This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 80d938f3d43d5b1b2a157d3fbb76b81b238e89b9
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 09:12:36 2026 +0000
For OpenSSL+FFM, only configure CA certs if configuration is present
---
 .../org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 8 +++-----
 webapps/docs/changelog.xml | 5 +++++
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 56bf0989d5..25e2d5acc7 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -557,7 +557,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 SSL_CTX_set_verify(state.sslCtx, value, SSL_CTX_set_verify$callback.allocate(new OpenSSLEngine.VerifyCallback(), contextArena));
- // Trust and certificate verification
+ // Trust and certificate verification (optional - may not be configured)
 if (tms != null) {
 // Client certificate verification based on custom trust managers
 x509TrustManager = chooseTrustManager(tms);
@@ -580,7 +580,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 log.debug(sm.getString("openssl.addedClientCaCert", caCert.toString()));
 }
 }
- } else {
+ } else if (sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null) {
 // Client certificate verification based on trusted CA files and dirs
 MemorySegment caCertificateFileNative = sslHostConfig.getCaCertificateFile() != null ? localArena 
@@ -590,9 +590,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 localArena .allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath())) : MemorySegment.NULL;
- if ((sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null) &&
- SSL_CTX_load_verify_locations(state.sslCtx, caCertificateFileNative,
- caCertificatePathNative) <= 0) {
+ if (SSL_CTX_load_verify_locations(state.sslCtx, caCertificateFileNative, caCertificatePathNative) <= 0) {
 logLastError("openssl.errorConfiguringLocations");
 } else {
 var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 685d2c5ba1..3c04124ddb 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -241,6 +241,11 @@ Better warning message when <code>OpenSSLConf</code> configuration elements are used with a JSSE TLS implementation. (markt)
 </fix>
+ <fix>
+ When using OpenSSL via FFM, don't log a warning about missing CA
+ certificates unless CA certificates were configured and the
+ configuration failed. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
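Review bot: With the CA-file/path guard now hoisted into the `else if` of the previous hunk, a host whose verify mode (the `value` handed to SSL_CTX_set_verify in the first hunk) asks for client certificates but configures neither trust managers nor a CA file/path takes no branch of the `if (tms != null) ... else if` chain and logs nothing, so that misconfiguration now surfaces only as failing handshakes, whereas the old unconditional `else` at least reached the `SSL_CTX_get_client_CA_list` path. Whether OpenSSL's default verify paths are loaded elsewhere in this method is not visible in the hunk, so there may be a fallback I cannot see. A trailing `else` that records the case at debug level, e.g. `} else if (log.isDebugEnabled()) { log.debug(sm.getString("<PLACEHOLDER-new-message-key>")); }`, would keep it diagnosable without reinstating the warning this commit deliberately removes. The enclosing chain starts in the previous hunk and closes after this one.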
