Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/08/30 22:21:38 UTC
svn commit: r1758483 - in /tomcat/trunk:
java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
webapps/docs/changelog.xml
Author: markt
Date: Tue Aug 30 22:21:38 2016
New Revision: 1758483
URL: http://svn.apache.org/viewvc?rev=1758483&view=rev
Log:
Log a warning at start up if a JSSE TLS connector is configured with a trusted certificate that is either not yet valid or has expired.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1758483&r1=1758482&r2=1758483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue Aug 30 22:21:38 2016
@@ -28,13 +28,18 @@ import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Date;
+import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
@@ -259,6 +264,7 @@ public class JSSEUtil extends SSLUtilBas
KeyStore trustStore = sslHostConfig.getTruststore();
if (trustStore != null) {
+ checkTrustStoreEntries(trustStore);
String algorithm = sslHostConfig.getTruststoreAlgorithm();
String crlf = sslHostConfig.getCertificateRevocationListFile();
@@ -282,6 +288,38 @@ public class JSSEUtil extends SSLUtilBas
return tms;
}
+
+ private void checkTrustStoreEntries(KeyStore trustStore) throws Exception {
+ Enumeration<String> aliases = trustStore.aliases();
+ if (aliases != null) {
+ Date now = new Date();
+ while (aliases.hasMoreElements()) {
+ String alias = aliases.nextElement();
+ if (trustStore.isCertificateEntry(alias)) {
+ Certificate cert = trustStore.getCertificate(alias);
+ if (cert instanceof X509Certificate) {
+ try {
+ ((X509Certificate) cert).checkValidity(now);
+ } catch (CertificateExpiredException | CertificateNotYetValidException e) {
+ String msg = sm.getString("jsseUtil.trustedCertNotValid", alias,
+ ((X509Certificate) cert).getSubjectDN(), e.getMessage());
+ if (log.isDebugEnabled()) {
+ log.debug(msg, e);
+ } else {
+ log.warn(msg);
+ }
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("jsseUtil.trustedCertNotChecked", alias));
+ }
+ }
+ }
+ }
+ }
+ }
+
+
@Override
public void configureSessionContext(SSLSessionContext sslSessionContext) {
sslSessionContext.setSessionCacheSize(sslHostConfig.getSessionCacheSize());
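Review bot: In the catch block of checkTrustStoreEntries the expired or not-yet-valid trust anchor is reported only at DEBUG level when debug logging is on (`log.debug(msg, e)`), so enabling debug logging silently downgrades an operator-facing WARN message; logging `log.warn(msg, e);` in that branch keeps the severity and adds the stack trace. `getSubjectDN()` is denigrated in the JDK javadoc in favour of `getSubjectX500Principal()`, and the repeated cast could be bound once as `X509Certificate x509 = (X509Certificate) cert;` before the try. `throws Exception` on the new method is wider than needed, since the three KeyStore calls it makes declare `KeyStoreException`. The `return tms;` at the top of the hunk closes a method whose start is outside the hunk, and configureSessionContext continues past its end.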
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties?rev=1758483&r1=1758482&r2=1758483&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties Tue Aug 30 22:21:38 2016
@@ -33,5 +33,8 @@ jsseSupport.unexpectedData=Unexpected da
jsse.openssl.unknownElement=Unknown element in cipher string: {0}
jsse.openssl.effectiveCiphers=Ciphers used: {0}
+jsseUtil.invalidTrustCert=The certificate for [{0}] in the trust store is not valid and has, therefore, been excluded in the list of certificates sent to the client
jsseUtil.noCrlSupport=The truststoreProvider [{0}] does not support the certificateRevocationFile configuration option
-jsseUtil.noVerificationDepth=The truststoreProvider [{0}] does not support the certificateVerificationDepth configuration option
\ No newline at end of file
+jsseUtil.noVerificationDepth=The truststoreProvider [{0}] does not support the certificateVerificationDepth configuration option
+jsseUtil.trustedCertNotChecked=The validity dates of the trusted certificate with alias [{0}] were not checked as the certificate was of an unknown type
+jsseUtil.trustedCertNotValid=The trusted certificate with alias [{0}] and DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted certificate WILL be accepted
\ No newline at end of file
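Review bot: The key `jsseUtil.invalidTrustCert` added at the top of the hunk is not referenced by any line in this commit's JSSEUtil.java hunks, so unless code outside those hunks uses it, it is an unused message and should be dropped or wired to the check it describes. Its wording also reads better as `excluded from the list of certificates sent to the client`. The file still ends without a trailing newline on the new side (the `\ No newline at end of file` marker remains), which is worth fixing while the last line is being touched.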
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1758483&r1=1758482&r2=1758483&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Aug 30 22:21:38 2016
@@ -242,6 +242,11 @@
<bug>60035</bug>: Fix a potential connection leak if the client drops a
TLS connection before the handshake completes. (markt)
</fix>
+ <add>
+ Log a warning at start up if a JSSE TLS connector is configured with
+ a trusted certificate that is either not yet valid or has expired.
+ (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">