Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/01/14 16:58:50 UTC
DO NOT REPLY [Bug 48545] New: truststorePass used in
JSSESocketFactory should be optional (nillable)
https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
Summary: truststorePass used in JSSESocketFactory should be
optional (nillable)
Product: Tomcat 6
Version: 6.0.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: smmwpf54@postfinance.ch
Created an attachment (id=24845)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24845)
Patched JSSESocketFactory.java based on Tomcat 6.0.20
For the moment, a user must set the "truststorePass" in the SSL connector, even
if this is not required by the JSSE API (KeyStore.load() with null password is
possible for truststores) and is also unwanted in a production environment with
"real" truststores, because this may give someone the possibility to manipulate
a productive truststore file or give more information than needed.
If the "truststorePass" is not set in the connector element, the current
implementation will use the "keystorePass" as the value for "truststorePass"
(strange wrong behaviour) and this will lead to an exception.
Proposal: do not set the "truststorePass" if omitted, leave it with null and
the SSL connector still works.
This should also not affect old Tomcat configurations, where the truststore
password is equal to the keystore password.
See my attached JSSESocketFactory patch (based on 6.0.20).
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 48545] truststorePass used in JSSESocketFactory
should be optional (nillable)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> 2010-11-08 03:25:58 EST ---
Created an attachment (id=26268)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=26268)
2010-11-08_tc6_bug48545.patch - Updated version of the patch
I'm attaching a slightly improved version of Mark's patch. The changes are:
- Do not retry with null password if the password was already null, or if there
was a FileNotFoundException.
- Log the "jsse.keystore_load_failed" message in getKeystore() and
getTrustStore(), when getStore() does not log it anymore.
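The behaviour reported in the original description and the retry rule listed in Comment #3, as an added stand-alone Java example (not the attached patches and not Tomcat's JSSESocketFactory code). The class name, the StoreSource interface, the passwords and the empty in-memory JKS store are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class TrustStoreLoadDemo {
    // Hypothetical stand-in for opening the truststore file.
    interface StoreSource { InputStream open() throws IOException; }

    // One load attempt. With a null password JKS skips its integrity check.
    static KeyStore loadOnce(StoreSource src, char[] pass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = src.open()) { ks.load(in, pass); }
        return ks;
    }

    // Retry once with a null password, except when the password was already
    // null or the store file does not exist (the two cases from Comment #3).
    static KeyStore load(StoreSource src, char[] pass)
            throws IOException, GeneralSecurityException {
        try {
            return loadOnce(src, pass);
        } catch (FileNotFoundException e) {
            throw e;                     // a missing file cannot be fixed by retrying
        } catch (IOException e) {
            if (pass == null) throw e;   // nothing weaker left to try
            return loadOnce(src, null);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS store protected with "trustpw".
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, "trustpw".toCharArray());
        byte[] bytes = out.toByteArray();
        StoreSource src = () -> new ByteArrayInputStream(bytes);

        // keystorePass reused as truststorePass: a single attempt throws.
        try { loadOnce(src, "keypw".toCharArray()); }
        catch (IOException e) { System.out.println("wrong password: " + e.getMessage()); }
        System.out.println("null password: " + loadOnce(src, null).size() + " entries");
        System.out.println("with retry: " + load(src, "keypw".toCharArray()).size() + " entries");
        try { load(() -> { throw new FileNotFoundException("missing.jks"); }, "x".toCharArray()); }
        catch (FileNotFoundException e) { System.out.println("not retried: " + e.getMessage()); }
    }
}
```

Because a null password disables the JKS integrity check, a truststore loaded this way relies on file-system permissions alone to detect tampering.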
DO NOT REPLY [Bug 48545] truststorePass used in JSSESocketFactory
should be optional (nillable)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
--- Comment #1 from Mark Thomas <ma...@apache.org> 2010-02-15 17:17:34 UTC ---
Thanks for the patch. It has been applied to 7.0.x and proposed for 6.0.x.
For future reference, please provide patches in diff -u format as they are
easier to work with. Also, patches should update documentation where
appropriate and should delete code rather than comment it out.
DO NOT REPLY [Bug 48545] truststorePass used in JSSESocketFactory
should be optional (nillable)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
Mark Thomas <ma...@apache.org> changed:
What                          |Removed |Added
----------------------------------------------------------------------------
Attachment #24845 is obsolete |0       |1
--- Comment #2 from Mark Thomas <ma...@apache.org> 2010-08-05 12:49:56 EDT ---
Created an attachment (id=25848)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=25848)
Patch that provides better backwards compatibility
DO NOT REPLY [Bug 48545] truststorePass used in JSSESocketFactory
should be optional (nillable)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #4 from Mark Thomas <ma...@apache.org> 2010-11-25 11:03:09 EST ---
The updated patch has been applied to 6.0.x and will be included in 6.0.30
onwards.
DO NOT REPLY [Bug 48545] truststorePass used in JSSESocketFactory
should be optional (nillable)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
smmwpf54@postfinance.ch changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |smmwpf54@postfinance.ch