From 5f64d01c9004029929772e7e59d8e8029f36ec9e Mon Sep 17 00:00:00 2001 From: Travis Tomsu Date: Thu, 27 Jul 2017 12:24:40 -0400 Subject: [PATCH] fix(ssl): Fix some issues found when testing Gate with SSL (#89) --- build.gradle | 2 +- .../spinnaker/config/TomcatConfiguration.groovy | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index d1c5de135..85b0bc1ef 100644 --- a/build.gradle +++ b/build.gradle @@ -34,7 +34,7 @@ allprojects { group = 'com.netflix.spinnaker.kork' ext { - spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.106.0-rc.1-springBoot154' + spinnakerDependenciesVersion = project.hasProperty('spinnakerDependenciesVersion') ? project.property('spinnakerDependenciesVersion') : '0.106.0-rc.4-springBoot154' } def checkLocalVersions = [spinnakerDependenciesVersion: spinnakerDependenciesVersion] diff --git a/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy b/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy index 05bb448ee..b7d2a0087 100644 --- a/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy +++ b/kork-web/src/main/groovy/com/netflix/spinnaker/config/TomcatConfiguration.groovy @@ -18,6 +18,7 @@ package com.netflix.spinnaker.config import com.netflix.spinnaker.okhttp.OkHttpClientConfigurationProperties import com.netflix.spinnaker.tomcat.x509.BlacklistingSSLImplementation +import com.netflix.spinnaker.tomcat.x509.BlacklistingX509TrustManager import com.netflix.spinnaker.tomcat.x509.SslExtensionConfigurationProperties import groovy.util.logging.Slf4j import org.apache.catalina.connector.Connector 
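Review bot: The added `import com.netflix.spinnaker.tomcat.x509.BlacklistingX509TrustManager` is not referenced by either hunk of TomcatConfiguration.groovy in this patch; the only plausible consumer, the `setTrustManagerClassName(...)` call, is removed in the second hunk. Unless the class is used in a part of the file not shown here, the import is dead and should be dropped rather than left to suggest the trust manager is wired in directly. If it is meant to be used, the SSL-config hunk should show where.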
@@ -62,13 +63,16 @@ class TomcatConfiguration {
 def handler = connector.getProtocolHandler()
 if (handler instanceof AbstractHttp11JsseProtocol) {
 if (handler.isSSLEnabled()) {
- SSLHostConfig sslHostConfig = new SSLHostConfig();
+ def sslConfigs = connector.findSslHostConfigs()
+ if (sslConfigs.size() != 1) {
+ throw new RuntimeException("Ssl configs: found ${sslConfigs.size()}, expected 1.")
+ }
+ handler.setSslImplementationName(BlacklistingSSLImplementation.name)
+ SSLHostConfig sslHostConfig = sslConfigs.first()
 sslHostConfig.setHonorCipherOrder("true")
 sslHostConfig.ciphers = okHttpClientConfigurationProperties.cipherSuites.join(",")
 sslHostConfig.setProtocols(okHttpClientConfigurationProperties.tlsVersions.join(","))
- sslHostConfig.setTrustManagerClassName(BlacklistingSSLImplementation.name)
 sslHostConfig.setCertificateRevocationListFile(sslExtensionConfigurationProperties.getCrlFile())
- handler.addSslHostConfig(sslHostConfig)
 }
 }
 }
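Review bot: The new size check fails loudly when the host-config count is unexpected, but the cipher and protocol overrides a few lines below pass `cipherSuites.join(",")` and `tlsVersions.join(",")` straight through, so an empty or unset list (the properties' defaults are not visible here) becomes an empty string, and what Tomcat does with an empty `ciphers`/`protocols` value is not established by this hunk. A guard in the same fail-closed spirit, placed before the overrides, would stop a misconfigured listener from starting silently, e.g. `if (!okHttpClientConfigurationProperties.tlsVersions || !okHttpClientConfigurationProperties.cipherSuites) {` / `throw new IllegalStateException("TLS versions and cipher suites must be configured for an SSL connector")` / `}`. On the same theme, the count check would read better as `IllegalStateException` than a bare `RuntimeException`. The enclosing customizer closure starts before this hunk, so I cannot tell from here whether it is guaranteed to run before the connector is initialised, which the new `setSslImplementationName` call presumably relies on to take effect.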