.get(
+                    AbstractEndpoint.SSL_ATTR_SESSION_TIMEOUT) != null) {
                 sessionCacheTimeout = Integer.parseInt(
-                        (String)attributes.get("sessionCacheTimeout"));
+                        (String)attributes.get(
+                                AbstractEndpoint.SSL_ATTR_SESSION_TIMEOUT));
             } else {
                 sessionCacheTimeout = defaultSessionTimeout;
             }
@@ -485,13 +503,14 @@ public class JSSESocketFactory
             sslProxy = context.getServerSocketFactory();
 
             // Determine which cipher suites to enable
-            String requestedCiphers = (String)attributes.get("ciphers");
-            enabledCiphers =
-                getEnabledCiphers(requestedCiphers,
-                        sslProxy.getSupportedCipherSuites());
+            String requestedCiphers = (String)attributes.get(
+                    AbstractEndpoint.SSL_ATTR_CIPHERS);
+            enabledCiphers = getEnabledCiphers(requestedCiphers,
+                    sslProxy.getSupportedCipherSuites());
 
             allowUnsafeLegacyRenegotiation =
-                "true".equals(attributes.get("allowUnsafeLegacyRenegotiation"));
+                "true".equals(attributes.get(
+                        AbstractEndpoint.SSL_ATTR_ALLOW_UNSAFE_RENEG));
             
             // Check the SSL config is OK
             checkConfig();
@@ -545,7 +564,8 @@ public class JSSESocketFactory
     protected TrustManager[] getTrustManagers(String keystoreType,
             String keystoreProvider, String algorithm)
         throws Exception {
-        String crlf = (String) attributes.get("crlFile");
+        String crlf = (String) attributes.get(
+                AbstractEndpoint.SSL_ATTR_CRL_FILE);
         
         TrustManager[] tms = null;
         
@@ -593,7 +613,8 @@ public class JSSESocketFactory
             CertStore store = CertStore.getInstance("Collection", csp);
             xparams.addCertStore(store);
             xparams.setRevocationEnabled(true);
-            String trustLength = (String)attributes.get("trustMaxCertLength");
+            String trustLength = (String)attributes.get(
+                    AbstractEndpoint.SSL_ATTR_TRUST_MAX_CERT_LENGTH);
             if(trustLength != null) {
                 try {
                     xparams.setMaxPathLength(Integer.parseInt(trustLength));
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index e7ed38c37..5038d3fd2 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -714,8 +714,8 @@
     </attribute>
 
     <attribute name="keystorePass" required="false">
-      <p>The password used to access the server certificate from the
-      specified keystore file.  The default value is "<code>changeit</code>".
+      <p>The password used to access the specified keystore file. The default
+      value is the value of the <code>keyPass</code> attribute.
       </p>
     </attribute>
 
@@ -750,6 +750,12 @@
       specified the first key read in the keystore will be used.</p>
     </attribute>
 
+    <attribute name="keyPass" required="false">
+      <p>The password used to access the server certificate from the
+      specified keystore file.  The default value is "<code>changeit</code>".
+      </p>
+    </attribute>
+
     <attribute name="truststoreFile" required="false">
       <p>The TrustStore file to use to validate client certificates.</p>
     </attribute>
@@ -772,6 +778,25 @@
       </p>
     </attribute>
 
+    <attribute name="truststoreAlgorithm" required="false">
+      <p>The algorithm to use for truststore. If not specified, the default
+      value returned by
+      <code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code> is
+      used.</p>
+    </attribute>
+
+    <attribute name="crlFile" required="false">
+      <p>The certificate revocation list to be used to verify client
+      certificates. If not defined, client certificates will not be checked
+      against a certificate revocation list.</p>
+    </attribute>
+
+    <attribute name="trustMaxCertLength" required="false">
+      <p>The maximum number of intermediate certificates that will be allowed
+      when validating client certificates. If not specified, the default value
+      of 5 will be used.</p>
+    </attribute>
+
     <attribute name="sessionCacheSize" required="false">
       <p>The number of SSL sessions to maintain in the session cache. Use 0 to
       specify an unlimited cache size. If not specified, a default of 0 is
@@ -784,11 +809,6 @@
       default of 86400 (24 hours) is used.</p>
     </attribute>
 
-    <attribute name="crlFile" required="false">
-      <p>The certificate revocation list file to use to validate client
-      certificates.</p>
-    </attribute>
-    
     <attribute name="allowUnsafeLegacyRenegotiation" required="false">
       <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
       users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
-- 
2.11.0