This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new af39a9a306 Reduce warnings when running TLS tests
af39a9a306 is described below
commit af39a9a3065f8d2f2e58235619e045b0bac05d11
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 08:37:08 2026 +0000
Reduce warnings when running TLS tests
---
.../apache/tomcat/util/net/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/SSLHostConfig.java | 42 +++++++++++++++++-----
webapps/docs/changelog.xml | 6 ++++
webapps/docs/config/http.xml | 22 +++++++-----
4 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 2746156921..e41129c3d3 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -178,6 +178,7 @@ sslHostConfig.certificateVerificationInvalid=The
certificate verification value
sslHostConfig.fileNotFound=Configured file [{0}] does not exist
sslHostConfig.invalid_truststore_password=The provided trust store password
could not be used to unlock and/or validate the trust store. Retrying to access
the trust store with a null password which will skip validation.
sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named
[{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being
used with the [{3}] configuration syntax
+sslHostConfig.mismatch.trust=The trust configuration property [{0}] was set on
the SSLHostConfig named [{1}] and is for the [{2}] configuration syntax but the
SSLHostConfig is being used with the [{3}] trust configuration syntax
sslHostConfig.opensslconf.alreadyset=Attempt to set another OpenSSLConf ignored
sslHostConfig.opensslconf.null=Attempt to set null OpenSSLConf ignored
sslHostConfig.prefix_missing=The protocol [{0}] was added to the list of
protocols on the SSLHostConfig named [{1}]. Check if a +/- prefix is missing.
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index ad85978dde..87aa657bab 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -78,6 +78,7 @@ public class SSLHostConfig implements Serializable {
}
private Type configType = null;
+ private Type trustConfigType = null;
private String hostName = DEFAULT_SSL_HOST_NAME;
@@ -186,7 +187,7 @@ public class SSLHostConfig implements Serializable {
* @param name the property name
* @param configType the configuration type
*
- * @return true if the property belongs to the current configuration, and
false otherwise
+ * @return true if the property belongs to the current configuration type,
and false otherwise
*/
boolean setProperty(String name, Type configType) {
if (this.configType == null) {
@@ -201,6 +202,28 @@ public class SSLHostConfig implements Serializable {
}
+ /**
+ * Set property which belongs to the specified trust configuration type.
+ *
+ * @param name the property name
+ * @param trustConfigType the trust configuration type
+ *
+ * @return true if the property belongs to the current trust configuration
type, and false otherwise
+ */
+ boolean setTrustProperty(String name, Type trustConfigType) {
+ if (this.trustConfigType == null) {
+ this.trustConfigType = trustConfigType;
+ } else {
+ if (trustConfigType != this.trustConfigType) {
+ log.warn(sm.getString("sslHostConfig.mismatch.trust", name,
getHostName(), trustConfigType,
+ this.trustConfigType));
+ return false;
+ }
+ }
+ return true;
+ }
+
+
// ----------------------------------------------------- Internal
properties
/**
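Review bot: The boolean returned by `setTrustProperty` is ignored by every JSSE trust setter that calls it (the later hunks show `setTruststoreFile`, `setTruststorePassword` etc. assigning their field unconditionally after the call), so a property from the "wrong" trust syntax is still applied and the mismatch is only logged; the new Javadoc reads as if the return value gated something. Suggest making that explicit in the `@return` text: `@return true if the property belongs to the current trust configuration type, false if it does not; a mismatch is logged but callers still apply the value`. It would also help a reader to state on `trustConfigType` (added in the first hunk) that it is tracked independently of `configType` on purpose, since the two fields are otherwise easy to confuse. Whether either field is ever reset is not visible in this diff.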
@@ -818,7 +841,7 @@ public class SSLHostConfig implements Serializable {
public void setTrustManagerClassName(String trustManagerClassName) {
- setProperty("trustManagerClassName", Type.JSSE);
+ setTrustProperty("trustManagerClassName", Type.JSSE);
this.trustManagerClassName = trustManagerClassName;
}
@@ -829,7 +852,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreAlgorithm(String truststoreAlgorithm) {
- setProperty("truststoreAlgorithm", Type.JSSE);
+ setTrustProperty("truststoreAlgorithm", Type.JSSE);
this.truststoreAlgorithm = truststoreAlgorithm;
}
@@ -840,7 +863,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreFile(String truststoreFile) {
- setProperty("truststoreFile", Type.JSSE);
+ setTrustProperty("truststoreFile", Type.JSSE);
this.truststoreFile = truststoreFile;
}
@@ -851,7 +874,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststorePassword(String truststorePassword) {
- setProperty("truststorePassword", Type.JSSE);
+ setTrustProperty("truststorePassword", Type.JSSE);
this.truststorePassword = truststorePassword;
}
@@ -862,7 +885,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreProvider(String truststoreProvider) {
- setProperty("truststoreProvider", Type.JSSE);
+ setTrustProperty("truststoreProvider", Type.JSSE);
this.truststoreProvider = truststoreProvider;
}
@@ -881,7 +904,7 @@ public class SSLHostConfig implements Serializable {
public void setTruststoreType(String truststoreType) {
- setProperty("truststoreType", Type.JSSE);
+ setTrustProperty("truststoreType", Type.JSSE);
this.truststoreType = truststoreType;
}
@@ -905,6 +928,7 @@ public class SSLHostConfig implements Serializable {
public void setTrustStore(KeyStore truststore) {
+ setTrustProperty("trustStore", Type.JSSE);
this.truststore = truststore;
}
@@ -994,7 +1018,7 @@ public class SSLHostConfig implements Serializable {
public void setCaCertificateFile(String caCertificateFile) {
- if (setProperty("caCertificateFile", Type.OPENSSL)) {
+ if (setTrustProperty("caCertificateFile", Type.OPENSSL)) {
// Reset default JSSE trust store if not a JSSE configuration
if (truststoreFile != null) {
truststoreFile = null;
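Review bot: The reset of the default JSSE trust store only runs when OpenSSL is the first trust syntax recorded; now that trust tracking is separate from `configType`, a later `setTruststoreFile` (JSSE) on the same host config will log `mismatch.trust` and still set `truststoreFile`, leaving both a CA file and a JSSE trust store configured. Which one the implementation then honours is not visible here, so the precedence should be stated in a comment at this reset, e.g. `// Only clears the JSSE default when OpenSSL trust config is seen first; a later JSSE trust property is warned about but still applied`. The body of `setCaCertificateFile` continues past the end of this hunk.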
@@ -1010,7 +1034,7 @@ public class SSLHostConfig implements Serializable {
public void setCaCertificatePath(String caCertificatePath) {
- if (setProperty("caCertificatePath", Type.OPENSSL)) {
+ if (setTrustProperty("caCertificatePath", Type.OPENSSL)) {
// Reset default JSSE trust store if not a JSSE configuration
if (truststoreFile != null) {
truststoreFile = null;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7bb509b44a..8ae0d110fd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -118,6 +118,12 @@
<bug>69910</bug>: Dereference TLS objects right after closing a socket
to improve memory efficiency. (remm)
</fix>
+ <fix>
+ Relax the JSSE vs OpenSSL configuration style checks on
+ <code>SSLHostConfig</code> to reflect the existing implementation that
+ allows one configuration style to be used for the trust attributes and
a
+ different style for all the other attributes. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 6e9d16a0c4..1f4acf5b11 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1360,15 +1360,19 @@
attributes to the values <code>https</code> and <code>true</code>
respectively, to pass correct information to the servlets.</p>
- <p>The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
- an OpenSSL implementation whereas the APR/native connector uses OpenSSL only.
- Prior to Tomcat 8.5, different configuration attributes were used for JSSE
and
- OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common
configuration
- attributes are used for both JSSE and OpenSSL. You cannot mix JSSE specific
- configuration attributes and OpenSSL specific configuration attributes on the
- same NIO or NIO2 connector. However, you may use either the JSSE or the
OpenSSL
- configuration style with the NIO and NIO2 connectors with either the JSSE or
- OpenSSL implementations.</p>
+ <p>The NIO and NIO2 connectors may be configured to use either a JSSE Java
SSL
+ implementation or an OpenSSL implementation whereas the APR/native connector
+ uses OpenSSL only. As far as possible, common configuration attributes are
+ used for both JSSE and OpenSSL. For each Connector, you must use a consistent
+ configuration style (JSSE specific attributes or OpenSSL specfic attributes)
+ for each of the following groups of configuration attributes but you may use
a
+ different configuration style for each group:</p>
+ <ul>
+ <li>trust attributes</li>
+ <li>all other attributes</li>
+ </ul>
+ <p>The implementation used (JSSE or the OpenSSL) is independent of the
+ configuration style used.</p>
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the