From acb63a082e9497e3a1e2541f5e44587eada7c60b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 05 Dec 2012 17:29:39 -0500
Subject: [PATCH] Added server setting to specify keystore alias for ssl certificate (issue 98)

---
 src/com/gitblit/GitBlitServer.java |   12 ++++++++++--
 docs/04_releases.mkd               |    1 +
 distrib/gitblit.properties         |    7 +++++++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index e3d7221..ce269d2 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -1155,6 +1155,13 @@
 # RESTART REQUIRED
 server.ajpBindInterface = localhost
 
+# Alias of certificate to use for https/SSL serving.  If blank the first
+# certificate found in the keystore will be used. 
+#
+# SINCE 1.2.0
+# RESTART REQUIRED
+server.certificateAlias = localhost
+
 # Password for SSL keystore.
 # Keystore password and certificate password must match.
 # This is provided for convenience, its probably more secure to set this value
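Review bot: The comment on L20-L21 says a blank alias falls back to the first certificate in the keystore, yet the shipped value on L25 is `localhost`, so every deployment that adopts this gitblit.properties now selects a key entry by name rather than getting the documented fallback. Presumably `localhost` matches the alias of the self-signed keystore Gitblit generates, but a site that installed its own keystore under a different alias may fail to serve https after the upgrade until it edits this key. Either ship the setting blank, `server.certificateAlias =`, so the documented default is the effective one, or state in the comment that `localhost` is the alias used by the generated keystore. L21 also has a trailing space after `used.`.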
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index 52bd51e..ef8a144 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -73,6 +73,7 @@
 
 #### changes
 
+- Added server setting to specify keystore alias for ssl certificate (issue 98)
 - Added optional global and per-repository activity page commit contribution throttle to help tame *really* active repositories (issue 173)
 - Added support for symlinks in tree page and commit page (issue 171)
 - All access restricted servlets (e.g. DownloadZip, RSS, etc) will try to authenticate using X509 certificates, container principals, cookies, and BASIC headers, in that order.
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index d98f891..5eaa4c9 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -242,7 +242,7 @@
 			});
 
 			if (serverKeyStore.exists()) {		        
-				Connector secureConnector = createSSLConnector(serverKeyStore, serverTrustStore, params.storePassword,
+				Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
 						caRevocationList, params.useNIO, params.securePort, params.requireClientCertificates);
 				String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
 				if (!StringUtils.isEmpty(bindInterface)) {
@@ -413,6 +413,7 @@
 	 * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
 	 * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
 	 * 
+	 * @param certAlias
 	 * @param keyStore
 	 * @param clientTrustStore
 	 * @param storePassword
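Review bot: The new `@param certAlias` tag on L59 carries no description, and unlike the neighbouring parameters this one has a non-obvious empty-value rule: the body hunk further down only calls setCertAlias when the string is non-empty. I would write `@param certAlias alias of the key entry in keyStore to serve; null or empty leaves the SslContextFactory's alias unset` so that callers passing the Params default of "" know what they get. The Javadoc block and the method signature continue in the next hunk.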
@@ -422,7 +423,7 @@
 	 * @param requireClientCertificates
 	 * @return an https connector
 	 */
-	private static Connector createSSLConnector(File keyStore, File clientTrustStore,
+	private static Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
 			String storePassword, File caRevocationList, boolean useNIO, int port, 
 			boolean requireClientCertificates) {
 		SslContextFactory sslContext = new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH);
@@ -466,6 +467,10 @@
 		sslContext.setTrustStore(clientTrustStore.getAbsolutePath());
 		sslContext.setTrustStorePassword(storePassword);
 		sslContext.setCrlPath(caRevocationList.getAbsolutePath());
+		if (!StringUtils.isEmpty(certAlias)) {
+			logger.info("   certificate alias = " + certAlias);
+			sslContext.setCertAlias(certAlias);
+		}
 		connector.setPort(port);
 		connector.setMaxIdleTime(30000);
 		return connector;
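Review bot: The new branch on L76-L79 hands certAlias to the SslContextFactory without checking that the keystore actually contains an entry by that name, and since the properties hunk ships `server.certificateAlias = localhost` the alias is now set on every installation rather than only where an operator chose one. Whether a missing alias fails at connector start or only at the first TLS handshake depends on the Jetty version in use, which is not visible here; either way the info line on L77 does not tell the operator that the name was never found. I would open the keystore once here and warn when `containsAlias` is false, as below, leaving the existing setCertAlias call in place so a valid alias behaves exactly as in the commit; this assumes the file is in the JVM's default keystore type and that storePassword opens it, which is how the SslContextFactory is configured on the lines above.
```java
		if (!StringUtils.isEmpty(certAlias)) {
			logger.info("   certificate alias = " + certAlias);
			// surface a misconfigured alias at startup instead of at the first TLS handshake
			InputStream is = null;
			try {
				is = new FileInputStream(keyStore);
				KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
				ks.load(is, storePassword.toCharArray());
				if (!ks.containsAlias(certAlias)) {
					logger.warn("   keystore " + keyStore.getName() + " has no entry with alias " + certAlias);
				}
			} catch (Exception e) {
				logger.warn("   unable to verify certificate alias " + certAlias, e);
			} finally {
				if (is != null) {
					try { is.close(); } catch (IOException ignored) { }
				}
			}
			sslContext.setCertAlias(certAlias);
		}
		// … unchanged: connector port / idle time and return …
```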
@@ -596,6 +601,9 @@
 		@Parameter(names = "--ajpPort", description = "AJP port to serve.  (port <= 0 will disable this connector)")
 		public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
 
+		@Parameter(names = "--alias", description = "Alias of SSL certificate in keystore for serving https.")
+		public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
+
 		@Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")
 		public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
 
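Review bot: The flag name `--alias` on L87 is more generic than its sibling options and than the settings key it mirrors, `server.certificateAlias`, so on a command line it reads as if it could name any alias. JCommander accepts several names per option; `@Parameter(names = { "--certificateAlias", "--alias" }, description = "Alias of SSL certificate in keystore for serving https.")` keeps the short form working while making the flag match the key an operator will search for. The Params class continues outside the hunk.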

--
Gitblit v1.9.1