Remove class hierarchy complexity (no client mode), and pass the JSSE…

… session options to OpenSSL. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1731247 13f79535-47bb-0310-9956-ffa450edef68
apache · Feb 19, 2016 · 67d040c · 67d040c
1 parent d406edc
commit 67d040c
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 88 deletions.
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -63,7 +63,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 
     private final SSLHostConfig sslHostConfig;
     private final SSLHostConfigCertificate certificate;
-    private OpenSSLServerSessionContext sessionContext;
+    private OpenSSLSessionContext sessionContext;
 
     private final List<String> negotiableProtocols;
 
@@ -373,7 +373,7 @@ public boolean verify(long ssl, byte[][] chain, String auth) {
                 SSLContext.setNpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
             }
 
-            sessionContext = new OpenSSLServerSessionContext(ctx);
+            sessionContext = new OpenSSLSessionContext(ctx);
             sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
             initialized = true;
         } catch (Exception e) {

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLServerSessionContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLServerSessionContext.java
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLSessionContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLSessionContext.java
@@ -22,18 +22,19 @@
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSessionContext;
 
+import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.jni.SSLContext;
 import org.apache.tomcat.util.res.StringManager;
 
 /**
  * OpenSSL specific {@link SSLSessionContext} implementation.
  */
-public abstract class OpenSSLSessionContext implements SSLSessionContext {
+public class OpenSSLSessionContext implements SSLSessionContext {
     private static final StringManager sm = StringManager.getManager(OpenSSLSessionContext.class);
     private static final Enumeration<byte[]> EMPTY = new EmptyEnumeration();
 
     private final OpenSSLSessionStats stats;
-    final long context;
+    private final long context;
 
     OpenSSLSessionContext(long context) {
         this.context = context;
@@ -67,13 +68,18 @@ public void setTicketKeys(byte[] keys) {
      *
      * @param enabled {@code true} to enable caching, {@code false} to disable
      */
-    public abstract void setSessionCacheEnabled(boolean enabled);
+    public void setSessionCacheEnabled(boolean enabled) {
+        long mode = enabled ? SSL.SSL_SESS_CACHE_SERVER : SSL.SSL_SESS_CACHE_OFF;
+        SSLContext.setSessionCacheMode(context, mode);
+    }
 
     /**
      * @return {@code true} if caching of SSL sessions is enabled, {@code false}
      *         otherwise.
      */
-    public abstract boolean isSessionCacheEnabled();
+    public boolean isSessionCacheEnabled() {
+        return SSLContext.getSessionCacheMode(context) == SSL.SSL_SESS_CACHE_SERVER;
+    }
 
     /**
      * @return The statistics for this context.
@@ -82,6 +88,45 @@ public OpenSSLSessionStats stats() {
         return stats;
     }
 
+    @Override
+    public void setSessionTimeout(int seconds) {
+        if (seconds < 0) {
+            throw new IllegalArgumentException();
+        }
+        SSLContext.setSessionCacheTimeout(context, seconds);
+    }
+
+    @Override
+    public int getSessionTimeout() {
+        return (int) SSLContext.getSessionCacheTimeout(context);
+    }
+
+    @Override
+    public void setSessionCacheSize(int size) {
+        if (size < 0) {
+            throw new IllegalArgumentException();
+        }
+        SSLContext.setSessionCacheSize(context, size);
+    }
+
+    @Override
+    public int getSessionCacheSize() {
+        return (int) SSLContext.getSessionCacheSize(context);
+    }
+
+    /**
+     * Set the context within which session be reused (server side only)
+     * See <a href="http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html">
+     *     man SSL_CTX_set_session_id_context</a>
+     *
+     * @param sidCtx can be any kind of binary data, it is therefore possible to use e.g. the name
+     *               of the application and/or the hostname and/or service name
+     * @return {@code true} if success, {@code false} otherwise.
+     */
+    public boolean setSessionIdContext(byte[] sidCtx) {
+        return SSLContext.setSessionIdContext(context, sidCtx);
+    }
+
     private static final class EmptyEnumeration implements Enumeration<byte[]> {
         @Override
         public boolean hasMoreElements() {

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -98,6 +98,8 @@ public TrustManager[] getTrustManagers() throws Exception {
 
     @Override
     public void configureSessionContext(SSLSessionContext sslSessionContext) {
-        // do nothing. configuration is done in the init phase
+        if (jsseUtil != null) {
+            jsseUtil.configureSessionContext(sslSessionContext);
+        }
     }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -110,6 +110,9 @@
       <fix>
         Bad processing of handshake errors in NIO2. (remm)
       </fix>
+      <fix>
+        Use JSSE session configuration options with OpenSSL. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">