You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/02/02 14:01:54 UTC
[tomcat] branch 8.5.x updated: Fix BZ 65848 Revert attempt to align behaviour as root cause was config
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new a5d126c Fix BZ 65848 Revert attempt to align behaviour as root cause was config
a5d126c is described below
commit a5d126c6f36f0bac24b05925e4b011ff71d1b7f2
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Feb 2 12:16:43 2022 +0000
Fix BZ 65848 Revert attempt to align behaviour as root cause was config
https://bz.apache.org/bugzilla/show_bug.cgi?id=65848
---
.../apache/tomcat/util/net/openssl/OpenSSLContext.java | 18 ++++--------------
webapps/docs/changelog.xml | 10 ++++++++++
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 72fc840..6d98744 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -384,20 +384,10 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
}
}
} else {
- if (sslHostConfig.getCaCertificateFile() == null && sslHostConfig.getCaCertificatePath() == null) {
- // No CA certificates configured. Reject all client certificates.
- SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {
- @Override
- public boolean verify(long ssl, byte[][] chain, String auth) {
- return false;
- }
- });
- } else {
- // Client certificate verification based on trusted CA files and dirs
- SSLContext.setCACertificate(ctx,
- SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
- SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
- }
+ // Client certificate verification based on trusted CA files and dirs
+ SSLContext.setCACertificate(ctx,
+ SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+ SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
}
if (negotiableProtocols != null && negotiableProtocols.size() > 0) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6519ee6..2206c12 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,16 @@
</add>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>65848</bug>: Revert the change that attempted to align the
+ behaviour of client certificate authentication with NIO or NIO2 with
+ OpenSSL for TLS between MacOS and Linux/Windows as the root cause was
+ traced to configuration differences. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Web applications">
<changelog>
<fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org