Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/03/01 08:38:11 UTC

[Bug 62146] New: Support to add customized KeyManager like "trustManagerClassName" did.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62146

            Bug ID: 62146
           Summary: Support to add customized KeyManager like
                    "trustManagerClassName" did.
           Product: Tomcat 7
           Version: trunk
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: 18616998458@163.com
  Target Milestone: ---

Tomcat already supports "trustManagerClassName" to let users add a customized
TrustManager. It would be better to let Tomcat support a customized KeyManager
too, via "keyManagerClassName".

We're trying to let Tomcat 7 support hot reloading of the keystore file when
the keystore file gets changed. One possible way is: add a customized
KeyManager to watch for file changes and reload it then. But current Tomcat 7
has no straightforward way to do it. If a mechanism to add a customized
KeyManager were introduced, the problem could be resolved.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
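As an added illustration of the mechanism the report describes (this is not the reporter's PR and not Tomcat code): a KeyManager that wraps the JDK's default X509 key manager and rebuilds it whenever the keystore file's last-modified time changes, so that a rotated certificate is picked up on the next handshake without a restart. The class name, the constructor arguments and the "PKCS12" keystore type are assumptions. A class loaded through the proposed keyManagerClassName attribute would presumably need a no-argument constructor, since that is how Tomcat 7 instantiates the class named by trustManagerClassName, and would then have to obtain the keystore path and password from elsewhere (for example system properties).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Hypothetical example: an X509ExtendedKeyManager that re-reads the keystore
 * when the file's modification time changes. Every call is delegated to the
 * JDK key manager built from the most recently loaded keystore.
 */
public final class ReloadingKeyManager extends X509ExtendedKeyManager {

    private final Path keystorePath;
    private final char[] password;
    private final String type;
    private volatile FileTime loadedAt;               // mtime of the keystore we last loaded
    private volatile X509ExtendedKeyManager delegate; // key manager built from that keystore

    public ReloadingKeyManager(Path keystorePath, char[] password, String type)
            throws IOException, GeneralSecurityException {
        this.keystorePath = keystorePath;
        this.password = password.clone();
        this.type = type;
        reload(); // fail fast at startup if the keystore cannot be read
    }

    /** Returns the current delegate, reloading first if the file changed on disk. */
    private X509ExtendedKeyManager current() {
        try {
            FileTime now = Files.getLastModifiedTime(keystorePath);
            if (!now.equals(loadedAt)) {
                synchronized (this) {
                    if (!now.equals(loadedAt)) {
                        reload();
                    }
                }
            }
        } catch (IOException | GeneralSecurityException e) {
            // A half-written or corrupt file must not take the listener down:
            // keep serving with the last good key until a later load succeeds.
            System.err.println("keystore reload failed, keeping previous keys: " + e);
        }
        return delegate;
    }

    /** Loads the keystore and swaps in a new delegate; the old one stays if anything throws. */
    private synchronized void reload() throws IOException, GeneralSecurityException {
        FileTime stamp = Files.getLastModifiedTime(keystorePath);
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509ExtendedKeyManager found = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                found = (X509ExtendedKeyManager) km;
                break;
            }
        }
        if (found == null) {
            throw new GeneralSecurityException("no X509ExtendedKeyManager for " + keystorePath);
        }
        delegate = found;
        loadedAt = stamp;
    }

    // Every X509KeyManager / X509ExtendedKeyManager method just consults the live delegate.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return current().getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return current().chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return current().getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return current().chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return current().getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return current().getPrivateKey(alias); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return current().chooseEngineClientAlias(keyType, issuers, engine); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return current().chooseEngineServerAlias(keyType, issuers, engine); }

    // Stand-alone check: java ReloadingKeyManager /path/to/keystore.p12 changeit
    public static void main(String[] args) throws Exception {
        ReloadingKeyManager km = new ReloadingKeyManager(Paths.get(args[0]), args[1].toCharArray(), "PKCS12");
        System.out.println("server aliases: " + Arrays.toString(km.getServerAliases("RSA", null)));
    }
}
```

Three practical points follow from this design. First, the reload is lazy: it happens on the first handshake after the file changes, and a load failure (for example a keystore that is still being written) keeps the previous keys rather than breaking TLS, so the rotation job should write the new keystore to a temporary file and rename it into place, which makes the mtime change and the content change atomic. Second, JSSE calls chooseServerAlias and then getPrivateKey/getCertificateChain as separate calls during one handshake; if the alias name in the new keystore differs from the old one, a reload between those two calls returns null for the old alias and that single handshake fails, so keep the alias stable across rotations. Third, since the private key and password are held in memory for the life of the connector, this is no worse than Tomcat's own keystore handling, but the password array should be treated with the same care as the keystorePass attribute.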


[Bug 62146] Support to add customized KeyManager like "trustManagerClassName" did.

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62146

--- Comment #6 from Wang, Simon <18...@163.com> ---
And is it possible to port reloadHostConfigs logic to 7.x?

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
The patch looks OK. I don't see any reason why it wouldn't be safe to use in
production.

One minor comment is that it refers to local String
"jsse.invalidKeyManagerClassName" that doesn't exist.

Back-porting the reloading from 8.5.x isn't an option as it depends on some
major factoring that took place in 8.5.x.

I don't think we should add this feature to 7.0.x.
Adding the feature to 7.0.x would create the expectation that the feature would
also exist in 8.5.x onwards and there is - currently - no use case for this
feature in 8.5.x onwards.

I am therefore resolving this as WONTFIX.

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
TLS config reloading implementation in AbstractEndpoint. See
reloadSslHostConfigs() etc.
Exposed via JMX and the Manager app.

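To make that pointer concrete, here is an added example (not from the thread and not Tomcat code) of triggering the 8.5.x reload remotely through JMX rather than through the Manager app. It assumes a Tomcat 8.5.x instance with remote JMX enabled on port 9010 and the credentials shown, and an HTTPS connector whose endpoint MBean is registered as Catalina:type=ThreadPool,name="https-jsse-nio-8443"; the connector name is whatever your server.xml produces, and the reloadSslHostConfigs operation is the one from AbstractEndpoint that the comment above refers to.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Hypothetical example: ask a Tomcat 8.5.x connector to re-read its TLS
 * configuration (key store included) by invoking the endpoint's
 * reloadSslHostConfigs operation over remote JMX.
 */
public final class TlsReloadClient {

    public static void main(String[] args) throws Exception {
        // Assumed deployment values; adjust to your JMX port, credentials and connector name.
        String jmxUrl = "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi";
        String connectorName = "https-jsse-nio-8443";
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {"jmxadmin", "secret"}); // assumed credentials

        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(jmxUrl), env)) {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();
            // Tomcat registers each connector's endpoint under type=ThreadPool with the quoted connector name.
            ObjectName endpoint = new ObjectName("Catalina:type=ThreadPool,name=\"" + connectorName + "\"");
            if (!mbs.isRegistered(endpoint)) {
                throw new IllegalStateException("no endpoint MBean registered as " + endpoint);
            }
            // No-argument operation: reloads every SSLHostConfig on this connector.
            mbs.invoke(endpoint, "reloadSslHostConfigs", new Object[0], new String[0]);
            System.out.println("TLS configuration reloaded on " + endpoint);
        }
    }
}
```

Run this from the certificate-rotation job after the new keystore has been written in place of the old one, and the next handshake will use the new key without a restart. Remote JMX exposes every MBean Tomcat registers, not only this operation, so it should be bound to a management interface and protected with TLS and authentication; where the Manager app is already deployed with a user in the manager-script role, the same reload is available from its text interface, which avoids opening JMX at all.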
Wang, Simon <18...@163.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|Mac OS X 10.1               |All

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Tomcat 8.5.x onwards supports re-reading the entire TLS config - including the
key store. I'd recommend a move to 8.5.x.

--- Comment #5 from Wang, Simon <18...@163.com> ---
I'll check that code in 8.5.x.

Could you give a hand to review the current PR too? Any potential risks?

--- Comment #1 from Wang, Simon <18...@163.com> ---
I filed a PR here:
https://github.com/apache/tomcat70/pull/15

Could any of you give a hand and take a look at it, to see whether it's OK?

I can file another PR for Tomcat trunk (latest version) separately. I'd prefer
to learn your feedback about this fix, whether there are potential issues or
problems.

--- Comment #3 from Wang, Simon <18...@163.com> ---
Thanks for your comments. Could you give more details about the Tomcat 8.5
TLS config reloading?

Another concern is: it's a big impact for us to upgrade from Tomcat 7 to
Tomcat 8.5. Could you give a hand to review my PR to see whether there are
potential risks with this patch? We could use this patch ourselves first, then
upgrade to Tomcat 8.5 later after thorough testing and evaluation of the
potential changes.
