Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/12/07 12:36:24 UTC

[Bug 60450] New: Setting keystore type shouldn't override the truststore type

https://bz.apache.org/bugzilla/show_bug.cgi?id=60450

            Bug ID: 60450
           Summary: Setting keystore type shouldn't override the
                    truststore type
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Util
          Assignee: dev@tomcat.apache.org
          Reporter: axel@boxfuse.com
  Target Milestone: ----

Say I have a keystore in PKCS12 format and a truststore in the default JKS
format.

By setting the keystore type (PKCS12) and NOT explicitly overriding the default
truststore type (JKS), the truststore type now also gets changed to PKCS12 and
fails to load.

This line is the issue:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java#L585

This behavior is currently very unintuitive and not documented anywhere. I
strongly believe changing the keystore type should not secretly alter the
truststore type.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 60450] Setting keystore type shouldn't override the truststore type


--- Comment #2 from Axel Fontaine <ax...@boxfuse.com> ---
Or couldn't this whole setting simply default to autodetection? After all, we
can now simply set it to JKS and this will autodetect both PKCS12 and JKS (see
https://bugs.openjdk.java.net/browse/JDK-8062552)

Therefore I believe a default of JKS should be a fine one, instead of the
current behavior where setting the keystore type to PKCS12 without overriding
the default truststore type almost invariably results in a cryptic and
hard-to-debug failure.



[Bug 60450] Setting keystore type shouldn't override the truststore type


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Auto detection is not an option. Tomcat 8.x has a minimum Java requirement of 7
where that feature is not (yet?) available. Tomcat 9 needs to run on any Java 8
version so requiring a minimum point release to support PKCS12 via auto
detection is not acceptable. Finally, not everyone uses Oracle's JSSE
implementation and we need to support all of those as well.

While looking into this I discovered that Tomcat wasn't consistently using the
key store type as the default trust store type so this needs fixing too.

I've now fixed the inconsistencies in using the key store type as the default,
ensured PKCS12 won't be used as the default and updated the docs to make clear
how the default is selected.

Fixed in:
- trunk for 9.0.0.M15 onwards
- 8.5.x for 8.5.10 onwards



[Bug 60450] Setting keystore type shouldn't override the truststore type


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
From the 8.5.x documentation:

<quote>
truststoreType  
JSSE only.

The type of key store used for the trust store. The default is the value of the
javax.net.ssl.trustStoreType system property. If that property is null, the
value of keystoreType is used as the default.
</quote>

Those docs could do with an update to make clear it is the key store type of
the default certificate that is used.

PKCS12 is somewhat of a special case since the trust store is unlikely to be in
the same format as the key store.

I'm currently leaning towards WONTFIX for the original request in this report
since the behaviour is documented and makes sense for key store types other
than PKCS12.

A possible enhancement could be for the trust store type to default to JKS if
the key store type is PKCS12. However, that would add complexity.

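An added example, not code from Tomcat or from anyone in this thread, that spells out the default-selection rule quoted in Comment #1 together with the PKCS12 exclusion Mark describes in Comment #3, and then pre-flights the resolved type against the trust store bytes so a mismatch surfaces with a message naming the type instead of a cryptic parse failure. The class and method names are mine, and the exact precedence is an assumption drawn from the comments, not Tomcat's implementation.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
public class TrustStoreTypeCheck {
    // Precedence (assumed from the quoted docs and the fix): explicit truststoreType,
    // then javax.net.ssl.trustStoreType, then the keystore type, except that PKCS12
    // is never inherited and JKS is used in its place.
    static String resolveTruststoreType(String explicitTruststoreType, String keystoreType) {
        if (explicitTruststoreType != null) {
            return explicitTruststoreType;
        }
        String fromProperty = System.getProperty("javax.net.ssl.trustStoreType");
        if (fromProperty != null) {
            return fromProperty;
        }
        if (keystoreType == null || "PKCS12".equalsIgnoreCase(keystoreType)) {
            return "JKS";
        }
        return keystoreType;
    }

    // Pre-flight: open the trust store with the resolved type and turn the low-level
    // parse error into a message that names the type that was tried.
    static KeyStore loadTrustStore(byte[] data, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (ByteArrayInputStream in = new ByteArrayInputStream(data)) {
            ks.load(in, password);
        } catch (IOException e) {
            throw new IOException("trust store could not be read as type " + type
                    + "; set truststoreType explicitly if it differs from the keystore type", e);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        // Constructed sample: an empty JKS trust store held in memory, no files needed.
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, pw);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        jks.store(out, pw);
        byte[] trustStoreBytes = out.toByteArray();
        // Keystore is PKCS12 and truststoreType is unset: the rule yields JKS, not PKCS12.
        String type = resolveTruststoreType(null, "PKCS12");
        KeyStore loaded = loadTrustStore(trustStoreBytes, type, pw);
        System.out.println("resolved truststoreType=" + type + ", entries=" + loaded.size());
    }
}
```

Running it on a JDK that lacks the autodetection from JDK-8062552 and passing "PKCS12" to loadTrustStore instead of the resolved type reproduces the failure the reporter describes, now with the attempted type in the message.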