Class CasEmbeddedApacheSslHostConfigProperties
All Implemented Interfaces: Serializable
Since: 5.3.0

Constructor Summary
- CasEmbeddedApacheSslHostConfigProperties()
Method Summary
- String getCaCertificateFile(): Name of the file that contains the concatenated certificates for the trusted certificate authorities.
- List<CasEmbeddedApacheSslHostConfigCertificateProperties> getCertificates(): List of certificates managed by the ssl host config.
- String getCertificateVerification(): Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.
- int getCertificateVerificationDepth(): The maximum number of intermediate certificates that will be allowed when validating client certificates.
- String getHostName(): The name of the SSL Host.
- String getProtocols(): The names of the protocols to support when communicating with clients.
- String getSslProtocol(): The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details).
- boolean isEnabled(): Enable this host config.
- boolean isInsecureRenegotiation(): OpenSSL only.
- boolean isRevocationEnabled(): Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means.
- CasEmbeddedApacheSslHostConfigProperties setCaCertificateFile(String caCertificateFile): Name of the file that contains the concatenated certificates for the trusted certificate authorities.
- CasEmbeddedApacheSslHostConfigProperties setCertificates(List<CasEmbeddedApacheSslHostConfigCertificateProperties> certificates): List of certificates managed by the ssl host config.
- CasEmbeddedApacheSslHostConfigProperties setCertificateVerification(String certificateVerification): Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.
- CasEmbeddedApacheSslHostConfigProperties setCertificateVerificationDepth(int certificateVerificationDepth): The maximum number of intermediate certificates that will be allowed when validating client certificates.
- CasEmbeddedApacheSslHostConfigProperties setEnabled(boolean enabled): Enable this host config.
- CasEmbeddedApacheSslHostConfigProperties setHostName(String hostName): The name of the SSL Host.
- CasEmbeddedApacheSslHostConfigProperties setInsecureRenegotiation(boolean insecureRenegotiation): OpenSSL only.
- CasEmbeddedApacheSslHostConfigProperties setProtocols(String protocols): The names of the protocols to support when communicating with clients.
- CasEmbeddedApacheSslHostConfigProperties setRevocationEnabled(boolean revocationEnabled): Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means.
- CasEmbeddedApacheSslHostConfigProperties setSslProtocol(String sslProtocol): The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details).

Constructor Details
- CasEmbeddedApacheSslHostConfigProperties
public CasEmbeddedApacheSslHostConfigProperties()

Method Details
isEnabled
public boolean isEnabled()
Enable this host config.

isRevocationEnabled
public boolean isRevocationEnabled()
Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used.

getCaCertificateFile
Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.

getCertificateVerification
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not), it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

getHostName
The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wildcard domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used.

getSslProtocol
The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance.

isInsecureRenegotiation
public boolean isInsecureRenegotiation()
OpenSSL only. Configures whether insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring whether insecure renegotiation is allowed, the default for that OpenSSL version will be used.

getCertificateVerificationDepth
public int getCertificateVerificationDepth()
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used.
getProtocols
The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
- TLSv1.3
- all
The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.
Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.
Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector, it will always support SSLv2Hello. If a single protocol is specified, it will not support SSLv2Hello.
Note that SSLv2 and SSLv3 are inherently unsafe.
If not specified, the default value of all will be used.
getCertificates
List of certificates managed by the ssl host config.
setEnabled
Enable this host config.
Returns: this

setRevocationEnabled
Should the JSSE provider enable certificate revocation checks? This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. If not specified, a default of false is used.
Returns: this

setCaCertificateFile
Name of the file that contains the concatenated certificates for the trusted certificate authorities. The format is PEM-encoded.
Returns: this

setCertificateVerification
public CasEmbeddedApacheSslHostConfigProperties setCertificateVerification(String certificateVerification)
Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs. If the TLS provider doesn't support this option (OpenSSL does, JSSE does not), it is treated as if optional was specified. A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
Returns: this

setHostName
The name of the SSL Host. This should either be the fully qualified domain name (e.g. tomcat.apache.org) or a wildcard domain name (e.g. *.apache.org). If not specified, the default value of _default_ will be used.
Returns: this

setSslProtocol
The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance.
Returns: this

setInsecureRenegotiation
public CasEmbeddedApacheSslHostConfigProperties setInsecureRenegotiation(boolean insecureRenegotiation)
OpenSSL only. Configures whether insecure renegotiation is allowed. The default is false. If the OpenSSL version used does not support configuring whether insecure renegotiation is allowed, the default for that OpenSSL version will be used.
Returns: this

setCertificateVerificationDepth
public CasEmbeddedApacheSslHostConfigProperties setCertificateVerificationDepth(int certificateVerificationDepth)
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used.
Returns: this

setProtocols
The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
- TLSv1.3
- all
The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.
Note that TLSv1.3 is only supported for JSSE when using a JVM that implements TLSv1.3.
Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector, it will always support SSLv2Hello. If a single protocol is specified, it will not support SSLv2Hello.
Note that SSLv2 and SSLv3 are inherently unsafe.
If not specified, the default value of all will be used.
Returns: this

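The protocol rules stated for getProtocols and setProtocols above (the permitted tokens, the expansion of all, the OpenSSL handling of SSLv2Hello, and the note that SSLv2 and SSLv3 are unsafe) are easy to get wrong when reviewing a deployment, because the default all still offers TLSv1 and TLSv1.1. The following standalone Java class is an added example, not code from CAS or Tomcat: it expands a candidate protocols value into the set a connector would actually offer and reports what a reviewer should flag before the value is handed to setProtocols. The class name SslHostProtocolsCheck, the comma/whitespace token separator and the sample values in main are assumptions; the token list and the OpenSSL behaviour are taken from the page.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not part of CAS): evaluates a value intended for
 * CasEmbeddedApacheSslHostConfigProperties#setProtocols using the rules the
 * page states, so the effective protocol set can be reviewed before deployment.
 */
public final class SslHostProtocolsCheck {

    /** Tokens the page lists as permitted for the protocols attribute. */
    private static final Set<String> PERMITTED = new LinkedHashSet<>(Arrays.asList(
            "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "all"));

    /** Expansion of the alias "all" exactly as the page gives it. */
    private static final List<String> ALL_ALIAS = Arrays.asList(
            "SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    /** Versions the page calls inherently unsafe. */
    private static final Set<String> UNSAFE = new LinkedHashSet<>(Arrays.asList("SSLv2", "SSLv3"));

    private SslHostProtocolsCheck() {
    }

    /**
     * Expand the configured value into the protocol versions the connector will
     * actually offer. A null or blank value means the page's default of "all".
     * Assumption: tokens are separated by commas and/or whitespace (the page does
     * not spell out the separator).
     */
    public static List<String> effectiveProtocols(String protocols, boolean openSsl) {
        String value = (protocols == null || protocols.trim().isEmpty()) ? "all" : protocols.trim();
        Set<String> tokens = new LinkedHashSet<>();
        for (String token : value.split("[,\\s]+")) {
            if (token.isEmpty()) {
                continue;
            }
            if (!PERMITTED.contains(token)) {
                throw new IllegalArgumentException("Unknown protocol token: " + token);
            }
            if ("all".equals(token)) {
                tokens.addAll(ALL_ALIAS);
            } else {
                tokens.add(token);
            }
        }
        if (openSsl) {
            // Page: OpenSSL ignores a configured SSLv2Hello and adds it itself whenever
            // more than one protocol is configured; a single protocol never gets it.
            tokens.remove("SSLv2Hello");
            if (tokens.size() > 1) {
                tokens.add("SSLv2Hello");
            }
        }
        return new ArrayList<>(tokens);
    }

    /** Review findings for the effective set; an empty list means nothing to flag. */
    public static List<String> findings(String protocols, boolean openSsl) {
        List<String> effective = effectiveProtocols(protocols, openSsl);
        List<String> out = new ArrayList<>();
        for (String p : effective) {
            if (UNSAFE.contains(p)) {
                out.add(p + " is inherently unsafe (page note); remove it from the list");
            }
        }
        // TLSv1 and TLSv1.1 are deprecated by RFC 8996; the page's default "all"
        // still includes them, so an explicit list is the usual hardening step.
        if (effective.contains("TLSv1") || effective.contains("TLSv1.1")) {
            out.add("TLSv1/TLSv1.1 offered; the default all includes them, prefer an explicit list such as TLSv1.2,TLSv1.3");
        }
        return Collections.unmodifiableList(out);
    }

    public static void main(String[] args) {
        // Constructed sample values: the page's default, a tightened list, and a bad one.
        for (String candidate : new String[] {"all", "TLSv1.2,TLSv1.3", "SSLv3,TLSv1.2"}) {
            System.out.println(candidate + " (JSSE)    -> " + effectiveProtocols(candidate, false));
            System.out.println(candidate + " (OpenSSL) -> " + effectiveProtocols(candidate, true));
            for (String f : findings(candidate, false)) {
                System.out.println("  finding: " + f);
            }
        }
    }
}
```

The value that passes with no findings ("TLSv1.2,TLSv1.3" in the sample) is the one to pass to setProtocols; on an OpenSSL based connector the class shows SSLv2Hello being added back for that two-entry list, which is the page's documented behaviour and not something the configured string controls.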
setCertificates
public CasEmbeddedApacheSslHostConfigProperties setCertificates(List<CasEmbeddedApacheSslHostConfigCertificateProperties> certificates)
List of certificates managed by the ssl host config.
Returns: this