Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/05/02 10:34:38 UTC

svn commit: r1793460 - in /tomcat/trunk: java/org/apache/tomcat/util/net/SSLHostConfig.java java/org/apache/tomcat/util/net/jsse/JSSEUtil.java webapps/docs/changelog.xml

Author: markt
Date: Tue May  2 10:34:37 2017
New Revision: 1793460

URL: http://svn.apache.org/viewvc?rev=1793460&view=rev
Log:
When a TrustManager is configured that does not support certificateVerificationDepth only log a warning about that lack of support when certificateVerificationDepth has been explicitly set.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1793460&r1=1793459&r2=1793460&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue May  2 10:34:37 2017
@@ -86,6 +86,8 @@ public class SSLHostConfig implements Se
     private String certificateRevocationListFile;
     private CertificateVerification certificateVerification = CertificateVerification.NONE;
     private int certificateVerificationDepth = 10;
+    // Used to track if certificateVerificationDepth has been explicitly set
+    private boolean certificateVerificationDepthConfigured = false;
     private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
     private LinkedHashSet<Cipher> cipherList = null;
     private List<String> jsseCipherNames = null;
@@ -286,6 +288,7 @@ public class SSLHostConfig implements Se
 
     public void setCertificateVerificationDepth(int certificateVerificationDepth) {
         this.certificateVerificationDepth = certificateVerificationDepth;
+        certificateVerificationDepthConfigured = true;
     }
 
 
@@ -294,6 +297,11 @@ public class SSLHostConfig implements Se
     }
 
 
+    public boolean isCertificateVerificationDepthConfigured() {
+        return certificateVerificationDepthConfigured;
+    }
+
+
     /**
      * Set the new cipher configuration. Note: Regardless of the format used to
      * set the configuration, it is always stored in OpenSSL format.
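Review bot: The new public accessor `isCertificateVerificationDepthConfigured()` has no Javadoc, although the next method in the hunk is documented. It is worth stating that the flag records whether the setter was ever called, not whether the value differs from the default, for example `/** @return {@code true} if {@link #setCertificateVerificationDepth(int)} has been called, even with the default value */`. The hunk starts at the closing brace of the preceding method and ends inside the Javadoc of the following one, so only the accessor itself is reviewed here.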

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1793460&r1=1793459&r2=1793460&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue May  2 10:34:37 2017
@@ -273,7 +273,10 @@ public class JSSEUtil extends SSLUtilBas
                 if (crlf != null && crlf.length() > 0) {
                     throw new CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
                 }
-                log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));
+                // Only warn if the attribute has been explicitly configured
+                if (sslHostConfig.isCertificateVerificationDepthConfigured()) {
+                    log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));
+                }
             }
         }
 
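Review bot: With the new guard around `log.warn(...)`, a host that leaves `certificateVerificationDepth` at its default of 10 gets no log signal at all that the selected TrustManager algorithm does not apply a depth limit. An operator relying on that default has nothing to tell them it is not enforced. Consider keeping a lower-level message for the unconfigured case, e.g. `} else if (log.isDebugEnabled()) { log.debug(sm.getString("jsseUtil.noVerificationDepth", algorithm)); }`, and documenting on the attribute that the default only takes effect with trust managers that support it. The enclosing method and the condition that selects this branch are outside the hunk, so which algorithms reach it is inferred from the message keys.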

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1793460&r1=1793459&r2=1793460&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue May  2 10:34:37 2017
@@ -85,6 +85,16 @@
       </scode>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        When a <code>TrustManager</code> is configured that does not support
+        <code>certificateVerificationDepth</code> only log a warning about that
+        lack of support when <code>certificateVerificationDepth</code> has been
+        explicitly set. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <fix>


