Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding support for sslhostconfig options #569

Merged
merged 4 commits into from
Oct 10, 2024
Merged

Adding support for sslhostconfig options #569

merged 4 commits into from
Oct 10, 2024
+60 −4

Conversation

malikparvez
Copy link
Member

@malikparvez malikparvez commented Sep 23, 2024
edited
Loading

Summary

Adding support for sslhostconfig options.

 <SSLHostConfig>
    <Certificate
        certificateKeyFile="conf/localhost-rsa-key.pem"
        certificateFile="conf/localhost-rsa-cert.pem"
        certificateChainFile="conf/localhost-rsa-chain.pem"
        type="RSA"
        />
  </SSLHostConfig>

read more about it in tomcat docs

Additional Context

Add any additional context about the problem here.

  • Root cause and the steps to reproduce. (If applicable)
  • Thought process behind the implementation.

Related Issues (if any)

Mention any related issues or pull requests.

Checklist

  • 🟢 Spec tests.
  • 🟢 Acceptance tests.
  • Manually verified. (For example puppet apply)

@malikparvez malikparvez requested a review from a team as a code owner September 23, 2024 06:34
Ramesh7
Ramesh7 previously approved these changes Sep 26, 2024
View reviewed changes
Copy link
Contributor

@Ramesh7 Ramesh7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes looks good, would like to have another review from cummunity.

@tedgarb
Copy link

tedgarb commented Sep 27, 2024

Thanks, this looks like a good first pass at fixing #545, have a couple pieces of immediate feedback.

I will need to get a working test environment together to validate my belief, but at first blush this does not look right to me. To use the doc example, it should be:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443"
    maxThreads="150"
    SSLEnabled="true"
    maxParameterCount="1000"
    >
  <SSLHostConfig>
    <Certificate
        certificateKeyFile="conf/localhost-rsa-key.pem"
        certificateFile="conf/localhost-rsa-cert.pem"
        certificateChainFile="conf/localhost-rsa-chain.pem"
        type="RSA"
        />
  </SSLHostConfig>
</Connector>

It looks like the code here is referring to a path with bits like

$sslhostconfig_path = "Server/Service/Connector[#attribute/port='${port}']"
"set ${sslhostconfig_path}/Certificate/#attribute/certificateKeyFile ${cert_key_file}",

So the implied path is Server/Service/Connector[#attribute/port='${port}']/Certificate/#attribute/certificateKeyFile ${cert_key_file}, I think it is supposed to be Server/Service/Connector[#attribute/port='${port}']/SSLHostConfig/Certificate/#attribute/certificateKeyFile ${cert_key_file}.

Other obvious issue is if $cert_key_file and $cert_file and $cert_chain_file in the logic, which means if you specify some but not all of the values, it silently does nothing but does not produce any hint unless you read the code here.

@malikparvez
Copy link
Member Author

malikparvez commented Oct 1, 2024
edited
Loading

Thanks, this looks like a good first pass at fixing #545, have a couple pieces of immediate feedback.

I will need to get a working test environment together to validate my belief, but at first blush this does not look right to me. To use the doc example, it should be:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443"
    maxThreads="150"
    SSLEnabled="true"
    maxParameterCount="1000"
    >
  <SSLHostConfig>
    <Certificate
        certificateKeyFile="conf/localhost-rsa-key.pem"
        certificateFile="conf/localhost-rsa-cert.pem"
        certificateChainFile="conf/localhost-rsa-chain.pem"
        type="RSA"
        />
  </SSLHostConfig>
</Connector>

It looks like the code here is referring to a path with bits like

$sslhostconfig_path = "Server/Service/Connector[#attribute/port='${port}']"
"set ${sslhostconfig_path}/Certificate/#attribute/certificateKeyFile ${cert_key_file}",

So the implied path is Server/Service/Connector[#attribute/port='${port}']/Certificate/#attribute/certificateKeyFile ${cert_key_file}, I think it is supposed to be ``Server/Service/Connector[#attribute/port='${port}']/SSLHostConfig/Certificate/#attribute/certificateKeyFile ${cert_key_file}.

Other obvious issue is if $cert_key_file and $cert_file and $cert_chain_file in the logic, which means if you specify some but not all of the values, it silently does nothing but does not produce any hint unless you read the code here.

Hello @tedgarb thank you so much for your review, your right somehow I got wrapped into the xml and missed this.
here is the updated config file

<Server>
	<Service>
		<Connector port="8443">
			<SSLHostConfig>
				<Certificate certificateKeyFile="/path/me/key.pem" certificateFile="/path/me/cert.pem" certificateChainFile="/path/me/chain.pem" type="PEM"></Certificate>
			</SSLHostConfig>
		</Connector>
	</Service>
	<Service>
		<Connector protocol="HTTP/1.1"></Connector>
	</Service>
</Server>

and sure i will add notify to let the user know if the all required params are not passed and the changes has not been applied
.

Thank you so much for your review

@malikparvez
Copy link
Member Author

@tedgarb Please review with the changes as you suggested...

@tedgarb
Copy link

tedgarb commented Oct 2, 2024

The fixes to the XML pass the eyeball test, but I haven't tested on an actual machine yet.

I am still not sure the notice is quite right for two reasons:

  1. it emits on any connector without these params, which is a bit aggressive/noisy in general
  2. What I was hoping for is more "you have defined some but not all of these, either define all or none," potentially with this state being an outright error, though I'd welcome others to express opinions here

@malikparvez
Copy link
Member Author

The fixes to the XML pass the eyeball test, but I haven't tested on an actual machine yet.

I am still not sure the notice is quite right for two reasons:

  1. it emits on any connector without these params, which is a bit aggressive/noisy in general
  2. What I was hoping for is more "you have defined some but not all of these, either define all or none," potentially with this state being an outright error, though I'd welcome others to express opinions here

Agree with the first point this is going to be noise so removed the notify. About 2nd point I am not exactly sure how to handle this.

@malikparvez malikparvez merged commit 1ac22b2 into main Oct 10, 2024
41 of 42 checks passed
@malikparvez malikparvez deleted the sslhostconfig branch October 10, 2024 11:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rajat-puppet rajat-puppet rajat-puppet approved these changes

@Ramesh7 Ramesh7 Ramesh7 left review comments

Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@malikparvez @tedgarb @Ramesh7 @rajat-puppet