| | |
|---|
| | | import org.eclipse.jetty.server.ssl.SslConnector;
|
|---|
| | | import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
|
|---|
| | | import org.eclipse.jetty.server.ssl.SslSocketConnector;
|
|---|
| | | import org.eclipse.jetty.util.ssl.SslContextFactory;
|
|---|
| | | import org.eclipse.jetty.util.thread.QueuedThreadPool;
|
|---|
| | | import org.eclipse.jetty.webapp.WebAppContext;
|
|---|
| | | import org.eclipse.jgit.storage.file.FileBasedConfig;
|
|---|
| | |
|---|
| | | });
|
|---|
| | |
|
|---|
| | | if (serverKeyStore.exists()) {
|
|---|
| | | Connector secureConnector = createSSLConnector(serverKeyStore, serverTrustStore, params.storePassword,
|
|---|
| | | Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
|
|---|
| | | caRevocationList, params.useNIO, params.securePort, params.requireClientCertificates);
|
|---|
| | | String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
|
|---|
| | | if (!StringUtils.isEmpty(bindInterface)) {
|
|---|
| | |
|---|
| | | * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
|
|---|
| | | * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
|
|---|
| | | *
|
|---|
| | | * @param certAlias
|
|---|
| | | * @param keyStore
|
|---|
| | | * @param clientTrustStore
|
|---|
| | | * @param storePassword
|
|---|
| | |
|---|
| | | * @param requireClientCertificates
|
|---|
| | | * @return an https connector
|
|---|
| | | */
|
|---|
| | | private static Connector createSSLConnector(File keyStore, File clientTrustStore,
|
|---|
| | | private static Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
|
|---|
| | | String storePassword, File caRevocationList, boolean useNIO, int port,
|
|---|
| | | boolean requireClientCertificates) {
|
|---|
| | | SslContextFactory sslContext = new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH);
|
|---|
| | | GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
|
|---|
| | | keyStore, clientTrustStore, storePassword, caRevocationList);
|
|---|
| | | SslConnector connector;
|
|---|
| | | if (useNIO) {
|
|---|
| | | logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
|
|---|
| | | SslSelectChannelConnector ssl = new SslSelectChannelConnector(sslContext);
|
|---|
| | | SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
|
|---|
| | | ssl.setSoLingerTime(-1);
|
|---|
| | | if (requireClientCertificates) {
|
|---|
| | | sslContext.setNeedClientAuth(true);
|
|---|
| | | factory.setNeedClientAuth(true);
|
|---|
| | | } else {
|
|---|
| | | sslContext.setWantClientAuth(true);
|
|---|
| | | factory.setWantClientAuth(true);
|
|---|
| | | }
|
|---|
| | | ssl.setThreadPool(new QueuedThreadPool(20));
|
|---|
| | | connector = ssl;
|
|---|
| | | } else {
|
|---|
| | | logger.info("Setting up NIO SslSocketConnector on port " + port);
|
|---|
| | | SslSocketConnector ssl = new SslSocketConnector(sslContext);
|
|---|
| | | SslSocketConnector ssl = new SslSocketConnector(factory);
|
|---|
| | | connector = ssl;
|
|---|
| | | }
|
|---|
| | | // disable renegotiation unless this is a patched JVM
|
|---|
| | | boolean allowRenegotiation = false;
|
|---|
| | | String v = System.getProperty("java.version");
|
|---|
| | | if (v.startsWith("1.7")) {
|
|---|
| | | allowRenegotiation = true;
|
|---|
| | | } else if (v.startsWith("1.6")) {
|
|---|
| | | // 1.6.0_22 was first release with RFC-5746 implemented fix.
|
|---|
| | | if (v.indexOf('_') > -1) {
|
|---|
| | | String b = v.substring(v.indexOf('_') + 1);
|
|---|
| | | if (Integer.parseInt(b) >= 22) {
|
|---|
| | | allowRenegotiation = true;
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | }
|
|---|
| | | if (allowRenegotiation) {
|
|---|
| | | logger.info(" allowing SSL renegotiation on Java " + v);
|
|---|
| | | sslContext.setAllowRenegotiate(allowRenegotiation);
|
|---|
| | | }
|
|---|
| | | sslContext.setKeyStorePath(keyStore.getAbsolutePath());
|
|---|
| | | sslContext.setKeyStorePassword(storePassword);
|
|---|
| | | sslContext.setTrustStore(clientTrustStore.getAbsolutePath());
|
|---|
| | | sslContext.setTrustStorePassword(storePassword);
|
|---|
| | | sslContext.setCrlPath(caRevocationList.getAbsolutePath());
|
|---|
| | | connector.setPort(port);
|
|---|
| | | connector.setMaxIdleTime(30000);
|
|---|
| | |
|
|---|
| | | return connector;
|
|---|
| | | }
|
|---|
| | |
|
|---|
| | |
|---|
| | | @Parameter(names = "--ajpPort", description = "AJP port to serve. (port <= 0 will disable this connector)")
|
|---|
| | | public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
|
|---|
| | |
|
|---|
| | | @Parameter(names = "--alias", description = "Alias of SSL certificate in keystore for serving https.")
|
|---|
| | | public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
|
|---|
| | |
|
|---|
| | | @Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")
|
|---|
| | | public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
|
|---|
| | |
|
|---|
