This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 3cff6ef4f7 Reduce warnings when running TLS tests
3cff6ef4f7 is described below
commit 3cff6ef4f7fe494919a01dfde382bc7b7c7721ee
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 08:37:08 2026 +0000
Reduce warnings when running TLS tests
---
.../apache/tomcat/util/net/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/SSLHostConfig.java | 42 +++++++++++++++++-----
webapps/docs/changelog.xml | 6 ++++
webapps/docs/config/http.xml | 14 +++++---
4 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index fd52feedad..f9eb84189e 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -156,6 +156,7 @@ sslHostConfig.certificateVerificationInvalid=The
certificate verification value
sslHostConfig.fileNotFound=Configured file [{0}] does not exist
sslHostConfig.invalid_truststore_password=The provided trust store password
could not be used to unlock and/or validate the trust store. Retrying to access
the trust store with a null password which will skip validation.
sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named
[{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being
used with the [{3}] configuration syntax
+sslHostConfig.mismatch.trust=The trust configuration property [{0}] was set on
the SSLHostConfig named [{1}] and is for the [{2}] configuration syntax but the
SSLHostConfig is being used with the [{3}] trust configuration syntax
sslHostConfig.opensslconf.alreadyset=Attempt to set another OpenSSLConf ignored
sslHostConfig.opensslconf.null=Attempt to set null OpenSSLConf ignored
sslHostConfig.prefix_missing=The protocol [{0}] was added to the list of
protocols on the SSLHostConfig named [{1}]. Check if a +/- prefix is missing.
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 1ab4233439..600aa32f0a 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -80,6 +80,7 @@ public class SSLHostConfig implements Serializable {
}
private Type configType = null;
+ private Type trustConfigType = null;
private String hostName = DEFAULT_SSL_HOST_NAME;
@@ -188,7 +189,7 @@ public class SSLHostConfig implements Serializable {
* @param name the property name
* @param configType the configuration type
*
- * @return true if the property belongs to the current configuration, and
false otherwise
+ * @return true if the property belongs to the current configuration type,
and false otherwise
*/
boolean setProperty(String name, Type configType) {
if (this.configType == null) {
@@ -203,6 +204,28 @@ public class SSLHostConfig implements Serializable {
}
+ /**
+ * Set property which belongs to the specified trust configuration type.
+ *
+ * @param name the property name
+ * @param trustConfigType the trust configuration type
+ *
+ * @return true if the property belongs to the current trust configuration
type, and false otherwise
+ */
+ boolean setTrustProperty(String name, Type trustConfigType) {
+ if (this.trustConfigType == null) {
+ this.trustConfigType = trustConfigType;
+ } else {
+ if (trustConfigType != this.trustConfigType) {
+ log.warn(sm.getString("sslHostConfig.mismatch.trust", name,
getHostName(), trustConfigType,
+ this.trustConfigType));
+ return false;
+ }
+ }
+ return true;
+ }
+
+
// ----------------------------------------------------- Internal
properties
/**
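Review bot: The javadoc on `setTrustProperty` does not say what a `false` return means in practice, and the method body is a line-for-line copy of `setProperty` with only the field and message key swapped. The JSSE trust setters updated in the later hunks (for example `setTrustManagerClassName` in the `@@ -606` hunk) discard the result and assign the value regardless, so a style mismatch is logged but never rejected; the contract should state that, e.g. add to the javadoc `A mismatch is only logged as a warning; callers decide whether to still apply the value.` The two methods could also share one private helper taking the current type, the requested type and the message key, which would keep the two warning paths from drifting apart, but that is optional.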
@@ -606,7 +629,7 @@ public class SSLHostConfig implements Serializable {
public void setTrustManagerClassName(String trustManagerClassName) {
- setProperty("trustManagerClassName", Type.JSSE);
+ setTrustProperty("trustManagerClassName", Type.JSSE);
this.trustManagerClassName = trustManagerClassName;
}
@@ -617,7 +640,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreAlgorithm(String truststoreAlgorithm) {
- setProperty("truststoreAlgorithm", Type.JSSE);
+ setTrustProperty("truststoreAlgorithm", Type.JSSE);
this.truststoreAlgorithm = truststoreAlgorithm;
}
@@ -628,7 +651,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreFile(String truststoreFile) {
- setProperty("truststoreFile", Type.JSSE);
+ setTrustProperty("truststoreFile", Type.JSSE);
this.truststoreFile = truststoreFile;
}
@@ -639,7 +662,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststorePassword(String truststorePassword) {
- setProperty("truststorePassword", Type.JSSE);
+ setTrustProperty("truststorePassword", Type.JSSE);
this.truststorePassword = truststorePassword;
}
@@ -650,7 +673,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreProvider(String truststoreProvider) {
- setProperty("truststoreProvider", Type.JSSE);
+ setTrustProperty("truststoreProvider", Type.JSSE);
this.truststoreProvider = truststoreProvider;
}
@@ -669,7 +692,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreType(String truststoreType) {
- setProperty("truststoreType", Type.JSSE);
+ setTrustProperty("truststoreType", Type.JSSE);
this.truststoreType = truststoreType;
}
@@ -693,6 +716,7 @@ public class SSLHostConfig implements Serializable {
public void setTrustStore(KeyStore truststore) {
+ setTrustProperty("trustStore", Type.JSSE);
this.truststore = truststore;
}
@@ -737,7 +761,7 @@ public class SSLHostConfig implements Serializable {
public void setCaCertificateFile(String caCertificateFile) {
- if (setProperty("caCertificateFile", Type.OPENSSL)) {
+ if (setTrustProperty("caCertificateFile", Type.OPENSSL)) {
// Reset default JSSE trust store if not a JSSE configuration
if (truststoreFile != null) {
truststoreFile = null;
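Review bot: The reset of the default JSSE trust store in `setCaCertificateFile` (and in `setCaCertificatePath` in the next hunk) now fires whenever no trust-style attribute has been recorded yet, whereas before it required the whole `SSLHostConfig` to be OpenSSL style: with JSSE key-store attributes already applied, `setProperty` returned `false` and `truststoreFile` kept its default. If that reading is right, a mixed configuration now ends up with `truststoreFile` cleared and only the CA file as trust anchors, which changes which certificates are trusted and deserves an explicit sentence in the changelog entry plus a test covering the mixed case. The enclosing method continues past the hunk, so I cannot see what else is reset in the same branch.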
@@ -753,7 +777,7 @@ public class SSLHostConfig implements Serializable {
public void setCaCertificatePath(String caCertificatePath) {
- if (setProperty("caCertificatePath", Type.OPENSSL)) {
+ if (setTrustProperty("caCertificatePath", Type.OPENSSL)) {
// Reset default JSSE trust store if not a JSSE configuration
if (truststoreFile != null) {
truststoreFile = null;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3ce451a95d..066407cfef 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -115,6 +115,12 @@
<bug>69910</bug>: Dereference TLS objects right after closing a socket
to improve memory efficiency. (remm)
</fix>
+ <fix>
+ Relax the JSSE vs OpenSSL configuration style checks on
+ <code>SSLHostConfig</code> to reflect the existing implementation that
+ allows one configuration style to be used for the trust attributes and
a
+ different style for all the other attributes. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index eada835b1d..32e29bfc30 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1238,10 +1238,16 @@
<p>The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
an OpenSSL implementation. As far as possible, common configuration
attributes
- are used for both JSSE and OpenSSL. You cannot mix JSSE specific
configuration
- attributes and OpenSSL specific configuration attributes on the same
- connector. However, you may use either the JSSE or the OpenSSL configuration
- style with either the JSSE and OpenSSL implementations.</p>
+ are used for both JSSE and OpenSSL. You must use a consistent configuration
+ style (JSSE specific attributes or OpenSSL specfic attributes) for each of
the
+ following groups of configuration attributes but you may use a different
+ configuration style for each group:</p>
+ <ul>
+ <li>trust attributes</li>
+ <li>all other attributes</li>
+ </ul>
+ <p>The implementation used (JSSE or the OpenSSL) is independent of the
+ configuration style used.</p>
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the