This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit da9b88e56a9da87ac6d9faf81990332dd6519366
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 08:37:08 2026 +0000

    Reduce warnings when running TLS tests
---
 .../apache/tomcat/util/net/LocalStrings.properties | 1 +
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 42 +++++++++++++++++-----
 webapps/docs/changelog.xml | 6 ++++
 webapps/docs/config/http.xml | 14 +++++---
 4 files changed, 50 insertions(+), 13 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 1886680130..a07a8866f0 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -149,6 +149,7 @@ sslHostConfig.certificateVerificationInvalid=The certificate verification value
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being used with the [{3}] configuration syntax
+sslHostConfig.mismatch.trust=The trust configuration property [{0}] was set on the SSLHostConfig named [{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being used with the [{3}] trust configuration syntax
 sslHostConfig.opensslconf.alreadyset=Attempt to set another OpenSSLConf ignored
 sslHostConfig.opensslconf.null=Attempt to set null OpenSSLConf ignored
 sslHostConfig.prefix_missing=The protocol [{0}] was added to the list of protocols on the SSLHostConfig named [{1}]. Check if a +/- prefix is missing.
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 1ab4233439..600aa32f0a 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -80,6 +80,7 @@ public class SSLHostConfig implements Serializable {
     }
 
     private Type configType = null;
+    private Type trustConfigType = null;
 
     private String hostName = DEFAULT_SSL_HOST_NAME;
 
@@ -188,7 +189,7 @@ public class SSLHostConfig implements Serializable {
      * @param name the property name
      * @param configType the configuration type
      *
-     * @return true if the property belongs to the current configuration, and false otherwise
+     * @return true if the property belongs to the current configuration type, and false otherwise
      */
     boolean setProperty(String name, Type configType) {
         if (this.configType == null) {
@@ -203,6 +204,28 @@ public class SSLHostConfig implements Serializable {
     }
 
 
+    /**
+     * Set property which belongs to the specified trust configuration type.
+     *
+     * @param name the property name
+     * @param trustConfigType the trust configuration type
+     *
+     * @return true if the property belongs to the current trust configuration type, and false otherwise
+     */
+    boolean setTrustProperty(String name, Type trustConfigType) {
+        if (this.trustConfigType == null) {
+            this.trustConfigType = trustConfigType;
+        } else {
+            if (trustConfigType != this.trustConfigType) {
+                log.warn(sm.getString("sslHostConfig.mismatch.trust", name, getHostName(), trustConfigType,
+                        this.trustConfigType));
+                return false;
+            }
+        }
+        return true;
+    }
+
+
     // ----------------------------------------------------- Internal properties
 
     /**
@@ -606,7 +629,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTrustManagerClassName(String trustManagerClassName) {
-        setProperty("trustManagerClassName", Type.JSSE);
+        setTrustProperty("trustManagerClassName", Type.JSSE);
         this.trustManagerClassName = trustManagerClassName;
     }
 
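Review bot: setTrustProperty nests an `if` inside the `else` branch where a single `} else if (trustConfigType != this.trustConfigType) {` reads more directly and drops one level of braces; the body otherwise mirrors setProperty with only the field and the message key swapped, so a private helper shared by both checks would keep them from drifting apart (setProperty's body continues outside this hunk, so that part is inferred from its visible head). The boolean result is discarded by setTrustManagerClassName here and by the other JSSE trust setters in the following hunks, so after the mismatch warning the property is still applied; that matches the setProperty calls being replaced, but the Javadoc should say so, e.g. `The method only logs a mismatch; callers that must not apply a mismatched property have to check the result.`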
@@ -617,7 +640,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTruststoreAlgorithm(String truststoreAlgorithm) {
-        setProperty("truststoreAlgorithm", Type.JSSE);
+        setTrustProperty("truststoreAlgorithm", Type.JSSE);
         this.truststoreAlgorithm = truststoreAlgorithm;
     }
 
@@ -628,7 +651,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTruststoreFile(String truststoreFile) {
-        setProperty("truststoreFile", Type.JSSE);
+        setTrustProperty("truststoreFile", Type.JSSE);
         this.truststoreFile = truststoreFile;
     }
 
@@ -639,7 +662,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTruststorePassword(String truststorePassword) {
-        setProperty("truststorePassword", Type.JSSE);
+        setTrustProperty("truststorePassword", Type.JSSE);
         this.truststorePassword = truststorePassword;
     }
 
@@ -650,7 +673,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTruststoreProvider(String truststoreProvider) {
-        setProperty("truststoreProvider", Type.JSSE);
+        setTrustProperty("truststoreProvider", Type.JSSE);
         this.truststoreProvider = truststoreProvider;
     }
 
@@ -669,7 +692,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTruststoreType(String truststoreType) {
-        setProperty("truststoreType", Type.JSSE);
+        setTrustProperty("truststoreType", Type.JSSE);
         this.truststoreType = truststoreType;
     }
 
@@ -693,6 +716,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setTrustStore(KeyStore truststore) {
+        setTrustProperty("trustStore", Type.JSSE);
         this.truststore = truststore;
     }
 
@@ -737,7 +761,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setCaCertificateFile(String caCertificateFile) {
-        if (setProperty("caCertificateFile", Type.OPENSSL)) {
+        if (setTrustProperty("caCertificateFile", Type.OPENSSL)) {
             // Reset default JSSE trust store if not a JSSE configuration
             if (truststoreFile != null) {
                 truststoreFile = null;
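Review bot: The context comment `// Reset default JSSE trust store if not a JSSE configuration` in setCaCertificateFile is now guarded by the trust configuration type alone, so "configuration" no longer says which of the two types is meant; suggest `// Reset default JSSE trust store if the trust configuration is not JSSE`. The same comment sits in the setCaCertificatePath hunk that follows and should be updated there too. Both methods continue outside their hunks.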
@@ -753,7 +777,7 @@ public class SSLHostConfig implements Serializable {
 
 
     public void setCaCertificatePath(String caCertificatePath) {
-        if (setProperty("caCertificatePath", Type.OPENSSL)) {
+        if (setTrustProperty("caCertificatePath", Type.OPENSSL)) {
             // Reset default JSSE trust store if not a JSSE configuration
             if (truststoreFile != null) {
                 truststoreFile = null;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6b12acd8d7..963e365291 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -231,6 +231,12 @@
         <bug>69910</bug>: Dereference TLS objects right after closing a socket to improve memory efficiency. (remm)
       </fix>
+      <fix>
+        Relax the JSSE vs OpenSSL configuration style checks on
+        <code>SSLHostConfig</code> to reflect the existing implementation that
+        allows one configuration style to be used for the trust attributes and a
+        different style for all the other attributes. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 627122a3cc..d1b17d48ba 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1155,10 +1155,16 @@
   <p>The NIO connector uses either the JSSE Java SSL implementation or an OpenSSL implementation. As far as possible, common configuration attributes
-  are used for both JSSE and OpenSSL. You cannot mix JSSE specific configuration
-  attributes and OpenSSL specific configuration attributes on the same
-  connector. However, you may use either the JSSE or the OpenSSL configuration
-  style with either the JSSE and OpenSSL implementations.</p>
+  are used for both JSSE and OpenSSL. You must use a consistent configuration
+  style (JSSE specific attributes or OpenSSL specfic attributes) for each of the
+  following groups of configuration attributes but you may use a different
+  configuration style for each group:</p>
+  <ul>
+  <li>trust attributes</li>
+  <li>all other attributes</li>
+  </ul>
+  <p>The implementation used (JSSE or the OpenSSL) is independent of the
+  configuration style used.</p>
   <p>Each secure connector must define at least one <strong>SSLHostConfig</strong>. The names of the
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
