Gitblit devel
blame | history | patch | commit | commitdiff | ignore whitespace
James Moger
2013-01-05 9e186eedf1a09ca7ac4fbdea32b00e7e5331f7eb 
 src/com/gitblit/GitBlitServer.java


@@ -16,7 +16,9 @@


package com.gitblit;







import java.io.BufferedReader;



import java.io.BufferedWriter;



import java.io.File;



import java.io.FileWriter;



import java.io.IOException;



import java.io.InputStreamReader;



import java.io.OutputStream;



@@ -42,7 +44,6 @@


import org.eclipse.jetty.server.ssl.SslConnector;



import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;



import org.eclipse.jetty.server.ssl.SslSocketConnector;



import org.eclipse.jetty.util.ssl.SslContextFactory;



import org.eclipse.jetty.util.thread.QueuedThreadPool;



import org.eclipse.jetty.webapp.WebAppContext;



import org.eclipse.jgit.storage.file.FileBasedConfig;



@@ -55,10 +56,12 @@


import com.beust.jcommander.Parameter;



import com.beust.jcommander.ParameterException;



import com.beust.jcommander.Parameters;



import com.gitblit.authority.GitblitAuthority;



import com.gitblit.authority.NewCertificateConfig;



import com.gitblit.utils.StringUtils;



import com.gitblit.utils.TimeUtils;



import com.gitblit.utils.X509Utils;



import com.gitblit.utils.X509Utils.X509Log;



import com.gitblit.utils.X509Utils.X509Metadata;



import com.unboundid.ldap.listener.InMemoryDirectoryServer;



import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;



@@ -194,7 +197,7 @@






      // conditionally configure the https connector



      if (params.securePort > 0) {



         File folder = new File(System.getProperty("user.dir"));



         final File folder = new File(System.getProperty("user.dir"));



         File certificatesConf = new File(folder, X509Utils.CA_CONFIG);



         File serverKeyStore = new File(folder, X509Utils.SERVER_KEY_STORE);



         File serverTrustStore = new File(folder, X509Utils.SERVER_TRUST_STORE);



@@ -215,10 +218,30 @@


         }



         



         metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);



         X509Utils.prepareX509Infrastructure(metadata, folder);



         X509Utils.prepareX509Infrastructure(metadata, folder, new X509Log() {



            @Override



            public void log(String message) {



               BufferedWriter writer = null;



               try {



                  writer = new BufferedWriter(new FileWriter(new File(folder, X509Utils.CERTS + File.separator + "log.txt"), true));



                  writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));



                  writer.newLine();



                  writer.flush();



               } catch (Exception e) {



                  LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);



               } finally {



                  if (writer != null) {



                     try {



                        writer.close();



                     } catch (IOException e) {



                     }



                  }



               }



            }



         });







         if (serverKeyStore.exists()) {              



            Connector secureConnector = createSSLConnector(serverKeyStore, serverTrustStore, params.storePassword,



            Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,



                  caRevocationList, params.useNIO, params.securePort, params.requireClientCertificates);



            String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);



            if (!StringUtils.isEmpty(bindInterface)) {



@@ -389,6 +412,7 @@


    * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.



    * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html



    * 



    * @param certAlias



    * @param keyStore



    * @param clientTrustStore



    * @param storePassword



@@ -398,52 +422,31 @@


    * @param requireClientCertificates



    * @return an https connector



    */



   private static Connector createSSLConnector(File keyStore, File clientTrustStore,



   private static Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,



         String storePassword, File caRevocationList, boolean useNIO, int port, 



         boolean requireClientCertificates) {



      SslContextFactory sslContext = new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH);



      GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,



            keyStore, clientTrustStore, storePassword, caRevocationList);



      SslConnector connector;



      if (useNIO) {



         logger.info("Setting up NIO SslSelectChannelConnector on port " + port);



         SslSelectChannelConnector ssl = new SslSelectChannelConnector(sslContext);



         SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);



         ssl.setSoLingerTime(-1);



         if (requireClientCertificates) {



            sslContext.setNeedClientAuth(true);



            factory.setNeedClientAuth(true);



         } else {



            sslContext.setWantClientAuth(true);



            factory.setWantClientAuth(true);



         }



         ssl.setThreadPool(new QueuedThreadPool(20));



         connector = ssl;



      } else {



         logger.info("Setting up NIO SslSocketConnector on port " + port);



         SslSocketConnector ssl = new SslSocketConnector(sslContext);



         SslSocketConnector ssl = new SslSocketConnector(factory);



         connector = ssl;



      }



      // disable renegotiation unless this is a patched JVM



      boolean allowRenegotiation = false;



      String v = System.getProperty("java.version");



      if (v.startsWith("1.7")) {



         allowRenegotiation = true;



      } else if (v.startsWith("1.6")) {



         // 1.6.0_22 was first release with RFC-5746 implemented fix.



         if (v.indexOf('_') > -1) {



            String b = v.substring(v.indexOf('_') + 1);



            if (Integer.parseInt(b) >= 22) {



               allowRenegotiation = true;



            }



         }



      }



      if (allowRenegotiation) {



         logger.info("   allowing SSL renegotiation on Java " + v);



         sslContext.setAllowRenegotiate(allowRenegotiation);



      }



      sslContext.setKeyStorePath(keyStore.getAbsolutePath());



      sslContext.setKeyStorePassword(storePassword);



      sslContext.setTrustStore(clientTrustStore.getAbsolutePath());



      sslContext.setTrustStorePassword(storePassword);



      sslContext.setCrlPath(caRevocationList.getAbsolutePath());



      connector.setPort(port);



      connector.setMaxIdleTime(30000);







      return connector;



   }



   



@@ -572,6 +575,9 @@


      @Parameter(names = "--ajpPort", description = "AJP port to serve.  (port <= 0 will disable this connector)")



      public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);







      @Parameter(names = "--alias", description = "Alias of SSL certificate in keystore for serving https.")



      public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");







      @Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")



      public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");