Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/12/09 09:27:48 UTC

svn commit: r1773344 - in /tomcat/trunk: java/org/apache/tomcat/util/net/SSLHostConfig.java webapps/docs/changelog.xml webapps/docs/config/http.xml

Author: markt
Date: Fri Dec  9 09:27:48 2016
New Revision: 1773344

URL: http://svn.apache.org/viewvc?rev=1773344&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60450
Improve the selection algorithm for the default trust store type for a TLS Virtual Host. In particular, don't use PKCS12 as a default trust store type.
Better document how the default trust store type is selected for a TLS virtual host.

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/trunk/webapps/docs/changelog.xml
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1773344&r1=1773343&r2=1773344&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri Dec  9 09:27:48 2016
@@ -560,11 +560,11 @@ public class SSLHostConfig implements Se
 
     public String getTruststoreProvider() {
         if (truststoreProvider == null) {
-            if (defaultCertificate == null) {
-                return SSLHostConfigCertificate.DEFAULT_KEYSTORE_PROVIDER;
-            } else {
-                return defaultCertificate.getCertificateKeystoreProvider();
+            Set<SSLHostConfigCertificate> certificates = getCertificates();
+            if (certificates.size() == 1) {
+                return certificates.iterator().next().getCertificateKeystoreProvider();
             }
+            return SSLHostConfigCertificate.DEFAULT_KEYSTORE_PROVIDER;
         } else {
             return truststoreProvider;
         }
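Review bot: The provider chosen here is no longer guaranteed to match the type chosen in getTruststoreType(): when the single certificate's keystoreType is PKCS12, the type method falls back to DEFAULT_KEYSTORE_TYPE, but this method still returns that certificate's keystore provider, so a trust store can end up requested with the certificate's provider and the default type. Whether a given provider would reject that combination cannot be told from this hunk, but keeping the two defaults derived from the same decision avoids the question; the simplest form is to apply the same guard at the `return` on the single-certificate branch: `SSLHostConfigCertificate cert = certificates.iterator().next();` followed by `if (!"PKCS12".equalsIgnoreCase(cert.getCertificateKeystoreType())) { return cert.getCertificateKeystoreProvider(); }`. A short why-comment on the `certificates.size() == 1` test would also help, e.g. `// With several certificates there is no single obvious store to inherit from, so use the default`.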
@@ -579,11 +579,16 @@ public class SSLHostConfig implements Se
 
     public String getTruststoreType() {
         if (truststoreType == null) {
-            if (defaultCertificate == null) {
-                return SSLHostConfigCertificate.DEFAULT_KEYSTORE_TYPE;
-            } else {
-                return defaultCertificate.getCertificateKeystoreType();
+            Set<SSLHostConfigCertificate> certificates = getCertificates();
+            if (certificates.size() == 1) {
+                String keystoreType = certificates.iterator().next().getCertificateKeystoreType();
+                // Don't use keystore type as the default if we know it is not
+                // going to be used as a trust store type
+                if (!"PKCS12".equalsIgnoreCase(keystoreType)) {
+                    return keystoreType;
+                }
             }
+            return SSLHostConfigCertificate.DEFAULT_KEYSTORE_TYPE;
         } else {
             return truststoreType;
         }
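Review bot: The comment above the PKCS12 check states a conclusion without its reason, and the reason is the whole point of the change; suggest `// Don't inherit PKCS12: a PKCS12 key store does not imply a PKCS12 trust store and that inheritance broke deployments (BZ 60450)`. Note this is a silent behaviour change for a deployment whose single certificate uses keystoreType=PKCS12, whose trust store file really is PKCS12 and which set no explicit truststoreType: it will now be opened as DEFAULT_KEYSTORE_TYPE, presumably failing when the store is loaded rather than at configuration time, so a log message at the load site (outside this hunk) would help operators find the new cause. The http.xml text says `javax.net.ssl.trustStoreType` is consulted first, but nothing in this method reads it; if `truststoreType` is seeded from that property elsewhere in the class, a one-line comment here saying so would keep the code and the documentation in step.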

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1773344&r1=1773343&r2=1773344&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Dec  9 09:27:48 2016
@@ -57,6 +57,12 @@
         class that is used by all Endpoints. (markt)
       </scode>
       <fix>
+        <bug>60450</bug>: Improve the selection algorithm for the default trust
+        store type for a TLS Virtual Host. In particular, don't use
+        <code>PKCS12</code> as a default trust store type. Better document how
+        the default trust store type is selected for a TLS virtual host. (markt)
+      </fix>
+      <fix>
         <bug>60451</bug>: Correctly handle HTTP/2 header values that contain
         characters with unicode code points in the range 128 to 255. Reject
         with a clear error message HTTP/2 header values that contain characters

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1773344&r1=1773343&r2=1773344&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri Dec  9 09:27:48 2016
@@ -1328,8 +1328,11 @@
       <p>JSSE only.</p>
       <p>The type of key store used for the trust store. The default is the
       value of the <code>javax.net.ssl.trustStoreType</code> system property. If
-      that property is null, the value of <code>keystoreType</code> is used as
-      the default.</p>
+      that property is null, a single certificate has been configured for this
+      TLS virtual host and that certificate has a <code>keystoreType</code> that
+      is not <code>PKCS12</code> then the default will be the
+      <code>keystoreType</code> of the single certificate. If none of these
+      identify a default, the default will be <code>JKS</code>.</p>
      </attribute>
 
   </attributes>


