Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/06/09 06:57:30 UTC
[Bug 66635] New: AbstractEndpoint#logCertificate() prints incorrect information
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
Bug ID: 66635
Summary: AbstractEndpoint#logCertificate() prints incorrect
information
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: michaelo@apache.org
Target Milestone: ----
This applies to other Tomcat versions as well, but only verified in 8.5.
Coming from:
https://www.mail-archive.com/users@tomcat.apache.org/msg141656.html
Tomcat logs the following line:
> 2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null]
But I have never configured a Java keystore, but solely use APR + OpenSSL style
config:
> <Connector port="8444" connectionTimeout="20000" keepAliveTimeout="300000" maxParameterCount="1000"
>            maxHttpHeaderSize="24576" maxThreads="250"
>            SSLEnabled="true" scheme="https" secure="true"
>            defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
>   <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
>                  honorCipherOrder="true" disableSessionTickets="true"
>                  ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
>                  certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
>                  certificateKeyPassword="..." type="RSA" />
>   </SSLHostConfig>
> </Connector>
The Java code emitting this message does not check for store type to print the
correct information. The keystore [/net/home/smartld/.keystore] does not exist.
The called class does differentiate internally between store types, so should
this printer.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
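An added example, not part of the original report and not Tomcat's own code: a check an operator on a release before the fix could run to find logCertificate lines that name a keystore although server.xml configures PEM files for that connector and host. The function names, the sample host and the sample paths are constructed; it assumes hostName and type are set explicitly and that the connector name in the log ends in the port, as in the lines quoted in this thread.

```python
import re
import xml.etree.ElementTree as ET

HEAD = (r"logCertificate Connector \[(?P<connector>[^\]]*)\], "
        r"TLS virtual host \[(?P<host>[^\]]*)\], "
        r"certificate type \[(?P<type>[^\]]*)\] configured from ")
# Layout from the report (keystore + alias) and from comment #2 (key + certificate).
KEYSTORE_MSG = re.compile(HEAD + r"\[(?P<keystore>[^\]]*)\] using alias \[")
PEM_MSG = re.compile(HEAD + r"key \[(?P<key>[^\]]*)\], certificate \[(?P<cert>[^\]]*)\]")

def configured_certificates(server_xml):
    """Map (port, hostName, type) to the attributes of each <Certificate>."""
    certs = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        for host in conn.iter("SSLHostConfig"):
            for cert in host.iter("Certificate"):
                certs[conn.get("port"), host.get("hostName"), cert.get("type")] = cert.attrib
    return certs

def audit(server_xml, log_lines):
    """Return (connector, verdict) for every logCertificate line."""
    config, results = configured_certificates(server_xml), []
    for line in log_lines:
        m = KEYSTORE_MSG.search(line) or PEM_MSG.search(line)
        if not m:
            continue
        port = m["connector"].rsplit("-", 1)[-1]  # assumption: name ends in the port
        cert = config.get((port, m["host"], m["type"]))
        if cert is None:
            verdict = "no matching <Certificate>"
        elif m.re is KEYSTORE_MSG:  # keystore wording, but PEM files configured?
            verdict = "misleading: PEM files configured" if "certificateFile" in cert else "ok"
        else:
            same = (cert.get("certificateKeyFile"), cert.get("certificateFile")) == (m["key"], m["cert"])
            verdict = "ok" if same else "mismatch with server.xml"
        results.append((m["connector"], verdict))
    return results

# Constructed sample input in the shape of the report's config and log lines.
SAMPLE_XML = """<Server><Service><Connector port="8444" SSLEnabled="true">
<SSLHostConfig hostName="host.example"><Certificate type="RSA"
 certificateFile="/opt/tls/cert.crt" certificateKeyFile="/opt/tls/key.crt"/>
</SSLHostConfig></Connector></Service></Server>"""
PREFIX = ("INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector "
          "[https-openssl-apr-8444], TLS virtual host [host.example], certificate type [RSA] ")
SAMPLE_LOG = [
    PREFIX + "configured from [/home/tomcat/.keystore] using alias [tomcat] and with trust store [null]",
    PREFIX + "configured from key [/opt/tls/key.crt], certificate [/opt/tls/cert.crt] and certificate chain [null] with trust store [null]",
]
```

Calling audit(SAMPLE_XML, SAMPLE_LOG) marks the first line as misleading and the second as ok.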
[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
--- Comment #2 from Michael Osipov <mi...@apache.org> ---
Looks much better now:
> 2023-06-14T09:58:06.481 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and certificate chain [null] with trust store [null]
> 2023-06-14T09:58:06.585 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and certificate chain [null] with trust store [/opt/openssl/certs]
I wonder to what extent we need certificateChainFile these days because the
mod_ssl counterpart has been deprecated for a long time:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
as long as our code loads the file identically to mod_ssl.
Should I spawn a new issue for this?
[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
--- Comment #4 from Michael Osipov <mi...@apache.org> ---
(In reply to Mark Thomas from comment #3)
> Yes. A new issue needs a new BZ entry.
Done in Bug 66647.
[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Yes. A new issue needs a new BZ entry.
[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
Michael Osipov <mi...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michaelo@apache.org
[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
Mark Thomas <ma...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- 11.0.x for 11.0.0-M8 onwards
- 10.1.x for 10.1.11 onwards
- 9.0.x for 9.0.77 onwards
- 8.5.x for 8.5.91 onwards