Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/03/24 13:23:51 UTC

[tomcat] branch 8.5.x updated: Log a warning if a Connector is configured with h2 + optional cert auth

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 9869266  Log a warning if a Connector is configured with h2 + optional cert auth
9869266 is described below

commit 9869266bfff043245b39fb12ec6a23818105b8c8
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 24 13:22:31 2022 +0000

    Log a warning if a Connector is configured with h2 + optional cert auth
    
    The HTTP/2 specification (RFC 7540) explicitly disallows renegotiation
    for TLS 1.2 and RFC 8740 explicitly disallows PHA with TLS 1.3 and
    HTTP/2
---
 .../apache/tomcat/util/net/AbstractJsseEndpoint.java   |  8 ++++++++
 .../org/apache/tomcat/util/net/LocalStrings.properties |  3 ++-
 java/org/apache/tomcat/util/net/SSLHostConfig.java     | 18 ++++++++++++++----
 webapps/docs/changelog.xml                             |  6 ++++++
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 9cf780f..abbdba8 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -84,6 +84,14 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
 
     @Override
     protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException {
+
+        // HTTP/2 does not permit optional certificate authentication with any
+        // version of TLS.
+        if (sslHostConfig.getCertificateVerification().isOptional() &&
+                negotiableProtocols.contains("h2")) {
+            getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", sslHostConfig.getHostName()));
+        }
+
         boolean firstCertificate = true;
         for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
             SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
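Review bot: The new check at the top of createSSLContext only logs and then carries on building the context, so an operator who relies on optional client-certificate verification will still get a running connector in which, once h2 is negotiated, a certificate can apparently never be obtained from the client; the inline comment should say this is a warn-only check and why it cannot be enforced here, e.g. `// HTTP/2 forbids TLS renegotiation (RFC 7540) and post-handshake auth (RFC 8740), so optional certificate verification cannot be honoured once h2 is negotiated; this is a warning only, the context is still created.` Whether a hard failure would be preferable presumably depends on how many existing deployments carry this combination, which is not visible here. It is also not clear from this hunk whether negotiableProtocols is fully populated at the point createSSLContext runs; if the h2 upgrade protocol can be registered later, the warning could be missed, which is worth confirming against the caller. The body of createSSLContext continues past the end of the hunk.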
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 22a161d..1f8f1c3 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -155,6 +155,7 @@ socketWrapper.writeTimeout=Write timeout
 
 sslHostConfig.certificate.notype=Multiple certificates were specified and at least one is missing the required attribute type
 sslHostConfig.certificateVerificationInvalid=The certificate verification value [{0}] is not recognised
+sslHostConfig.certificateVerificationWithHttp2=The TLS virtual host [{0}] is configured for optional certificate verification and the enclosing connector is configured to support upgrade to h2. HTTP/2 over TLS does not permit optional certificate verification.
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being used with the [{3}] configuration syntax
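Review bot: The new sslHostConfig.certificateVerificationWithHttp2 message on the added line states the conflict but not what the operator should change, so the warning is likely to be logged and ignored. Consider ending it with the remedy, e.g. `... HTTP/2 over TLS does not permit optional certificate verification. Either set certificateVerification to required or none for this host, or remove HTTP/2 support from the connector.` The exact attribute and protocol names should be checked against the connector documentation, which is outside this diff.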
@@ -178,6 +179,6 @@ sslUtilBase.noVerificationDepth=The truststoreProvider [{0}] does not support th
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL engine : [{1}]
 sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL engine and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be insecure.
-sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
+sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted certificate with alias [{0}] were not checked as the certificate was of an unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted certificate WILL be accepted
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 56d7b6a..ed097ea 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -910,10 +910,20 @@ public class SSLHostConfig implements Serializable {
 
 
     public enum CertificateVerification {
-        NONE,
-        OPTIONAL_NO_CA,
-        OPTIONAL,
-        REQUIRED;
+        NONE(false),
+        OPTIONAL_NO_CA(true),
+        OPTIONAL(true),
+        REQUIRED(false);
+
+        private final boolean optional;
+
+        private CertificateVerification(boolean optional) {
+            this.optional = optional;
+        }
+
+        public boolean isOptional() {
+           return optional;
+        }
 
         public static CertificateVerification fromString(String value) {
             if ("true".equalsIgnoreCase(value) ||
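Review bot: The new isOptional() accessor has no Javadoc and its body on the added line is indented with 11 spaces rather than the 12 used by the surrounding enum, which will trip the project's checkstyle run if whitespace is enforced. A one-line Javadoc would make the grouping explicit: `/** @return {@code true} for the values (OPTIONAL, OPTIONAL_NO_CA) where a client may connect without presenting a certificate */`. The `private` on the enum constructor is redundant since enum constructors are implicitly private, though harmless; dropping it would match common Java style. The fromString method that follows continues beyond the end of the hunk.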
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0eb5f60..3df88a55 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,12 @@
         <pr>487</pr>: Improve logging of unknown settings frames. Pull request
         by Thomas Hoffmann. (remm)
       </fix>
+      <add>
+        <bug>65975</bug>: Add a warning if a TLS vitual host is configured with
+        optional certificate authentication and the containing connector is also
+        configured to support HTTP/2 as HTTP/2 does not permit optional
+        certificate authentication. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Jasper">
