Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/07/12 15:35:24 UTC
[tomcat] 01/02: Fix
https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 part 1 of 2
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 9a03cbc0c86438979e644942c0443857f37b86c1
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Jul 12 16:18:17 2019 +0100
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63524 part 1 of 2
A certificate chain is required when adding a private key to the in-memory key store.
Improve the handling of the case when it is not present.
---
.../util/net/openssl/LocalStrings.properties | 1 +
.../tomcat/util/net/openssl/OpenSSLUtil.java | 22 ++++++++++++++++------
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 1dca2b5..eb037b9 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -51,6 +51,7 @@ openssl.errorSSLCtxInit=Error initializing SSL context
openssl.keyManagerMissing=No key manager found
openssl.makeConf=Creating OpenSSLConf context
openssl.nonJsseCertficate=The certificate [{0}] or its private key [{1}] could not be processed using a JSSE key manager and will be given directly to OpenSSL
+openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not valid and JSSE requires a valid certificate chain so attempting to use OpenSSL directly
openssl.trustManagerMissing=No trust manager found
opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}])
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index e8f0b9b..fada2ca 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -96,16 +96,26 @@ public class OpenSSLUtil extends SSLUtilBase {
public KeyManager[] getKeyManagers() throws Exception {
try {
return super.getKeyManagers();
+ } catch (IllegalArgumentException e) {
+ // No (or invalid?) certificate chain was provided for the cert
+ String msg = sm.getString("openssl.nonJsseChain", certificate.getCertificateChainFile());
+ if (log.isDebugEnabled()) {
+ log.info(msg, e);
+ } else {
+ log.info(msg);
+ }
+ return null;
} catch (KeyStoreException | IOException e) {
- // Depending on what is presented, JSSE may throw either of the
- // above exceptions if it doesn't understand the provided file.
+ // Depending on what is presented, JSSE may also throw
+ // KeyStoreException or IOException if it doesn't understand the
+ // provided file.
if (certificate.getCertificateFile() != null) {
+ String msg = sm.getString("openssl.nonJsseCertficate",
+ certificate.getCertificateFile(), certificate.getCertificateKeyFile());
if (log.isDebugEnabled()) {
- log.info(sm.getString("openssl.nonJsseCertficate",
- certificate.getCertificateFile(), certificate.getCertificateKeyFile()), e);
+ log.info(msg, e);
} else {
- log.info(sm.getString("openssl.nonJsseCertficate",
- certificate.getCertificateFile(), certificate.getCertificateKeyFile()));
+ log.info(msg);
}
// Assume JSSE processing of the certificate failed, try again with OpenSSL
// without a key manager
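Review bot: The new `catch (IllegalArgumentException e)` block swallows every IAE that `super.getKeyManagers()` can raise and returns `null` unconditionally, whereas the existing `KeyStoreException | IOException` branch only takes the OpenSSL fallback when `certificate.getCertificateFile() != null`. An IAE raised for a keystore-based configuration (where no PEM files are involved and handing the material "directly to OpenSSL" is not meaningful) would therefore be downgraded to an INFO line and a silent `null` return instead of surfacing as a startup failure. Consider mirroring the other branch by rethrowing when no certificate file is configured, e.g. `if (certificate.getCertificateFile() == null) { throw e; }` before building the message, and since only a missing/empty chain is known to produce an IAE here, the `// No (or invalid?) certificate chain` comment could state that as `// JSSE refuses a private key without a certificate chain (IllegalArgumentException)`. The stack trace is only attached when debug logging is on, matching the existing branch; note that the method's body continues past the end of this hunk.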