Class CasEmbeddedApacheSslHostConfigProperties

java.lang.Object
org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheSslHostConfigProperties
All Implemented Interfaces:
Serializable

@RequiresModule(name="cas-server-webapp-tomcat") public class CasEmbeddedApacheSslHostConfigProperties extends Object implements Serializable
Since:
5.3.0
  • Constructor Details

    • CasEmbeddedApacheSslHostConfigProperties

      public CasEmbeddedApacheSslHostConfigProperties()
  • Method Details

    • isEnabled

      public boolean isEnabled()
      Enable this host config.
    • isRevocationEnabled

      public boolean isRevocationEnabled()
      Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used.
    • getCaCertificateFile

      public String getCaCertificateFile()
      Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.
    • getCertificateVerification

      public String getCertificateVerification()
      Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
    • getHostName

      public String getHostName()
      The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wildcard domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used.
    • getSslProtocol

      public String getSslProtocol()
      The SSL protocol(s) to use (a single value may enable multiple protocols; see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values of the algorithm parameter when creating an SSLContext instance.
    • isInsecureRenegotiation

      public boolean isInsecureRenegotiation()
      OpenSSL only. Configures if insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring if insecure renegotiation is allowed then the default for that OpenSSL version will be used.
    • getCertificateVerificationDepth

      public int getCertificateVerificationDepth()
      The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used.
    • getProtocols

      public String getProtocols()
      The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
      • SSLv2Hello
      • SSLv3
      • TLSv1
      • TLSv1.1
      • TLSv1.2
      • TLSv1.3
      • all
      Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it from the current list. The list is built starting from an empty list.

      The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

      Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.

      Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.

      Note that SSLv2 and SSLv3 are inherently unsafe.

      If not specified, the default value of all will be used.

    • getCertificates

      List of certificates managed by the SSL host config.
    • setEnabled

      public CasEmbeddedApacheSslHostConfigProperties setEnabled(boolean enabled)
      Enable this host config.
      Returns:
      this.
    • setRevocationEnabled

      public CasEmbeddedApacheSslHostConfigProperties setRevocationEnabled(boolean revocationEnabled)
      Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used.
      Returns:
      this.
    • setCaCertificateFile

      public CasEmbeddedApacheSslHostConfigProperties setCaCertificateFile(String caCertificateFile)
      Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.
      Returns:
      this.
    • setCertificateVerification

      public CasEmbeddedApacheSslHostConfigProperties setCertificateVerification(String certificateVerification)
      Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not) it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
      Returns:
      this.
    • setHostName

      public CasEmbeddedApacheSslHostConfigProperties setHostName(String hostName)
      The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wildcard domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used.
      Returns:
      this.
    • setSslProtocol

      public CasEmbeddedApacheSslHostConfigProperties setSslProtocol(String sslProtocol)
      The SSL protocol(s) to use (a single value may enable multiple protocols; see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values of the algorithm parameter when creating an SSLContext instance.
      Returns:
      this.
    • setInsecureRenegotiation

      public CasEmbeddedApacheSslHostConfigProperties setInsecureRenegotiation(boolean insecureRenegotiation)
      OpenSSL only. Configures if insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring if insecure renegotiation is allowed then the default for that OpenSSL version will be used.
      Returns:
      this.
    • setCertificateVerificationDepth

      public CasEmbeddedApacheSslHostConfigProperties setCertificateVerificationDepth(int certificateVerificationDepth)
      The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used.
      Returns:
      this.
    • setProtocols

      public CasEmbeddedApacheSslHostConfigProperties setProtocols(String protocols)
      The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
      • SSLv2Hello
      • SSLv3
      • TLSv1
      • TLSv1.1
      • TLSv1.2
      • TLSv1.3
      • all
      Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it from the current list. The list is built starting from an empty list.

      The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

      Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.

      Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.

      Note that SSLv2 and SSLv3 are inherently unsafe.

      If not specified, the default value of all will be used.

      Returns:
      this.
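      The token rules described under getProtocols and setProtocols above, worked through as an added example (this is not CAS or Tomcat code): the list is built from an empty list, "+"/"-" prefixes add or remove, "all" expands to the documented alias, and the OpenSSL rule for SSLv2Hello is applied. It assumes an unprefixed token counts as an add, and it also reports which legacy protocols a given value leaves enabled, which is the check a reviewer wants against the "all" default.

```python
"""Resolve a Tomcat/CAS `protocols` token list into the effective protocol set."""
from __future__ import annotations

from typing import List, Optional

# The seven tokens the documentation lists, and the documented expansion of `all`.
KNOWN_TOKENS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "all"}
ALL_ALIAS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Protocols the documentation calls unsafe, plus the deprecated TLS 1.0/1.1.
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def resolve_protocols(spec: Optional[str], openssl: bool = False) -> List[str]:
    """Build the protocol list as the documentation describes.

    Starts from an empty list and applies each token in order: "+" adds,
    "-" removes, and an unprefixed token is treated as "+" (assumption).
    `all` expands to ALL_ALIAS. None or blank means the default, `all`.
    """
    if spec is None or not spec.strip():
        spec = "all"
    enabled: List[str] = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        op, name = ("-", token[1:]) if token[0] == "-" else ("+", token.lstrip("+"))
        if name not in KNOWN_TOKENS:
            raise ValueError(f"unknown protocol token: {name!r}")
        for n in (ALL_ALIAS if name == "all" else [name]):
            if op == "+" and n not in enabled:
                enabled.append(n)
            elif op == "-" and n in enabled:
                enabled.remove(n)
    if openssl:
        # SSLv2Hello is ignored for OpenSSL connectors: it is supported only
        # when more than one real protocol is configured, never for a single one.
        real = [p for p in enabled if p != "SSLv2Hello"]
        enabled = real + ["SSLv2Hello"] if len(real) > 1 else real
    return enabled


def weak_protocols(spec: Optional[str], openssl: bool = False) -> List[str]:
    """Return the unsafe or legacy protocols that a `protocols` value leaves enabled."""
    return [p for p in resolve_protocols(spec, openssl) if p in WEAK]
```

Leaving the property unset resolves to the `all` alias, so TLSv1 and TLSv1.1 stay enabled; an explicit `TLSv1.2,TLSv1.3` (or `all,-SSLv2Hello,-TLSv1,-TLSv1.1`) is what an exposed CAS connector should carry.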
    • setCertificates

      List of certificates managed by the SSL host config.
      Returns:
      this.