author | James Moger <james.moger@gitblit.com> | 2012-12-05 17:29:39 -0500 |
committer | James Moger <james.moger@gitblit.com> | 2012-12-05 17:29:39 -0500 |
commit | acb63a082e9497e3a1e2541f5e44587eada7c60b (patch) | |
tree | ce99d24bc7480b162c108aa1599cb9925ec8e735 | |
parent | e521a7d031fab2655ec6f8eba9876829a4d300b2 (diff) | |
download | gitblit-acb63a082e9497e3a1e2541f5e44587eada7c60b.tar.gz gitblit-acb63a082e9497e3a1e2541f5e44587eada7c60b.zip |
Added server setting to specify keystore alias for ssl certificate (issue 98)
-rw-r--r-- | distrib/gitblit.properties | 7 | ||||
-rw-r--r-- | docs/04_releases.mkd | 1 | ||||
-rw-r--r-- | src/com/gitblit/GitBlitServer.java | 12 |
3 files changed, 18 insertions, 2 deletions
diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index e3d72211..ce269d2c 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -1155,6 +1155,13 @@ server.httpsBindInterface = localhost
# RESTART REQUIRED
server.ajpBindInterface = localhost
+# Alias of certificate to use for https/SSL serving. If blank the first
+# certificate found in the keystore will be used.
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.certificateAlias = localhost
+
# Password for SSL keystore.
# Keystore password and certificate password must match.
# This is provided for convenience, its probably more secure to set this value
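Review bot: The shipped default `server.certificateAlias = localhost` does not match the comment introduced five lines above it, which documents blank as "use the first certificate in the keystore", and the `--alias` fallback in GitBlitServer.java is the empty string. An operator who replaces the bundled keystore with one whose key entry carries a different alias keeps the pinned `localhost` value and, as far as I can tell from the Java hunk, only learns of the mismatch when https connections start failing. Either ship the setting blank, `server.certificateAlias = `, so the documented fallback applies out of the box, or extend the comment to say which keystore the `localhost` alias refers to (presumably the generated self-signed one — worth confirming). The surrounding block of keystore settings continues past the hunk.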
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index 52bd51e7..ef8a1446 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -73,6 +73,7 @@ This is extreme and should be considered carefully since it affects every https
#### changes
+- Added server setting to specify keystore alias for ssl certificate (issue 98)
- Added optional global and per-repository activity page commit contribution throttle to help tame *really* active repositories (issue 173)
- Added support for symlinks in tree page and commit page (issue 171)
- All access restricted servlets (e.g. DownloadZip, RSS, etc) will try to authenticate using X509 certificates, container principals, cookies, and BASIC headers, in that order.
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index d98f8916..5eaa4c90 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -242,7 +242,7 @@ public class GitBlitServer {
});
if (serverKeyStore.exists()) {
- Connector secureConnector = createSSLConnector(serverKeyStore, serverTrustStore, params.storePassword,
+ Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
caRevocationList, params.useNIO, params.securePort, params.requireClientCertificates);
String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
if (!StringUtils.isEmpty(bindInterface)) {
@@ -413,6 +413,7 @@ public class GitBlitServer {
* SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
* oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
*
+ * @param certAlias
* @param keyStore
* @param clientTrustStore
* @param storePassword
@@ -422,7 +423,7 @@ public class GitBlitServer {
* @param requireClientCertificates
* @return an https connector
*/
- private static Connector createSSLConnector(File keyStore, File clientTrustStore,
+ private static Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
String storePassword, File caRevocationList, boolean useNIO, int port,
boolean requireClientCertificates) {
SslContextFactory sslContext = new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH);
@@ -466,6 +467,10 @@ public class GitBlitServer {
sslContext.setTrustStore(clientTrustStore.getAbsolutePath());
sslContext.setTrustStorePassword(storePassword);
sslContext.setCrlPath(caRevocationList.getAbsolutePath());
+ if (!StringUtils.isEmpty(certAlias)) {
+ logger.info(" certificate alias = " + certAlias);
+ sslContext.setCertAlias(certAlias);
+ }
connector.setPort(port);
connector.setMaxIdleTime(30000);
return connector;
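Review bot: The alias handed to `sslContext.setCertAlias(certAlias)` is never checked against the keystore, so a typo in `server.certificateAlias` (or a keystore whose key entry uses another alias) passes startup and, if I remember this Jetty SslContextFactory correctly, only surfaces as a failed TLS handshake on the first https connection, with nothing in the startup log pointing at the alias. Since the keystore file and `storePassword` are already in scope here, the connector can open the keystore once and fail fast with a message naming the alias and the file when `isKeyEntry(certAlias)` is false. The keystore type and password below are assumed to be the same ones the factory is configured with earlier in this method, which starts in the previous hunk and whose closing brace is outside this one — confirm before adopting. The same config-default concern applies to the `distrib/gitblit.properties` hunk, where the shipped value is `localhost` while the comment documents blank as the fallback.
```java
        sslContext.setCrlPath(caRevocationList.getAbsolutePath());
        if (!StringUtils.isEmpty(certAlias)) {
            // Fail at startup rather than at the first handshake when the alias is wrong.
            // Assumes the key store is of the default type and protected by storePassword.
            try {
                KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
                InputStream in = new FileInputStream(keyStore);
                try {
                    ks.load(in, storePassword.toCharArray());
                } finally {
                    in.close();
                }
                if (!ks.isKeyEntry(certAlias)) {
                    throw new IllegalStateException("no key entry with alias '" + certAlias
                            + "' in keystore " + keyStore.getAbsolutePath());
                }
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException("failed to inspect keystore " + keyStore.getAbsolutePath(), e);
            } catch (IOException e) {
                throw new IllegalStateException("failed to read keystore " + keyStore.getAbsolutePath(), e);
            }
            logger.info("   certificate alias = " + certAlias);
            sslContext.setCertAlias(certAlias);
        }
        // … unchanged: connector port, idle time, return …
```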
@@ -596,6 +601,9 @@ public class GitBlitServer {
@Parameter(names = "--ajpPort", description = "AJP port to serve. (port <= 0 will disable this connector)")
public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
+ @Parameter(names = "--alias", description = "Alias of SSL certificate in keystore for serving https.")
+ public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
+
@Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")
public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");