Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/12/09 09:27:48 UTC
svn commit: r1773344 - in /tomcat/trunk: java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Fri Dec 9 09:27:48 2016
New Revision: 1773344
URL: http://svn.apache.org/viewvc?rev=1773344&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60450
Improve the selection algorithm for the default trust store type for a TLS Virtual Host. In particular, don't use PKCS12 as a default trust store type.
Better document how the default trust store type is selected for a TLS virtual host.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1773344&r1=1773343&r2=1773344&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri Dec 9 09:27:48 2016
@@ -560,11 +560,11 @@ public class SSLHostConfig implements Se
public String getTruststoreProvider() {
if (truststoreProvider == null) {
- if (defaultCertificate == null) {
- return SSLHostConfigCertificate.DEFAULT_KEYSTORE_PROVIDER;
- } else {
- return defaultCertificate.getCertificateKeystoreProvider();
+ Set<SSLHostConfigCertificate> certificates = getCertificates();
+ if (certificates.size() == 1) {
+ return certificates.iterator().next().getCertificateKeystoreProvider();
}
+ return SSLHostConfigCertificate.DEFAULT_KEYSTORE_PROVIDER;
} else {
return truststoreProvider;
}
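Review bot: The change to how the default trust store provider is chosen is not documented anywhere in this commit; the `http.xml` hunk below only rewrites the `truststoreType` attribute text, and the changelog entry and log message mention only the trust store type. Since `getTruststoreProvider()` now returns the single certificate's keystore provider only when exactly one certificate is configured and otherwise falls back to `SSLHostConfigCertificate.DEFAULT_KEYSTORE_PROVIDER` (previously it followed `defaultCertificate` whenever one existed), the `truststoreProvider` attribute documentation should get the same "single certificate" wording so operators with zero or several certificates are not surprised by the provider silently changing to the default.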
@@ -579,11 +579,16 @@ public class SSLHostConfig implements Se
public String getTruststoreType() {
if (truststoreType == null) {
- if (defaultCertificate == null) {
- return SSLHostConfigCertificate.DEFAULT_KEYSTORE_TYPE;
- } else {
- return defaultCertificate.getCertificateKeystoreType();
+ Set<SSLHostConfigCertificate> certificates = getCertificates();
+ if (certificates.size() == 1) {
+ String keystoreType = certificates.iterator().next().getCertificateKeystoreType();
+ // Don't use keystore type as the default if we know it is not
+ // going to be used as a trust store type
+ if (!"PKCS12".equalsIgnoreCase(keystoreType)) {
+ return keystoreType;
+ }
}
+ return SSLHostConfigCertificate.DEFAULT_KEYSTORE_TYPE;
} else {
return truststoreType;
}
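Review bot: The single-certificate lookup (`getCertificates()`, `size() == 1`, `iterator().next()`) is now duplicated verbatim between `getTruststoreProvider()` and `getTruststoreType()`; a small private helper returning the sole `SSLHostConfigCertificate` or `null` would keep the two default-selection paths from drifting apart. The comment "Don't use keystore type as the default if we know it is not going to be used as a trust store type" should also state the concrete reason the hard-coded `"PKCS12"` string is excluded, since a reader cannot tell from the code whether other keystore types share that constraint; and it is worth a comment that the multi-certificate and zero-certificate cases now always land on `DEFAULT_KEYSTORE_TYPE`, because the provider hunk above returns the certificate's provider in the `size() == 1` case without the same type-based veto, so a single PKCS12 certificate yields the default type paired with that certificate's provider.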
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1773344&r1=1773343&r2=1773344&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Dec 9 09:27:48 2016
@@ -57,6 +57,12 @@
class that is used by all Endpoints. (markt)
</scode>
<fix>
+ <bug>60450</bug>: Improve the selection algorithm for the default trust
+ store type for a TLS Virtual Host. In particular, don't use
+ <code>PKCS12</code> as a default trust store type. Better document how
+ the default trust store type is selected for a TLS virtual host. (markt)
+ </fix>
+ <fix>
<bug>60451</bug>: Correctly handle HTTP/2 header values that contain
characters with unicode code points in the range 128 to 255. Reject
with a clear error message HTTP/2 header values that contain characters
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1773344&r1=1773343&r2=1773344&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri Dec 9 09:27:48 2016
@@ -1328,8 +1328,11 @@
<p>JSSE only.</p>
<p>The type of key store used for the trust store. The default is the
value of the <code>javax.net.ssl.trustStoreType</code> system property. If
- that property is null, the value of <code>keystoreType</code> is used as
- the default.</p>
+ that property is null, a single certificate has been configured for this
+ TLS virtual host and that certificate has a <code>keystoreType</code> that
+ is not <code>PKCS12</code> then the default will be the
+ <code>keystoreType</code> of the single certificate. If none of these
+ identify a default, the default will be <code>JKS</code>.</p>
</attribute>
</attributes>
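Review bot: The new sentence starting "If that property is null, a single certificate has been configured ..." reads as a list of three consecutive facts rather than a compound condition; restructuring it as "If that property is not set, and a single certificate has been configured for this TLS virtual host, and that certificate has a `keystoreType` other than `PKCS12`, then the default is the `keystoreType` of that certificate" makes the three-part condition unambiguous. The same hunk should also update the `truststoreProvider` attribute text, since the Java change alters that default in the same way, and the closing "the default will be `JKS`" should be stated in terms of what happens with zero or multiple certificates so the reader does not infer that a single PKCS12 certificate is the only way to reach the `JKS` fallback.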