Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/06/09 06:57:30 UTC

[Bug 66635] New: AbstractEndpoint#logCertificate() prints incorrect information

https://bz.apache.org/bugzilla/show_bug.cgi?id=66635

            Bug ID: 66635
           Summary: AbstractEndpoint#logCertificate() prints incorrect
                    information
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: michaelo@apache.org
  Target Milestone: ----

This applies to other Tomcat versions as well, but only verified in 8.5.
Coming from:
https://www.mail-archive.com/users@tomcat.apache.org/msg141656.html

Tomcat logs the following line:
> 2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null] 

But I have never configured a Java keystore; I solely use APR + OpenSSL style
config:
> <Connector port="8444" connectionTimeout="20000" keepAliveTimeout="300000" maxParameterCount="1000"
>   maxHttpHeaderSize="24576" maxThreads="250"
>   SSLEnabled="true" scheme="https" secure="true"
>   defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
>   <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
>     honorCipherOrder="true" disableSessionTickets="true"
>     ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
>       certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
>       certificateKeyPassword="..." type="RSA" />
>   </SSLHostConfig>
> </Connector>

The Java code emitting this message does not check for store type to print the
correct information. The keystore [/net/home/smartld/.keystore] does not exist.

The called class does differentiate internally between store types, so should
this printer.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information


--- Comment #2 from Michael Osipov <mi...@apache.org> ---
Looks much better now:

> 2023-06-14T09:58:06.481 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and certificate chain [null] with trust store [null]
> 2023-06-14T09:58:06.585 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and certificate chain [null] with trust store [/opt/openssl/certs]

I wonder to what extent we need certificateChainFile these days because the
mod_ssl counterpart has been deprecated for a long time:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
as long as our code loads the file identically to mod_ssl.

Should I spawn a new issue for this?

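Added example (not Tomcat's code and not from anyone in this thread): a small checker that parses both logCertificate formats quoted above, the pre-fix keystore-style line and the post-fix PEM-style line, and reports which referenced files are absent on disk, which is the cross-check the reporter did by hand for the non-existent keystore. The sample lines are constructed from the thread; the field labels are assumed to be exactly the bracketed labels shown there.

```python
import re
from pathlib import Path

# Constructed sample lines modelled on the two logCertificate formats quoted in
# this thread: the pre-fix keystore-style message (naming a keystore the reporter
# says does not exist) and a post-fix PEM-style message.
SAMPLE_LINES = [
    "2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net."
    "AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], "
    "TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] "
    "configured from [/net/home/smartld/.keystore] using alias [tomcat] and "
    "with trust store [null]",
    "2023-06-14T09:58:06.585 INFORMATION [main] org.apache.tomcat.util.net."
    "AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], "
    "TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] "
    "configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], "
    "certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and "
    "certificate chain [null] with trust store [/opt/openssl/certs]",
]

# Bracketed fields that name something on disk; "[null]" means not configured.
PATH_FIELDS = ("configured from", "configured from key", "certificate",
               "certificate chain", "trust store")
ALL_FIELDS = ("Connector", "TLS virtual host", "certificate type", "alias") + PATH_FIELDS


def parse_log_certificate(line):
    """Extract the labelled [value] fields of a logCertificate line (None if not one)."""
    if "AbstractEndpoint.logCertificate" not in line:
        return None
    fields = {}
    for label in ALL_FIELDS:
        # Match the whole label followed directly by " [", so "certificate ["
        # does not pick up "certificate type [" or "certificate chain [".
        m = re.search(r"\b" + re.escape(label) + r" \[([^\]]*)\]", line)
        if m:
            fields[label] = None if m.group(1) == "null" else m.group(1)
    return fields


def audit_line(line, exists=lambda p: Path(p).exists()):
    """Say whether the line describes a keystore or PEM setup and list absent paths."""
    fields = parse_log_certificate(line)
    if fields is None:
        return None
    style = "pem" if fields.get("configured from key") else "keystore"
    missing = [fields[k] for k in PATH_FIELDS if fields.get(k) and not exists(fields[k])]
    return {"connector": fields.get("Connector"), "style": style, "missing": missing}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(audit_line(sample))
```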


[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information


--- Comment #4 from Michael Osipov <mi...@apache.org> ---
(In reply to Mark Thomas from comment #3)
> Yes. A new issue needs a new BZ entry.

Done in Bug 66647.



[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information


--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Yes. A new issue needs a new BZ entry.



[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information


Michael Osipov <mi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michaelo@apache.org



[Bug 66635] AbstractEndpoint#logCertificate() prints incorrect information


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- 11.0.x for 11.0.0-M8 onwards
- 10.1.x for 10.1.11 onwards
-  9.0.x for  9.0.77 onwards
-  8.5.x for  8.5.91 onwards
