diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e655dd6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tomcatjss-7.2.1.tar.gz
diff --git a/.tomcatjss.metadata b/.tomcatjss.metadata
new file mode 100644
index 0000000..f50e322
--- /dev/null
+++ b/.tomcatjss.metadata
@@ -0,0 +1 @@
+45e28de0d84a01b8e8dd4ee72737fa9426ac7109 SOURCES/tomcatjss-7.2.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/tomcatjss-Comply-with-ASF-trademark-rules.patch b/SOURCES/tomcatjss-Comply-with-ASF-trademark-rules.patch
new file mode 100644
index 0000000..f2ed9ba
--- /dev/null
+++ b/SOURCES/tomcatjss-Comply-with-ASF-trademark-rules.patch
@@ -0,0 +1,56 @@ +From 7ace773ac5a46704c131bd1cc788d6db4568e401 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Mon, 12 Jun 2017 16:05:21 -0600 +Subject: [PATCH] Comply with ASF trademark rules + +- tomcatjss Pagure Issue #10 - Comply with ASF trademark rules (mharmsen) +--- + README | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/README b/README +index b8f3860..b3912ba 100644 +--- a/README ++++ b/README +@@ -1,23 +1,29 @@ +-tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to +-Network Security Services(NSS). ++JSS Connector for Apache Tomcat, installed via the tomcatjss package, ++is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that ++uses Java Security Services (JSS), a Java interface to Network Security ++Services (NSS). + +-tomcatjss defines a number of attributes for a Connector including: ++JSS Connector for Apache Tomcat defines a number of attributes for a Connector ++including: + + clientauth: specify if client authentication is required in the connector (or + port), it can be true or false. If true then client authentication is required. + + sslOptions: specify a comma-delimited list of ssl options to pass into the ssl + implementation. Each option takes the form of: option=[true|false]. +-tomcatjss supports the options: ssl2, ssl3, tls. ++JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls. + +-ssl2Ciphers: specify a list of SSL2 ciphers that tomcatjss should accept +-or reject from the client. You can use + to denote "accept", - means "reject". ++ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for ++Apache Tomcat should accept or reject from the client. You can use + to ++denote "accept", - means "reject" + +-ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept +-or reject from the client. You can use + to denote "accept", - means "reject". 
++ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for ++Apache Tomcat should accept or reject from the client. You can use + to ++denote "accept", - means "reject". + +-tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept +-or reject from the client. You can use + to denote "accept", - means "reject". ++tlsCiphers: specifies a list of TLS ciphers that JSS Connector for ++Apache Tomcat should accept or reject from the client. You can use + to ++denote "accept", - means "reject". + + serverCertNickFile: a file in which specify the nickname of the + server certificate. The file should contain a single line that contains +-- +2.9.4 diff --git a/SOURCES/tomcatjss-Fixed-SSL-cipher-list-parser.patch b/SOURCES/tomcatjss-Fixed-SSL-cipher-list-parser.patch new file mode 100644 index 0000000..f948210 --- /dev/null +++ b/SOURCES/tomcatjss-Fixed-SSL-cipher-list-parser.patch 
@@ -0,0 +1,94 @@ +From c14c8ec6b077721eddeddb125b9a4b0141e5e4aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 1 Jun 2017 00:29:37 +0200 +Subject: [PATCH] Fixed SSL cipher list parser. + +The SSL cipher list parsers have been modified to ignore spaces +to allow more user-friendly formatting. + +https://pagure.io/tomcatjss/issue/9 + +Change-Id: Ic21f0347e06e20f64ef37de95f9d1f1ac3d1f0d2 +--- + .../apache/tomcat/util/net/jss/JSSImplementation.java | 5 +++-- + src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java | 16 ++++++++++++++-- + 2 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSImplementation.java b/src/org/apache/tomcat/util/net/jss/JSSImplementation.java +index 42dc8d2..8721844 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSImplementation.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSImplementation.java +@@ -25,6 +25,8 @@ import java.io.IOException; + import java.net.Socket; + import java.util.Properties; + ++import org.apache.commons.logging.Log; ++import org.apache.commons.logging.LogFactory; + import org.apache.tomcat.util.net.AbstractEndpoint; + import org.apache.tomcat.util.net.SSLImplementation; + import org.apache.tomcat.util.net.SSLSupport; +@@ -35,8 +37,7 @@ public class JSSImplementation extends SSLImplementation { + static final String JSSFactory = "org.apache.tomcat.util.net.jss.JSSFactory"; + static final String SSLSocketClass = "org.mozilla.jss.ssl.SSLSocket"; + +- static org.apache.commons.logging.Log logger = org.apache.commons.logging.LogFactory +- .getLog(JSSImplementation.class); ++ static Log logger = LogFactory.getLog(JSSImplementation.class); + + private JSSFactory factory = null; + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index 4992600..f974a89 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ 
b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -42,6 +42,8 @@ import javax.net.ssl.SSLContext; + import javax.net.ssl.TrustManager; + + import org.apache.commons.lang.StringUtils; ++import org.apache.commons.logging.Log; ++import org.apache.commons.logging.LogFactory; + // Imports required to "implement" Tomcat 7 Interface + import org.apache.tomcat.util.net.AbstractEndpoint; + import org.mozilla.jss.CertDatabaseException; +@@ -61,6 +63,8 @@ public class JSSSocketFactory implements + org.apache.tomcat.util.net.ServerSocketFactory, + org.apache.tomcat.util.net.SSLUtil { + ++ static Log logger = LogFactory.getLog(JSSSocketFactory.class); ++ + private static HashMap cipherMap = new HashMap(); + static { + // SSLv2 +@@ -382,9 +386,13 @@ public class JSSSocketFactory implements + debugWrite("JSSSocketFactory setSSLCiphers: " + attr + " not found"); + return; + } +- StringTokenizer st = new StringTokenizer(ciphers, ","); ++ ++ logger.debug("Processing " + attr + ":"); ++ StringTokenizer st = new StringTokenizer(ciphers, ", "); + while (st.hasMoreTokens()) { + String cipherstr = st.nextToken(); ++ logger.debug(" - " + cipherstr); ++ + int cipherid = 0; + String text; + boolean state; +@@ -456,9 +464,13 @@ public class JSSSocketFactory implements + debugWrite("no sslOptions specified"); + return; + } +- StringTokenizer st = new StringTokenizer(options, ","); ++ ++ logger.debug("Processing sslOptions:"); ++ StringTokenizer st = new StringTokenizer(options, ", "); + while (st.hasMoreTokens()) { + String option = st.nextToken(); ++ logger.debug(" - " + option); ++ + StringTokenizer st1 = new StringTokenizer(option, "="); + String name = st1.nextToken(); + String value = st1.nextToken(); +-- +1.8.3.1 + diff --git a/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch b/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch new file mode 100644 index 0000000..bf55593 --- /dev/null +++ b/SOURCES/tomcatjss-add-TLS-SHA384-ciphers.patch 
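Review bot: The two new logger fields are declared as package-private, non-final statics (`static Log logger = LogFactory.getLog(JSSSocketFactory.class);` and the same in JSSImplementation), so any class in the package can reassign them; declare them `private static final Log logger = ...` in both files. The widened delimiter `", "` in setSSLOptions also makes the pre-existing unguarded pair `String name = st1.nextToken(); String value = st1.nextToken();` (context lines just below the change) easier to hit: an entry with no `=`, such as a stray word produced by the looser spacing, now throws NoSuchElementException out of init instead of being reported, so a `if (!st1.hasMoreTokens()) { logger.error("invalid sslOptions entry: " + option); continue; }` guard before reading `value` would be more robust. setSSLCiphers and setSSLOptions both continue past the end of this hunk.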
@@ -0,0 +1,98 @@ +From 1970d6bf47e4ce3a43de370ada5c3e882d7a7cb0 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 29 Jun 2018 15:04:43 -0700 +Subject: [PATCH] Ticket #11 Add support for TLS_*_SHA384 ciphers + +This patch adds support for TLS_*_SHA384 ciphers which NSS now supports. + +fixes: https://pagure.io/tomcatjss/issue/11 +--- + .../tomcat/util/net/jss/JSSSocketFactory.java | 43 +++++++++++++++++++++- + 1 file changed, 41 insertions(+), 2 deletions(-) + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index f974a89..b38b091 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -290,6 +290,22 @@ public class JSSSocketFactory implements + SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); + cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA); ++ ++ // TLS_*_SHA384 ++ cipherMap.put("TLS_RSA_WITH_AES_256_GCM_SHA384", ++ SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384); ++ cipherMap.put("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", ++ SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384); ++ cipherMap.put("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", ++ SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384); ++ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); ++ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", ++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); ++ cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); ++ cipherMap.put("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", ++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); + } + + private static HashMap eccCipherMap = new HashMap(); +@@ -338,6 +354,22 @@ public class JSSSocketFactory implements + eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"); 
+ */ ++ ++ // TLS_*_SHA384 ++ eccCipherMap.put(SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384, ++ "TLS_RSA_WITH_AES_256_GCM_SHA384"); ++ eccCipherMap.put(SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, ++ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"); ++ eccCipherMap.put(SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, ++ "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"); ++ eccCipherMap.put(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"); ++ eccCipherMap.put(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, ++ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"); ++ eccCipherMap.put(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, ++ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"); ++ eccCipherMap.put(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, ++ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); + } + + private AbstractEndpoint endpoint; +@@ -429,23 +461,30 @@ public class JSSSocketFactory implements + } + if (cipherid != 0) { + try { +- debugWrite("JSSSocketFactory setSSLCiphers: " + cipherstr ++ debugWrite("JSSSocketFactory setSSLCiphers: setting: " + cipherstr + + ": 0x" + Integer.toHexString(cipherid) + "\n"); + SSLSocket.setCipherPreferenceDefault(cipherid, state); ++ debugWrite("JSSSocketFactory setSSLCiphers: done setting: " + cipherstr ++ + ": 0x" + Integer.toHexString(cipherid) + "\n"); + } catch (Exception e) { +- System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e); ++ String errMsg = "SSLSocket.setCipherPreferenceDefault exception on: " + cipherstr + " : " +e; ++ System.err.println(errMsg); ++ debugWrite("JSSSocketFactory setSSLCiphers: " + errMsg); + if (eccCipherMap.containsKey(cipherid)) { ++ debugWrite("JSSSocketFactory setSSLCiphers: Warning: cipher exists in eccCipherMap"); + System.err + .println("Warning: SSL ECC cipher \"" + + text + + "\" unsupported by NSS. " + + "This is probably O.K. 
unless ECC support has been installed."); + } else { ++ debugWrite("JSSSocketFactory setSSLCiphers: Error: cipher does not exist in eccCipherMap"); + System.err.println("Error: SSL cipher \"" + text + + "\" unsupported by NSS"); + } + } + } else { ++ debugWrite("JSSSocketFactory setSSLCiphers: Error: cipher not recognized by tomcatjss"); + System.err.println("Error: SSL cipher \"" + text + + "\" not recognized by tomcatjss"); + } +-- +2.14.4 + diff --git a/SOURCES/tomcatjss-support-for-event-API.patch b/SOURCES/tomcatjss-support-for-event-API.patch new file mode 100644 index 0000000..f38a2f1 --- /dev/null +++ b/SOURCES/tomcatjss-support-for-event-API.patch 
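Review bot: The seven new TLS_*_SHA384 suites are registered in `eccCipherMap` as well as `cipherMap`, but three of them (`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_DHE_DSS_WITH_AES_256_GCM_SHA384`) are not ECC suites. The catch block later in the same hunk treats `eccCipherMap.containsKey(cipherid)` as the "probably O.K. unless ECC support has been installed" case, so if NSS rejects one of those RSA/DHE suites the failure is downgraded from the "Error: SSL cipher ... unsupported by NSS" branch to a benign-looking ECC warning and a misconfigured or unsupported cipher list goes unnoticed. Keep only the four `TLS_ECDHE_*` entries in `eccCipherMap` and register the three RSA/DHE suites in `cipherMap` alone, with a comment such as `// non-ECC SHA384 suites deliberately omitted from eccCipherMap so a failure is reported as an error`. The enclosing setSSLCiphers method starts and ends outside this hunk.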
@@ -0,0 +1,294 @@ +From c410c7a35b4aa78e7c35d11a72cc96ff932df982 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 3 Mar 2017 09:19:58 +0100 +Subject: [PATCH 1/2] Renamed getEndpointAttribute(). + +The getEndpointAttribute() in JSSSocketFactory has been renamed +to getProperty() for clarity. +--- + .../tomcat/util/net/jss/JSSSocketFactory.java | 44 +++++++++++----------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index ebf5505..bc096c1 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -377,7 +377,7 @@ public class JSSSocketFactory implements + } + + public void setSSLCiphers(String attr) throws SocketException, IOException { +- String ciphers = getEndpointAttribute(attr); ++ String ciphers = getProperty(attr); + if (StringUtils.isEmpty(ciphers)) { + debugWrite("JSSSocketFactory setSSLCiphers: " + attr + " not found"); + return; +@@ -451,7 +451,7 @@ public class JSSSocketFactory implements + * parameter is ignored. 
+ */ + public void setSSLOptions() throws SocketException, IOException { +- String options = getEndpointAttribute("sslOptions"); ++ String options = getProperty("sslOptions"); + if (StringUtils.isEmpty(options)) { + debugWrite("no sslOptions specified"); + return; +@@ -562,7 +562,7 @@ public class JSSSocketFactory implements + return -1; + } + +- String getEndpointAttribute(String tag) { ++ String getProperty(String tag) { + + // check /conf/server.xml + String value = (String)endpoint.getAttribute(tag); +@@ -575,8 +575,8 @@ public class JSSSocketFactory implements + return value; + } + +- String getEndpointAttribute(String tag, String defaultValue) { +- String value = getEndpointAttribute(tag); ++ String getProperty(String tag, String defaultValue) { ++ String value = getProperty(tag); + if (value == null) { + return defaultValue; + } +@@ -585,7 +585,7 @@ public class JSSSocketFactory implements + + void init() throws IOException { + // debug enabled? +- String deb = getEndpointAttribute("debug"); ++ String deb = getProperty("debug"); + if (StringUtils.equals(deb, "true")) { + debug = true; + debugFile = new FileWriter("/tmp/tomcatjss.log", true); +@@ -613,14 +613,14 @@ public class JSSSocketFactory implements + + // MUST look for "clientauth" (ALL lowercase) since "clientAuth" + // (camel case) has already been processed by Tomcat 7 +- String clientAuthStr = getEndpointAttribute("clientauth"); ++ String clientAuthStr = getProperty("clientauth"); + if (clientAuthStr == null) { + debugWrite("JSSSocketFactory init - \"clientauth\" not found, default to want."); + clientAuthStr = "want"; + } + File file = null; + try { +- mServerCertNickPath = getEndpointAttribute("serverCertNickFile"); ++ mServerCertNickPath = getProperty("serverCertNickFile"); + if (mServerCertNickPath == null) { + throw new IOException("serverCertNickFile not specified"); + } +@@ -656,7 +656,7 @@ public class JSSSocketFactory implements + "JSSSocketFactory: no serverCertNickFile defined"); + } + 
+- // serverCertNick = (String)getEndpointAttribute("serverCert"); ++ // serverCertNick = (String)getProperty("serverCert"); + if (clientAuthStr.equalsIgnoreCase("true") + || clientAuthStr.equalsIgnoreCase("yes")) { + requireClientAuth = true; +@@ -670,7 +670,7 @@ public class JSSSocketFactory implements + && ocspConfigured == false) { + debugWrite("JSSSocketFactory init - checking for OCSP settings. \n"); + boolean enableOCSP = false; +- String doOCSP = getEndpointAttribute("enableOCSP"); ++ String doOCSP = getProperty("enableOCSP"); + + debugWrite("JSSSocketFactory init - doOCSP flag:" + doOCSP + " \n"); + +@@ -682,10 +682,10 @@ public class JSSSocketFactory implements + + "\n"); + + if (enableOCSP == true) { +- String ocspResponderURL = getEndpointAttribute("ocspResponderURL"); ++ String ocspResponderURL = getProperty("ocspResponderURL"); + debugWrite("JSSSocketFactory init - ocspResponderURL " + + ocspResponderURL + "\n"); +- String ocspResponderCertNickname = getEndpointAttribute( ++ String ocspResponderCertNickname = getProperty( + "ocspResponderCertNickname"); + debugWrite("JSSSocketFactory init - ocspResponderCertNickname" + + ocspResponderCertNickname + "\n"); +@@ -700,9 +700,9 @@ public class JSSSocketFactory implements + int ocspMinCacheEntryDuration_i = 3600; + int ocspMaxCacheEntryDuration_i = 86400; + +- String ocspCacheSize = getEndpointAttribute("ocspCacheSize"); +- String ocspMinCacheEntryDuration = getEndpointAttribute("ocspMinCacheEntryDuration"); +- String ocspMaxCacheEntryDuration = getEndpointAttribute("ocspMaxCacheEntryDuration"); ++ String ocspCacheSize = getProperty("ocspCacheSize"); ++ String ocspMinCacheEntryDuration = getProperty("ocspMinCacheEntryDuration"); ++ String ocspMaxCacheEntryDuration = getProperty("ocspMaxCacheEntryDuration"); + + if (ocspCacheSize != null + || ocspMinCacheEntryDuration != null +@@ -729,7 +729,7 @@ public class JSSSocketFactory implements + } + + // defualt to 60 seconds; +- String ocspTimeout = 
getEndpointAttribute("ocspTimeout"); ++ String ocspTimeout = getProperty("ocspTimeout"); + if (ocspTimeout != null) { + debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout); + int ocspTimeout_i = Integer.parseInt(ocspTimeout); +@@ -760,7 +760,7 @@ public class JSSSocketFactory implements + // 12 hours = 43200 seconds + SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null); + +- String strictCiphersStr = getEndpointAttribute("strictCiphers"); ++ String strictCiphersStr = getProperty("strictCiphers"); + if (StringUtils.equalsIgnoreCase(strictCiphersStr, "true") + || StringUtils.equalsIgnoreCase(strictCiphersStr, "yes")) { + mStrictCiphers = true; +@@ -773,7 +773,7 @@ public class JSSSocketFactory implements + debugWrite("SSSocketFactory init - before setSSLCiphers, strictCiphers is false\n"); + } + +- String sslVersionRangeStream = getEndpointAttribute("sslVersionRangeStream"); ++ String sslVersionRangeStream = getProperty("sslVersionRangeStream"); + if ((sslVersionRangeStream != null) + && !sslVersionRangeStream.equals("")) { + debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type STREAM\n"); +@@ -783,7 +783,7 @@ public class JSSSocketFactory implements + debugWrite("SSSocketFactory init - after setSSLVersionRangeDefault() for type STREAM\n"); + } + +- String sslVersionRangeDatagram = getEndpointAttribute("sslVersionRangeDatagram"); ++ String sslVersionRangeDatagram = getProperty("sslVersionRangeDatagram"); + if ((sslVersionRangeDatagram != null) + && !sslVersionRangeDatagram.equals("")) { + debugWrite("SSSocketFactory init - calling setSSLVersionRangeDefault() for type DATA_GRAM\n"); +@@ -854,11 +854,11 @@ public class JSSSocketFactory implements + + private void initializePasswordStore() throws InstantiationException, IllegalAccessException, + ClassNotFoundException, IOException { +- mPwdClass = getEndpointAttribute("passwordClass"); ++ mPwdClass = getProperty("passwordClass"); + if (mPwdClass == null) { + throw 
new IOException("Misconfiguration: passwordClass is not defined"); + } +- mPwdPath = getEndpointAttribute("passwordFile"); ++ mPwdPath = getProperty("passwordFile"); + + mPasswordStore = (IPasswordStore) Class.forName(mPwdClass).newInstance(); + debugWrite("JSSSocketFactory init - password reader initialized\n"); +@@ -869,7 +869,7 @@ public class JSSSocketFactory implements + + private CryptoManager getCryptoManager() throws KeyDatabaseException, CertDatabaseException, + GeneralSecurityException, NotInitializedException, IOException { +- String certDir = getEndpointAttribute("certdbDir"); ++ String certDir = getProperty("certdbDir"); + if (certDir == null) { + throw new IOException("Misconfiguration: certdir not defined"); + } +-- +1.8.3.1 + + +From 7612272aa337c413ac4b96cd13d5a1384b80b5aa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 27 Jan 2017 04:31:41 +0100 +Subject: [PATCH 2/2] Added SSLSocketListener registry. + +A new TomcatJSS class has been added as a mechanism to register +SSLSocketListeners for all SSLSockets created by TomcatJSS. 
+ +https://pagure.io/tomcatjss/issue/4 +--- + .../tomcat/util/net/jss/JSSSocketFactory.java | 4 ++ + src/org/apache/tomcat/util/net/jss/TomcatJSS.java | 69 ++++++++++++++++++++++ + 2 files changed, 73 insertions(+) + create mode 100644 src/org/apache/tomcat/util/net/jss/TomcatJSS.java + +diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +index bc096c1..4992600 100644 +--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java ++++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java +@@ -934,6 +934,10 @@ public class JSSSocketFactory implements + SSLSocket asock = null; + try { + asock = (SSLSocket) socket.accept(); ++ ++ TomcatJSS tomcatjss = TomcatJSS.getInstance(); ++ asock.addSocketListener(tomcatjss); ++ + if (wantClientAuth || requireClientAuth) { + asock.requestClientAuth(true); + if (requireClientAuth == true) { +diff --git a/src/org/apache/tomcat/util/net/jss/TomcatJSS.java b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java +new file mode 100644 +index 0000000..9717921 +--- /dev/null ++++ b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java +@@ -0,0 +1,69 @@ ++/* BEGIN COPYRIGHT BLOCK ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. 
++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ * Copyright (C) 2017 Red Hat, Inc. ++ * All rights reserved. ++ * END COPYRIGHT BLOCK */ ++ ++package org.apache.tomcat.util.net.jss; ++ ++import java.util.ArrayList; ++import java.util.Collection; ++ ++import org.mozilla.jss.ssl.SSLAlertEvent; ++import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; ++import org.mozilla.jss.ssl.SSLSocketListener; ++ ++public class TomcatJSS implements SSLSocketListener { ++ ++ public final static TomcatJSS INSTANCE = new TomcatJSS(); ++ ++ public static TomcatJSS getInstance() { return INSTANCE; } ++ ++ Collection socketListeners = new ArrayList(); ++ ++ public void addSocketListener(SSLSocketListener listener) { ++ socketListeners.add(listener); ++ } ++ ++ public void removeSocketListener(SSLSocketListener listener) { ++ socketListeners.remove(listener); ++ } ++ ++ public Collection getSocketListeners() { ++ return socketListeners; ++ } ++ ++ @Override ++ public void alertReceived(SSLAlertEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.alertReceived(event); ++ } ++ } ++ ++ @Override ++ public void alertSent(SSLAlertEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.alertSent(event); ++ } ++ } ++ ++ @Override ++ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.handshakeCompleted(event); ++ } ++ } ++} +-- +1.8.3.1 + diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec new file mode 100644 index 0000000..e3bcced --- /dev/null +++ b/SPECS/tomcatjss.spec 
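Review bot: `TomcatJSS.socketListeners` is a raw, unsynchronized `ArrayList` that `alertReceived`, `alertSent` and `handshakeCompleted` iterate while `addSocketListener`/`removeSocketListener` may mutate it from another thread; because the singleton is attached to every accepted socket in JSSSocketFactory.accept (`asock.addSocketListener(tomcatjss);`), a listener registered after the connector is up can race the callbacks and raise ConcurrentModificationException on whatever thread JSS uses to deliver the events. Declare it `private final Collection<SSLSocketListener> socketListeners = new CopyOnWriteArrayList<>();` and have `getSocketListeners()` return `Collections.unmodifiableCollection(socketListeners)` instead of the internal list, so callers cannot bypass the add/remove methods. Each dispatch loop also lets one throwing listener abort delivery to the rest; catching per listener and logging would isolate a faulty listener from the others. The `new FileWriter("/tmp/tomcatjss.log", true)` line visible as context in init() is pre-existing, but a fixed file in a world-writable directory is worth moving to a configurable path under Tomcat's log directory in a follow-up.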
@@ -0,0 +1,238 @@ +Name: tomcatjss +Version: 7.2.1 +Release: 7%{?dist} +Summary: JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS +URL: http://pki.fedoraproject.org/ +License: LGPLv2+ +Group: System Environment/Libraries + +BuildArch: noarch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz + +# jpackage-utils requires versioning to meet both build and runtime requirements +# jss requires versioning to meet both build and runtime requirements +# tomcat requires versioning to meet both build and runtime requirements +Conflicts: pki-base < 10.4.0 +BuildRequires: ant +BuildRequires: apache-commons-lang +BuildRequires: java-devel +BuildRequires: jpackage-utils >= 0:1.7.5-15 +%if 0%{?fedora} +BuildRequires: jss >= 4.4.4-3 +%else +BuildRequires: jss >= 4.4.0-13 +%endif +%if 0%{?fedora} >= 23 +BuildRequires: tomcat >= 8.0.18 +%else +BuildRequires: tomcat >= 7.0.68 +%endif + +Requires: apache-commons-lang +%if 0%{?fedora} >= 21 +Requires: java-headless +%else +Requires: java +%endif +Requires: jpackage-utils >= 0:1.7.5-15 +%if 0%{?fedora} +Requires: jss >= 4.4.4-3 +%else +Requires: jss >= 4.4.0-13 +%endif +%if 0%{?fedora} >= 23 +Requires: tomcat >= 8.0.18 +%else +Requires: tomcat >= 7.0.68 +%endif + +####################### +## tomcatjss-7.2.1-3 +####################### +Patch1: tomcatjss-support-for-event-API.patch +####################### +## tomcatjss-7.2.1-4 +####################### +Patch2: tomcatjss-Fixed-SSL-cipher-list-parser.patch +####################### +## tomcatjss-7.2.1-5 +####################### +Patch3: tomcatjss-Comply-with-ASF-trademark-rules.patch +####################### +## tomcatjss-7.2.1-7 +####################### +Patch4: tomcatjss-add-TLS-SHA384-ciphers.patch + +# The 'tomcatjss' package conflicts with the 'tomcat-native' package +# because it uses an underlying NSS security model rather than the +# OpenSSL security 
model, so these two packages may not co-exist. +# (see Bugzilla Bug #441974 for details) +Conflicts: tomcat-native + +%if 0%{?rhel} +# For EPEL, override the '_sharedstatedir' macro on RHEL +%define _sharedstatedir /var/lib +%endif + +%description +JSS Connector for Apache Tomcat, installed via the tomcatjss package, +is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that +uses Java Security Services (JSS), a Java interface to Network Security +Services (NSS). + +NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package + because it uses an underlying NSS security model rather than the + OpenSSL security model, so these two packages may not co-exist. + +%prep + +%setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +chmod -c -x LICENSE README + +%build + +ant -f build.xml -Djnidir=%{_jnidir} +ant -f build.xml -Djnidir=%{_jnidir} dist + +%install +rm -rf %{buildroot} + +# Unpack the files we just built +cd dist/binary +unzip %{name}-%{version}.zip -d %{buildroot} + +# Install our files +cd %{buildroot}%{_javadir} +%if 0%{?rhel} || 0%{?fedora} < 21 +mv %{name}.jar %{name}-%{version}.jar +ln -s %{name}-%{version}.jar %{name}.jar +%endif + +%clean +rm -rf %{buildroot} + +%files +%defattr(-,root,root) +%doc README LICENSE +%{_javadir}/* + +%changelog +* Mon Jul 2 2018 Matthew Harmsen 7.2.1-7 +- Updated jss build and runtime dependencies +- Bugzilla Bug #1597180 - Tomcatjss: Add support for TLS_*_SHA384 ciphers + [rhel-7.5.z] (cfu) + +* Mon Jun 12 2017 Matthew Harmsen 7.2.1-6 +- Bugzilla Bug #1460040 - Comply with ASF trademark rules (mharmsen) + +* Mon Jun 12 2017 Matthew Harmsen 7.2.1-5 +- Bugzilla Bug #1460037 - Comply with ASF trademark rules (mharmsen) + +* Mon Jun 5 2017 Endi Sukma Dewata 7.2.1-4 +- Bugzilla Bug #1457524 - Problem parsing formatted cipher list (edewata) + +* Mon Mar 27 2017 Matthew Harmsen - 7.2.1-3 +- Bugzilla Bug #1394416 - Rebase tomcatjss to 7.2.x in RHEL 7.4 (mharmsen) +- ## 
'tomcatjss-support-for-event-API.patch' resolves the following issues + ## ported from upstream: +- tomcatjss Pagure Issue #4 - Support for Event API (edewata) + +* Tue Mar 21 2017 Matthew Harmsen - 7.2.1-2 +- Added Conflicts statement due to incompatibility with pki-base < 10.4.0 + +* Tue Mar 14 2017 Matthew Harmsen 7.2.1-1 +- Updated jss build and runtime dependencies +- Bumped version due to corrupted tarball + +* Mon Mar 13 2017 Matthew Harmsen 7.2.0-2 +- Changed build so that it did not package and depend upon the specfile being + included inside the tarball + +* Sun Mar 12 2017 Matthew Harmsen 7.2.0-1 +- tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora 25+ (mharmsen) +- Bugzilla Bug #1394416 - Rebase tomcatjss to 7.2.0 in RHEL 7.4 (mharmsen) + +* Wed Jun 29 2016 Christina Fu 7.1.2-3 +- Bugzilla Bug #1203407 - missing ciphers (cfu) + +* Wed Mar 16 2016 Endi Sukma Dewata 7.1.2-2 +- Bugzilla Bug #1344804 - Build failure on RHEL 7.3 + (patch for Bugzilla Bug #1245786 - Build failure on F23 was backported to + RHEL 7 to coincide with Apache Tomcat version change to 7.0.68+) + +* Wed Mar 4 2015 Endi Sukma Dewata 7.1.2-1 +- Bugzilla Bug #1198450 - Support for Apache Tomcat 8 +- Bugzilla Bug #1214858 - Add nuxwdog support (alee) + +* Tue Sep 30 2014 Christina Fu 7.1.1-1 +- Bugzilla Bug #1058366 NullPointerException in tomcatjss searching + for attribute "clientauth" (cfu) +- Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and + TLS v1.2 (cfu) +- Bumped revision to 7.1.1 + +* Sun Jun 08 2014 Fedora Release Engineering - 7.1.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Mar 25 2014 Mikolaj Izdebski - 7.1.0-5 +- Move to java-headless +- Resolves: rhbz#1068567 + +* Tue Jan 07 2014 Michael Simacek - 7.1.0-5 +- Remove versioned symlink (rhbz#1022167) + +* Fri Aug 2 2013 Ville Skyttä - 7.1.0-4 +- Simplify installation of docs. 
+ +* Thu Jun 13 2013 Matthew Harmsen 7.1.0-3 +- Updated tomcatjss to utilize tomcat-7.0.40. +- Updated JNIDIR to /usr/lib/java. + +* Fri Feb 15 2013 Fedora Release Engineering - 7.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 19 2012 Christina Fu 7.1.0-1 +- Bugzila Bug #819554 tomcatjss: Please migrate from tomcat6 to tomcat7 + +* Thu Aug 2 2012 Matthew Harmsen 7.0.0-3 +- PKI TRAC Ticket #283 - Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar' + and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package + +* Thu Jul 26 2012 Matthew Harmsen 7.0.0-2 +- Fixed runtime 'Requires' cut/paste typos + +* Wed Jun 06 2012 Matthew Harmsen 7.0.0-1 +- Bugzilla Bug #819554 - tomcatjss: Please migrate from tomcat6 to tomcat7 + +* Thu Sep 22 2011 Matthew Harmsen 6.0.2-1 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) + +* Mon Sep 12 2011 Matthew Harmsen 6.0.1-1 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . + +* Thu Jul 14 2011 Matthew Harmsen - 6.0.0-1 +- Bugzilla Bug #702716 - rhcs80 cannot do client auth with pkiconsole + (ok with 7.3) (jmagne) +- Require "jss >= 4.2.6-17" as a build and runtime requirement +- Bump version 2.1.1 --> 6.0.0 (to better coincide with tomcat6) + +* Fri Mar 25 2011 Matthew Harmsen - 2.1.1-1 +- Require "jss >= 4.2.6-15" as a build and runtime requirement +- Require "tomcat6 >= 6.0.30-6" as a build and runtime requirement + for Fedora 15 and later platforms + +* Wed Jan 12 2011 John Dennis - 2.1.0-1 +- bump version to 2.1.0 + Bug #588323 - Failed to enable cipher 0xc001 (svn rev 105) + Bug #634375 - Build tomcatjss against tomcat6 (svn rev 106) + Bug #655915 - Disable socket timeouts when socket is first created. (svn rev 107) + +* Tue Dec 14 2010 John Dennis +- Updated 'tomcatjss' to utilize 'tomcat6'.
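Review bot: `Source0` and `URL` use plain `http://pki.fedoraproject.org/...`; the build itself is pinned by the sha1 recorded in `.tomcatjss.metadata`, but anyone refreshing the tarball from the URL fetches it over an unauthenticated channel, so both should read `https://pki.fedoraproject.org/...`. The four `PatchN:` entries carry no provenance comment even though each patch file embeds its upstream commit hash in its `From` line; a one-line `# upstream commit <hash from the patch header>` above each `PatchN:` would let a reviewer confirm the backport without opening the file. The 7.2.1-3 changelog entry is split as `- ## 'tomcatjss-support-for-event-API.patch' resolves the following issues` followed by an indented `## ported from upstream:` line, which reads as a stray heading inside a bullet; folding it into one bullet line would match the rest of the changelog.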