Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/12/05 21:00:22 UTC
svn commit: r1772805 - in /tomcat/tc8.5.x/trunk:
java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
webapps/docs/changelog.xml
Author: markt
Date: Mon Dec 5 21:00:22 2016
New Revision: 1772805
URL: http://svn.apache.org/viewvc?rev=1772805&view=rev
Log:
Expand the search process for a server certificate when OpenSSL is used with a JSSE connector and an explicit alias has not been configured.
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1772805&r1=1772804&r2=1772805&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Mon Dec 5 21:00:22 2016
@@ -23,6 +23,8 @@ import java.security.cert.CertificateExc
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Iterator;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
@@ -47,6 +49,7 @@ import org.apache.tomcat.util.net.Abstra
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -276,6 +279,10 @@ public class OpenSSLContext implements o
alias = "tomcat";
}
X509Certificate[] chain = keyManager.getCertificateChain(alias);
+ if (chain == null) {
+ alias = findAlias(keyManager, certificate);
+ chain = keyManager.getCertificateChain(alias);
+ }
PrivateKey key = keyManager.getPrivateKey(alias);
StringBuilder sb = new StringBuilder(BEGIN_KEY);
String encoded = BASE64_ENCODER.encodeToString(key.getEncoded());
@@ -342,6 +349,33 @@ public class OpenSSLContext implements o
}
}
+ /*
+ * Find a valid alias when none was specified in the config.
+ */
+ private static String findAlias(X509KeyManager keyManager,
+ SSLHostConfigCertificate certificate) {
+
+ Type type = certificate.getType();
+ String result = null;
+
+ List<Type> candidiateTypes = new ArrayList<>();
+ if (Type.UNDEFINED.equals(type)) {
+ // Try all types to find an suitable alias
+ candidiateTypes.addAll(Arrays.asList(Type.values()));
+ candidiateTypes.remove(Type.UNDEFINED);
+ } else {
+ // Look for the specific type to find a suitable alias
+ candidiateTypes.add(type);
+ }
+
+ Iterator<Type> iter = candidiateTypes.iterator();
+ while (result == null && iter.hasNext()) {
+ result = keyManager.chooseServerAlias(iter.next().toString(), null, null);
+ }
+
+ return result;
+ }
+
private static X509KeyManager chooseKeyManager(KeyManager[] managers) throws Exception {
for (KeyManager manager : managers) {
if (manager instanceof JSSEKeyManager) {
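Review bot: `findAlias` returns null when `chooseServerAlias` finds nothing for any candidate type, but the header comment ("Find a valid alias") does not say so and the sole caller in this commit passes the result straight to `getCertificateChain`/`getPrivateKey`; the comment should read something like `Returns null if the key manager has no server alias for any candidate type; callers must treat that as a configuration error.` The lookup also relies on each `Type` constant's `toString()` matching the JSSE key-type string expected by `chooseServerAlias` (e.g. "RSA", "EC"), which I cannot confirm from this hunk — worth a one-line comment at the `iter.next().toString()` call, or a dedicated accessor on `Type`, so a future constant rename does not silently turn every lookup into a miss. When the configured type is UNDEFINED the first match in `Type.values()` declaration order wins, which is an ordering dependency worth stating next to `candidiateTypes.addAll(...)`. Finally, `candidiateTypes` is misspelled throughout (`candidateTypes`) and `// Try all types to find an suitable alias` should read `a suitable alias`.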
Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1772805&r1=1772804&r2=1772805&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Mon Dec 5 21:00:22 2016
@@ -45,6 +45,15 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 8.5.10 (markt)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Expand the search process for a server certificate when OpenSSL is used
+ with a JSSE connector and an explicit alias has not been configured.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 8.5.9 (markt)" rtext="release in progress">
<subsection name="Catalina">