This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 4adf369625cc1b58f5120e53488d6587783d8bad
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 08:57:06 2026 +0000
Improve warning for using OpenSSLConf with JSSE implementations
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 1 -
 java/org/apache/tomcat/util/net/jsse/JSSEUtil.java | 5 +++++
 java/org/apache/tomcat/util/net/jsse/LocalStrings.properties | 1 +
 webapps/docs/changelog.xml | 4 ++++
 webapps/docs/config/http.xml | 4 ++++
 5 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 600aa32f0a..e78a155230 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -310,7 +310,6 @@ public class SSLHostConfig implements Serializable {
 } else if (openSslConf != null) {
 throw new IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.alreadySet"));
 }
- setProperty("<OpenSSLConf>", Type.OPENSSL);
 openSslConf = conf;
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
index 93e47cd02a..17ae7991f4 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
@@ -142,6 +142,11 @@ public class JSSEUtil extends SSLUtilBase {
 } else {
 implementedCiphers = new HashSet<>(Arrays.asList(implementedCipherSuiteArray));
 }
+
+ if (sslHostConfig.getOpenSslConf() != null) {
+ log.warn(sm.getString("jsseUtil.opensslconf.present"));
+ }
+
 initialized = true;
 }
 }
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index d4cdaa1105..ef16a01b9e 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
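Review bot: The `log.warn` added in the JSSEUtil hunk does not identify which TLS virtual host carries the ignored `OpenSSLConf`, so on a server with several secure connectors an operator cannot tell which one is running without the settings they wrote. `OpenSSLConf` commands can carry protocol and cipher restrictions, so a silently narrower-than-intended hardening is the case this warning exists to surface, and it should be actionable. I would pass the host name, `log.warn(sm.getString("jsseUtil.opensslconf.present", sslHostConfig.getHostName()));`, and add a `[{0}]` placeholder to the `jsseUtil.opensslconf.present` string in LocalStrings.properties. The enclosing initialisation block starts and ends outside this hunk, so whether the warning is emitted once per `SSLHostConfig` or once per certificate cannot be confirmed from the visible lines.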
@@ -18,6 +18,7 @@ jsseSupport.clientCertError=Error trying to obtain a certificate from the client
 jsseUtil.excludeProtocol=The SSL protocol [{0}] which is supported in this JRE was excluded from the protocols available to Tomcat
 jsseUtil.noDefaultProtocols=Unable to determine a default for sslEnabledProtocols. Set an explicit value to ensure the connector can start.
+jsseUtil.opensslconf.present=A connector is configured to use a JSSE TLS implementation with OpenSSL specific OpenSSLConf configuration elements. The OpenSSLConf configuration elements will be ignored.
 pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java does not provide an API for constructing an RSA private key object from that format
 pemFile.noPassword=A password is required to decrypt the private key
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e5de9ebbbd..685d2c5ba1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -237,6 +237,10 @@
 allows one configuration style to be used for the trust attributes and a different style for all the other attributes. (markt)
 </fix>
+ <fix>
+ Better warning message when <code>OpenSSLConf</code> configuration
+ elements are used with a JSSE TLS implementation. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index c7e9c63b8a..eba04b451c 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1166,6 +1166,10 @@
 <p>The implementation used (JSSE or OpenSSL) is independent of the configuration style used.</p>
+ <p>Any <code>OpenSSLConf</code> settings are only used with an OpenSSL
+ implementation and may override attributes set via <code>SSLHostConfig</code>
+ or <code>Certificate</code> elements.</p>
+
 <p>Each secure connector must define at least one <strong>SSLHostConfig</strong>. The names of the <strong>SSLHostConfig</strong> elements must be unique and one of them must
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
