From: James Moger Date: Wed, 5 Dec 2012 22:29:39 +0000 (-0500) Subject: Added server setting to specify keystore alias for ssl certificate (issue 98) X-Git-Tag: v1.2.0~21 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=acb63a082e9497e3a1e2541f5e44587eada7c60b;p=gitblit.git Added server setting to specify keystore alias for ssl certificate (issue 98)
---
diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index e3d72211..ce269d2c 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -1155,6 +1155,13 @@ server.httpsBindInterface = localhost
 # RESTART REQUIRED
 server.ajpBindInterface = localhost
+# Alias of certificate to use for https/SSL serving. If blank the first
+# certificate found in the keystore will be used.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.certificateAlias = localhost
+
 # Password for SSL keystore.
 # Keystore password and certificate password must match.
 # This is provided for convenience, its probably more secure to set this value
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index 52bd51e7..ef8a1446 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -73,6 +73,7 @@ This is extreme and should be considered carefully since it affects every https
 #### changes
+- Added server setting to specify keystore alias for ssl certificate (issue 98)
 - Added optional global and per-repository activity page commit contribution throttle to help tame *really* active repositories (issue 173)
 - Added support for symlinks in tree page and commit page (issue 171)
 - All access restricted servlets (e.g. DownloadZip, RSS, etc) will try to authenticate using X509 certificates, container principals, cookies, and BASIC headers, in that order.
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index d98f8916..5eaa4c90 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
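Review bot: The shipped default `server.certificateAlias = localhost` in this hunk only works if the keystore really holds a key entry under that alias, while the code path for an absent key defaults to the empty string (the `--alias` parameter added in GitBlitServer.java), so the template and a fresh install without this key behave differently; if the keystore Gitblit generates does not use the alias `localhost`, https would fail on a clean deployment — worth confirming, and shipping the key blank otherwise. The comment's "first certificate found in the keystore" is also not a stable choice once a keystore holds more than one key entry, since which entry comes first depends on the store rather than on the administrator, and the comment could say so: `# Set this explicitly when the keystore holds more than one key entry; the "first" entry is not guaranteed to be the one you intend.`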
@@ -242,7 +242,7 @@ public class GitBlitServer {
 });
 if (serverKeyStore.exists()) {
- Connector secureConnector = createSSLConnector(serverKeyStore, serverTrustStore, params.storePassword,
+ Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
 caRevocationList, params.useNIO, params.securePort, params.requireClientCertificates);
 String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
 if (!StringUtils.isEmpty(bindInterface)) {
@@ -413,6 +413,7 @@ public class GitBlitServer {
 * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
 * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
 *
+ * @param certAlias
 * @param keyStore
 * @param clientTrustStore
 * @param storePassword
@@ -422,7 +423,7 @@ public class GitBlitServer {
 * @param requireClientCertificates
 * @return an https connector
 */
- private static Connector createSSLConnector(File keyStore, File clientTrustStore,
+ private static Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
 String storePassword, File caRevocationList, boolean useNIO, int port,
 boolean requireClientCertificates) {
 SslContextFactory sslContext = new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH);
@@ -466,6 +467,10 @@ public class GitBlitServer {
 sslContext.setTrustStore(clientTrustStore.getAbsolutePath());
 sslContext.setTrustStorePassword(storePassword);
 sslContext.setCrlPath(caRevocationList.getAbsolutePath());
+ if (!StringUtils.isEmpty(certAlias)) {
+ logger.info(" certificate alias = " + certAlias);
+ sslContext.setCertAlias(certAlias);
+ }
 connector.setPort(port);
 connector.setMaxIdleTime(30000);
 return connector;
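Review bot: The new `@param certAlias` tag in the javadoc hunk has no description, so a caller cannot tell from the signature what an empty value means; `@param certAlias alias of the key entry in keyStore to serve; null or empty leaves the choice to the SslContextFactory (per gitblit.properties, the first entry found)` would close that gap. The rest of createSSLConnector's javadoc and its body lie outside this hunk.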
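Review bot: `sslContext.setCertAlias(certAlias)` in the last hunk is applied without checking that the alias exists in `keyStore`, so a typo in `server.certificateAlias` is not caught at startup; with an alias-selecting key manager the mismatch would presumably surface only as TLS handshake failures on the first https request, which is hard to diagnose from the client side. Since the keystore file and its password are already parameters of this method, the alias can be verified against the store before it is set and the server can refuse to start (or at least log an error) on a bad alias; the rewritten guard is below, written without try-with-resources in case the code base still targets Java 6. It assumes the keystore type is the JVM default — confirm against the type Gitblit generates. createSSLConnector begins outside this hunk.
```java
if (!StringUtils.isEmpty(certAlias)) {
	logger.info(" certificate alias = " + certAlias);
	// Fail fast: an alias that is not a key entry in the keystore would otherwise
	// only show up as handshake failures once the connector is serving.
	InputStream in = null;
	try {
		// TODO confirm: assumes the store Gitblit generates uses the JVM default type
		KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
		in = new FileInputStream(keyStore);
		ks.load(in, storePassword.toCharArray());
		if (!ks.isKeyEntry(certAlias)) {
			throw new IllegalStateException("keystore " + keyStore.getAbsolutePath()
					+ " has no key entry for alias \"" + certAlias + "\"");
		}
	} catch (IOException e) {
		throw new IllegalStateException("failed to verify certificate alias \"" + certAlias + "\"", e);
	} catch (GeneralSecurityException e) {
		throw new IllegalStateException("failed to verify certificate alias \"" + certAlias + "\"", e);
	} finally {
		if (in != null) {
			try { in.close(); } catch (IOException ignored) { /* store already read */ }
		}
	}
	sslContext.setCertAlias(certAlias);
}
// … unchanged: connector.setPort(port) … return connector; …
```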
@@ -596,6 +601,9 @@ public class GitBlitServer {
 @Parameter(names = "--ajpPort", description = "AJP port to serve. (port <= 0 will disable this connector)")
 public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
+ @Parameter(names = "--alias", description = "Alias of SSL certificate in keystore for serving https.")
+ public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
+
 @Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")
 public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
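Review bot: The new flag is named `--alias` while the setting it mirrors is `server.certificateAlias`; the neighbouring flags in this hunk take their names from their settings (`--ajpPort` ↔ `server.ajpPort`, `--storePassword` ↔ `server.storePassword`), so `@Parameter(names = "--certificateAlias", description = "Alias of SSL certificate in keystore for serving https.")` would keep that convention before the flag name is released. The code default of `""` also differs from the `localhost` shipped in gitblit.properties in this same commit, which is worth aligning so a missing key and the template behave the same. The enclosing parameter class continues outside the hunk.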