Author: jfrederic.clere(a)jboss.com
Date: 2011-07-04 05:12:56 -0400 (Mon, 04 Jul 2011)
New Revision: 1759
Modified:
trunk/webapps/docs/config/project.xml
trunk/webapps/docs/config/ssl.xml
Log:
Arrange ssl element part.
Modified: trunk/webapps/docs/config/project.xml
===================================================================
--- trunk/webapps/docs/config/project.xml 2011-07-04 07:57:20 UTC (rev 1758)
+++ trunk/webapps/docs/config/project.xml 2011-07-04 09:12:56 UTC (rev 1759)
@@ -23,7 +23,7 @@
<menu name="Connectors">
<item name="HTTP" href="http.html"/>
<item name="AJP" href="ajp.html"/>
- <item name="HPTTPS" href="ssl.html"/>
+ <item name="HTTPS" href="ssl.html"/>
<item name="Native"
href="native.html"/>
</menu>
Modified: trunk/webapps/docs/config/ssl.xml
===================================================================
--- trunk/webapps/docs/config/ssl.xml 2011-07-04 07:57:20 UTC (rev 1758)
+++ trunk/webapps/docs/config/ssl.xml 2011-07-04 09:12:56 UTC (rev 1759)
@@ -44,8 +44,7 @@
When present you will want to set the
<code>scheme</code> and the <code>secure</code> attributes
as well
to pass the correct <code>request.getScheme()</code> and
- <code>request.isSecure()</code> values to the servlets
- See <a href="#SSL Support">SSL Support</a> for more
information.
+ <code>request.isSecure()</code> values to the servlets.
</p>
</attribute>
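Review bot: the rewording drops the only cross-reference from the `secure` attribute to the SSL section (`See <a href="#SSL Support">SSL Support</a> for more` / `information.`) without replacing it. If that section still exists in ssl.xml, keep the link on the new `request.isSecure()` line so readers of the attribute table can find the SSL configuration; if the section was removed or renamed, the log message should say so.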
@@ -133,18 +132,16 @@
<p>You can enable SSL support for a particular instance of this
<strong>Connector</strong> by setting the <code>secure</code>
attribute to
<code>true</code>. In addition, you may need to configure the following
- attributes:</p>
+ <code>ssl</code>attributes:</p>
<attributes>
- <attribute name="algorithm" required="false">
- <p>The certificate encoding algorithm to be used. This defaults to the Sun
- implementation (<code>SunX509</code>). For IBM JVMs you should use the
- value <code>IbmX509</code>. For other vendors, consult the JVM
- documentation for the correct value.</p>
+ <attribute name="name" required="true">
+ <p>name of the <code>ssl</code> element.</p>
</attribute>
- <attribute name="clientAuth" required="false">
+ <attribute name="verify-client" required="false">
+ <p>that is OpenSSL SSLVerifyClient (optional,require,optionalNoCA,none) and
clientAuth (true=require/false=none)i</p>
<p>Set to <code>true</code> if you want the SSL stack to require
a
valid certificate chain from the client before accepting a connection.
Set to <code>want</code> if you want the SSL stack to request a client
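Review bot: the new `verify-client` description is internally inconsistent: the added paragraph lists the OpenSSL values `optional,require,optionalNoCA,none` and the legacy mapping `clientAuth (true=require/false=none)`, but the unchanged text that follows still tells the reader to set the attribute to `true` or `want`. Rewrite the remaining paragraph in terms of the new values and state which of `require`/`optional` corresponds to the old `want`. Smaller fixes in the same hunk: `<code>ssl</code>attributes` needs a space before `attributes`, the `name` description should start with a capital letter, and the stray `i` after `(true=require/false=none)` looks like a typo.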
@@ -155,78 +152,70 @@
<a href="../ssl-howto.html">SSL HowTo</a> for an
example.</p>
</attribute>
- <attribute name="keystoreFile" required="false">
+ <attribute name="verify-depth" required="false">
+ Maximum number of intermediate certificate issuers checked before deciding that the
clients
+ don't have a valid certificate.
+ The default value is "<code>10</code>".
+ </attribute>
+
+ <attribute name="certificate-key-file" required="false">
<p>The pathname of the keystore file where you have stored the
- server certificate to be loaded. By default, the pathname is
- the file "<code>.keystore</code>" in the operating system
home
+ server certificate to be loaded.
+ When using JSSE that could be the only file, with OpenSSL there several files.
+ By default, the pathname is
+ the file "<code>${user.home}/.keystore</code>" in the
operating system home
directory of the user that is running JBoss Web. If your
<code>keystoreType</code> doesn't need a file use
<code>""</code>
(empty string) for this parameter.</p>
</attribute>
- <attribute name="keystorePass" required="false">
- <p>The password used to access the server certificate from the
- specified keystore file. The default value is
"<code>changeit</code>".
+ <attribute name="certificate-file" required="false">
+ <p>Only in the OpenSSL (JSSE keystore contains both key and certificate).
+ That is the name of the file containing the server certificate.
</p>
</attribute>
-
- <attribute name="keystoreProvider" required="false">
- <p>The name of the keystore provider to be used for the server
- certificate. If not specified, the list of registered providers is
- traversed in preference order and the first provider that supports the
- <code>keystoreType</code> is used.
+ <attribute name="password" required="false">
+ <p>Password for both trustore and keystore
+ The default value is "<code>changeit</code>".
</p>
</attribute>
- <attribute name="keystoreType" required="false">
- <p>The type of keystore file to be used for the server certificate.
- If not specified, the default value is
"<code>JKS</code>".</p>
- </attribute>
-
- <attribute name="sslProtocol" required="false">
+ <attribute name="protocol" required="false">
<p>The version of the SSL protocol to use. If not specified,
- the default is "<code>TLS</code>".</p>
+ Supported values: SSLv2, SSLv3, TLSv1, SSLv2+SSLv3 and ALL.
+ the default is "<code>ALL</code>".</p>
</attribute>
<attribute name="ciphers" required="false">
- <p>A comma seperated list of the encryption ciphers that may be used.
- If not specified, then any available cipher may be used.</p>
+ <p>A comma seperated list of the encryption ciphers that may be used,
+ that MUST NOT be the JVM default in of JSSE as contains weak ciphers.
+ that is SSLCipherSuite when using OpenSSL (APR).
+ If not specified, then any available "safe" ciphers may be
used.</p>
</attribute>
- <attribute name="keyAlias" required="false">
- <p>The alias used to for the server certificate in the keystore. If not
- specified the first key read in the keystore will be used.</p>
+ <attribute name="key-alias" required="false">
+ <p>The alias used to for the server certificate in the keystore.
+ the default is "<code>tomcat</code>".</p>
</attribute>
- <attribute name="truststoreFile" required="false">
- <p>The TrustStore file to use to validate client certificates.</p>
+ <attribute name="ca-certificate-file" required="false">
+ <p>The file containing the CA certificates, truststoreFile in JSSE, note the
password it same as the keystore password.
+ The <code>ca-certificate-file</code> file to use to validate client
certificates.</p>
</attribute>
- <attribute name="truststorePass" required="false">
- <p>The password to access the TrustStore. This defaults to the value
- of <code>keystorePass</code>.</p>
+ <attribute name="ca-certificate-file" required="false">
+ <p>A file or URL to get the revocation list. (actually: crlFile is JSSE and
SSLCARevocationFile in OpenSSL)</p>
</attribute>
- <attribute name="truststoreProvider" required="false">
- <p>The name of the truststore provider to be used for the server
- certificate. If not specified, the list of registered providers is
- traversed in preference order and the first provider that supports the
- <code>truststoreType</code> is used.
- </p>
+ <attribute name="session-cache-size" required="false">
+ <p>Size of the SSLSession cache.
+ the default is <code>0</code>: Dissabled.</p>
</attribute>
- <attribute name="truststoreType" required="false">
- <p>Add this element if your are using a different format for the
- TrustStore then you are using for the KeyStore.</p>
- </attribute>
-
- <attribute name="allowUnsafeLegacyRenegotiation"
required="false">
- <p>Is unsafe legacy TLS renegotiation allowed which is likely to expose
- users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS
- protocol that allows an attacker to inject arbitrary data into the user's
- request. If not specified, a default of <code>false</code> is
used.</p>
- </attribute>
-
+ <attribute name="session-timeout" required="false">
+ <p>Timeout of a cached SSLSession.
+ the default is <code>86400</code>: 24 hours.</p>
+ </attribute>
</attributes>
<p>For more information, see the
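Review bot: the revocation-list entry reuses the attribute name `ca-certificate-file`, so this hunk now documents two attributes with that name and the CRL attribute (described as `crlFile` in JSSE and `SSLCARevocationFile` in OpenSSL) has no name of its own; give it the attribute name the connector actually reads. Two security-relevant points in the same hunk: the `protocol` entry documents a default of `ALL` that, by the listed values, includes `SSLv2` and `SSLv3`, so the text should tell administrators to restrict the value to `TLSv1` where their clients allow it; and the `allowUnsafeLegacyRenegotiation` entry, the only place that warned about CVE-2009-3555, is deleted without replacement, so if the attribute still exists it should stay documented and if it was removed the log message should say so. Smaller fixes: the `verify-depth` text is not wrapped in `<p>` like the other attributes; `certificate-key-file` still refers to `keystoreType`, which this hunk deletes; `there several files` should read `there are several files`; `comma seperated` should be `comma separated`; `Dissabled` should be `Disabled`; and `The alias used to for` should be `The alias used for`.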