Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/03/25 16:06:22 UTC

[Bug 57759] New: keyAlias definition is incorrect, does not appear to work properly

https://bz.apache.org/bugzilla/show_bug.cgi?id=57759

            Bug ID: 57759
           Summary: keyAlias definition is incorrect, does not appear to
                    work properly
           Product: Tomcat 7
           Version: trunk
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: andrewlanecarr@gmail.com

keyAlias Definition from: 

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

The alias used for the server certificate in the keystore. If not specified
the first key read in the keystore will be used.

Wouldn't this lead you to believe if no alias is specified it will use the
first key in the keystore?  This is not the case.

Steps to recreate:

Create a keystore using the recommended method: 

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

(This will generate ${user.home}/.keystore if it does not exist.  If it does,
specify the keystore value.)

Start tomcat with the default SSL connector defined, no "keyAlias" value
specified, and the keystore we created previously specified as the keystoreFile.

It will use the cert in the file.

Add another cert (specify different name and values to differentiate between
the two) to the keystore with :

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat2 -keyalg RSA

Shutdown and restart the tomcat instance.

Access the SSL site "localhost:8443", inspect the cert.  You will see it is not
the first certificate in the keystore like the document leads you to believe,
but the last one added, no matter how many you add.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [Bug 57759] Clarify keyAlias definition to reduce likelihood of readers making invalid assumptions

Posted by Mark Thomas <ma...@apache.org>.
On 29/03/2015 22:49, Andrew Carr wrote:
> You want me to do the backport?

Thanks for the offer but I have already done it (doc back-ports are
usually easy since the docs are generally consistent between versions).

> Do you do it for all versions that the
> keyAlias setting applies to? 

How far back to back-port is a judgement call.

As a minimum, any fix needs to be back-ported as far as the version the
issue was reported in.

We only support back as far as 6.0.x so we never back-port further than
that.

Beyond that, whether or not to back-port depends on how serious the
problem is vs how invasive the patch is.

Mark


> 
> On Sat, Mar 28, 2015 at 4:53 PM, <bu...@apache.org> wrote:
> 
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57759
>>
>> --- Comment #4 from Mark Thomas <ma...@apache.org> ---
>> This is the right place and the patch looks good - it was just a couple of
>> hours late.
>>
>> Generally, patches should be against trunk and the committers will
>> back-port
>> them as necessary but any patch is helpful.
>>
> 
> 




Re: [Bug 57759] Clarify keyAlias definition to reduce likelihood of readers making invalid assumptions

Posted by Andrew Carr <an...@gmail.com>.
You want me to do the backport?  Do you do it for all versions that the
keyAlias setting applies to?  or back to 5.5/6?

On Sat, Mar 28, 2015 at 4:53 PM, <bu...@apache.org> wrote:

> https://bz.apache.org/bugzilla/show_bug.cgi?id=57759
>
> --- Comment #4 from Mark Thomas <ma...@apache.org> ---
> This is the right place and the patch looks good - it was just a couple of
> hours late.
>
> Generally, patches should be against trunk and the committers will
> back-port
> them as necessary but any patch is helpful.
>


-- 
With Regards,
Andrew Carr


[Bug 57759] Clarify keyAlias definition to reduce likelihood of readers making invalid assumptions

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57759

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
This is the right place and the patch looks good - it was just a couple of
hours late.

Generally, patches should be against trunk and the committers will back-port
them as necessary but any patch is helpful.



[Bug 57759] Clarify keyAlias definition to reduce likelihood of readers making invalid assumptions

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57759

Andrew Lane Carr <an...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrewlanecarr@gmail.com

--- Comment #3 from Andrew Lane Carr <an...@gmail.com> ---
Created attachment 32620
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32620&action=edit
Proposed patch to the documentation.

This is my first time patching the documentation.  Should I have placed this
patch somewhere else?



[Bug 57759] Clarify keyAlias definition to reduce likelihood of readers making invalid assumptions

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57759

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
            Summary|keyAlias definition is      |Clarify keyAlias definition
                   |incorrect, does not appear  |to reduce likelihood of
                   |to work properly            |readers making invalid
                   |                            |assumptions

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
(In reply to Andrew Lane Carr from comment #0)
> keyAlias Definition from: 
> 
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
> 
> The alias used for the server certificate in the keystore. If not
> specified the first key read in the keystore will be used.
> 
> Wouldn't this lead you to believe if no alias is specified it will use the
> first key in the keystore?

No. The documentation states the first key read from the keystore is used. It
makes no statements regarding the relationship between the order the keys were
added to the store, the order the keys are stored in the store (if such a
concept makes sense - depending on the keystore it may not) and the order the
keys are read from the keystore. All of which will depend on the
implementation.

We can add a note to the documentation to clarify the above to reduce the
chances of future users making such invalid assumptions.

Generally, unless there is only a single key in the key store, it is advisable
to specify an alias. This advice can be added to the docs as well.

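An audit check for the situation the report and comment #1 describe (an added example, not Tomcat's own code): it loads a keystore, lists the key entries in the order KeyStore.aliases() enumerates them, and warns when there is more than one, which is exactly when keyAlias should be set. It assumes, as the thread does, that a Connector without keyAlias ends up with the first key entry read; the class and helper names are my own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Lists a keystore's key entries in KeyStore.aliases() order and flags the
 *  case this thread describes: several key entries and no keyAlias configured. */
public class KeyAliasAudit {
    /** Aliases that hold a private key, in the order the keystore yields them. */
    public static List<String> keyEntryAliases(KeyStore ks) throws Exception {
        List<String> keys = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keys.add(alias);
            }
        }
        return keys;
    }
    /** Verdict for a connector with no keyAlias, assuming (as the thread does)
     *  that it takes the first key entry read; that order is not guaranteed. */
    public static String verdict(List<String> keys) {
        if (keys.size() <= 1) {
            return "At most one key entry (" + keys.size() + "): nothing to disambiguate, keyAlias is optional.";
        }
        return "WARNING: " + keys.size() + " key entries; without keyAlias the choice is"
                + " implementation-dependent (first read here: " + keys.get(0) + "). Set keyAlias.";
    }
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyAliasAudit <keystoreFile> <password> [type]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> keys = keyEntryAliases(ks);
        for (String alias : keys) {
            // Show the subject so the entry can be matched against what the browser presents.
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(no X.509 cert)";
            System.out.println(alias + " -> " + subject);
        }
        System.out.println(verdict(keys));
    }
}
```

Run it against the keystore built in the report (the ${user.home}/.keystore holding the aliases tomcat and tomcat2) to see the order your JDK actually yields; on the Connector side the fix is simply keyAlias="tomcat" or keyAlias="tomcat2".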


[Bug 57759] Clarify keyAlias definition to reduce likelihood of readers making invalid assumptions

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57759

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Fixed in trunk, 8.0.x (for 8.0.22 onwards), 7.0.x (for 7.0.62 onwards) and
6.0.x (for 6.0.44 onwards).
