Posted to dev@tomcat.apache.org by re...@apache.org on 2019/03/07 14:02:10 UTC
[tomcat] branch master updated: Try to process certificates using
JSSE before OpenSSL
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 7b41d6e Try to process certificates using JSSE before OpenSSL
7b41d6e is described below
commit 7b41d6edaf1f37c8741a06b1ac496e7faa8d1863
Author: remm <re...@apache.org>
AuthorDate: Thu Mar 7 15:02:00 2019 +0100
Try to process certificates using JSSE before OpenSSL
Log at info level when a key manager cannot be created (and include the exception when debug logging is enabled). For example, the issue occurred with a test config using a PKCS#1 private key (an old format) which could not be processed by the JSSE code. Although the key is valid, the user could probably update to a more modern format, and the message gives a hint.
---
.../tomcat/util/net/openssl/LocalStrings.properties | 1 +
.../apache/tomcat/util/net/openssl/OpenSSLUtil.java | 19 ++++++++++++++++---
2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index ff294c6..1dca2b5 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -50,6 +50,7 @@ openssl.errMakeConf=Could not create OpenSSLConf context
openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
openssl.makeConf=Creating OpenSSLConf context
+openssl.nonJsseCertficate=The certificate [{0}] or its private key [{1}] could not be processed using a JSSE key manager and will be given directly to OpenSSL
openssl.trustManagerMissing=No trust manager found
opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}])
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 514aef2..6878deb 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -16,6 +16,7 @@
*/
package org.apache.tomcat.util.net.openssl;
+import java.security.KeyStoreException;
import java.util.List;
import java.util.Set;
@@ -99,10 +100,22 @@ public class OpenSSLUtil extends SSLUtilBase {
@Override
public KeyManager[] getKeyManagers() throws Exception {
- if (certificate.getCertificateFile() == null) {
+ try {
return super.getKeyManagers();
- } else {
- return null;
+ } catch (KeyStoreException e) {
+ if (certificate.getCertificateFile() != null) {
+ if (log.isDebugEnabled()) {
+ log.info(sm.getString("openssl.nonJsseCertficate",
+ certificate.getCertificateFile(), certificate.getCertificateKeyFile()), e);
+ } else {
+ log.info(sm.getString("openssl.nonJsseCertficate",
+ certificate.getCertificateFile(), certificate.getCertificateKeyFile()));
+ }
+ // Assume JSSE processing of the certificate failed, try again with OpenSSL
+ // without a key manager
+ return null;
+ }
+ throw e;
}
}
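Review bot: The catch at `} catch (KeyStoreException e) {` treats any KeyStoreException as "JSSE could not parse this PEM" and falls back to OpenSSL, but at the default info level the cause is dropped, so an operator only learns that the certificate will be handed to OpenSSL and not why JSSE rejected it; if the underlying problem is one OpenSSL will also reject (a wrong key password or a truncated file, inferred rather than visible here), the real failure surfaces later and further from its origin. Carrying the reason into the info line would fix this without a stack trace, e.g. by adding a `{2}` placeholder to `openssl.nonJsseCertficate` and passing `e.getMessage()` as the third `sm.getString` argument. The `sm.getString(...)` call is duplicated in the two branches of `if (log.isDebugEnabled())`; hoisting it into a local `String msg` before the `if` removes the repetition. The resource key `openssl.nonJsseCertficate` is missing an "i" in both files; it is consistent so nothing breaks, but it is worth correcting before other callers copy it.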