Author: markt Date: Tue May 2 10:34:37 2017 New Revision: 1793460 URL: http://svn.apache.org/viewvc?rev=1793460&view=rev Log: When a TrustManager is configured that does not support certificateVerificationDepth only log a warning about that lack of support when certificateVerificationDepth has been explicitly set.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1793460&r1=1793459&r2=1793460&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Tue May 2 10:34:37 2017
@@ -86,6 +86,8 @@ public class SSLHostConfig implements Se
 private String certificateRevocationListFile;
 private CertificateVerification certificateVerification = CertificateVerification.NONE;
 private int certificateVerificationDepth = 10;
+ // Used to track if certificateVerificationDepth has been explicitly set
+ private boolean certificateVerificationDepthConfigured = false;
 private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
 private LinkedHashSet<Cipher> cipherList = null;
 private List<String> jsseCipherNames = null;
@@ -286,6 +288,7 @@ public class SSLHostConfig implements Se
 public void setCertificateVerificationDepth(int certificateVerificationDepth) {
 this.certificateVerificationDepth = certificateVerificationDepth;
+ certificateVerificationDepthConfigured = true;
 }
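Review bot: The flag set in `setCertificateVerificationDepth()` is one-way and value-blind: any call marks the depth as explicitly configured, including one that passes the default of 10, and nothing visible here resets it. That is probably the intended meaning of "explicitly set", but it is worth stating next to the assignment, e.g. `// Any call counts as explicit configuration, even one that passes the default value`. The setter's Javadoc and the rest of the class lie outside the hunk, so an existing reset path cannot be ruled out.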
@@ -294,6 +297,11 @@ public class SSLHostConfig implements Se
 }
+ public boolean isCertificateVerificationDepthConfigured() {
+ return certificateVerificationDepthConfigured;
+ }
+
+
 /**
 * Set the new cipher configuration. Note: Regardless of the format used to
 * set the configuration, it is always stored in OpenSSL format.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1793460&r1=1793459&r2=1793460&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Tue May 2 10:34:37 2017
@@ -273,7 +273,10 @@ public class JSSEUtil extends SSLUtilBas
 if (crlf != null && crlf.length() > 0) {
 throw new CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
 }
- log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));
+ // Only warn if the attribute has been explicitly configured
+ if (sslHostConfig.isCertificateVerificationDepthConfigured()) {
+ log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));
+ }
 }
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1793460&r1=1793459&r2=1793460&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue May 2 10:34:37 2017
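Review bot: The new public accessor `isCertificateVerificationDepthConfigured()` has no Javadoc, while the method that follows it in the hunk carries one. It appears to exist only so the JSSE code can decide whether to report an unenforceable depth, and a short Javadoc saying so would keep it from being read as a general configuration property, for example `@return {@code true} if certificateVerificationDepth was set explicitly rather than left at its default`. The Javadoc block of the next method continues outside the hunk.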
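Review bot: In this branch the configured TrustManager algorithm does not support a verification depth, so a deployment relying on the default depth of 10 now gets no log signal at all that the limit is not applied. Keeping the message at a lower level for the unconfigured case would preserve that signal without the noise, e.g. `} else { log.debug(sm.getString("jsseUtil.noVerificationDepth", algorithm)); }`. It may also be worth deciding whether an explicitly configured depth that cannot be honoured should stay a warning, given that the explicitly configured CRL file just above is rejected with a `CRLException`. The enclosing method starts outside the hunk.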
@@ -85,6 +85,16 @@
 </scode>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ When a <code>TrustManager</code> is configured that does not support
+ <code>certificateVerificationDepth</code> only log a warning about that
+ lack of support when <code>certificateVerificationDepth</code> has been
+ explicitly set. (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Jasper">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org