This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 2471e14e37 Improve warning for using OpenSSLConf with JSSE
implementations
2471e14e37 is described below
commit 2471e14e379337cb876d0a064b9660126dbcdc0c
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 08:57:06 2026 +0000
Improve warning for using OpenSSLConf with JSSE implementations
---
java/org/apache/tomcat/util/net/SSLHostConfig.java | 1 -
java/org/apache/tomcat/util/net/jsse/JSSEUtil.java | 5 +++++
java/org/apache/tomcat/util/net/jsse/LocalStrings.properties | 1 +
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/http.xml | 4 ++++
5 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 600aa32f0a..e78a155230 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -310,7 +310,6 @@ public class SSLHostConfig implements Serializable {
} else if (openSslConf != null) {
throw new
IllegalArgumentException(sm.getString("sslHostConfig.opensslconf.alreadySet"));
}
- setProperty("<OpenSSLConf>", Type.OPENSSL);
openSslConf = conf;
}
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
index 93e47cd02a..17ae7991f4 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java
@@ -142,6 +142,11 @@ public class JSSEUtil extends SSLUtilBase {
} else {
implementedCiphers = new
HashSet<>(Arrays.asList(implementedCipherSuiteArray));
}
+
+ if (sslHostConfig.getOpenSslConf() != null) {
+ log.warn(sm.getString("jsseUtil.opensslconf.present"));
+ }
+
initialized = true;
}
}
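Review bot: The warning added just before `initialized = true;` does not say which SSLHostConfig carries the ignored OpenSSLConf, so on a server with several connectors or TLS virtual hosts the log does not show which host is running without the settings the operator wrote. OpenSSLConf commands often hold protocol or cipher restrictions, so a silent fallback to the JSSE attributes is worth pinpointing. Consider passing the host name, `log.warn(sm.getString("jsseUtil.opensslconf.present", sslHostConfig.getHostName()));`, with a matching `[{0}]` placeholder in the `jsseUtil.opensslconf.present` entry added to LocalStrings.properties in the next hunk. The enclosing method starts outside this hunk, so how often the message is logged per host configuration cannot be confirmed from here.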
diff --git a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
index 6e0c7e3cb7..47bf1bf90b 100644
--- a/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/LocalStrings.properties
@@ -21,6 +21,7 @@ jsseSupport.clientCertError=Error trying to obtain a
certificate from the client
jsseUtil.excludeProtocol=The SSL protocol [{0}] which is supported in this JRE
was excluded from the protocols available to Tomcat
jsseUtil.noDefaultProtocols=Unable to determine a default for
sslEnabledProtocols. Set an explicit value to ensure the connector can start.
+jsseUtil.opensslconf.present=A connector is configured to use a JSSE TLS
implementation with OpenSSL specific OpenSSLConf configuration elements. The
OpenSSLConf configuration elements will be ignored.
pemFile.noMultiPrimes=The PKCS#1 certificate is in multi-prime format and Java
does not provide an API for constructing an RSA private key object from that
format
pemFile.noPassword=A password is required to decrypt the private key
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5e60ba621a..3756780b4a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -121,6 +121,10 @@
allows one configuration style to be used for the trust attributes and
a
different style for all the other attributes. (markt)
</fix>
+ <fix>
+ Better warning message when <code>OpenSSLConf</code> configuration
+ elements are used with a JSSE TLS implementation. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 827a2e980a..d9e24defac 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1250,6 +1250,10 @@
<p>The implementation used (JSSE or OpenSSL) is independent of the
configuration style used.</p>
+ <p>Any <code>OpenSSLConf</code> settings are only used with an OpenSSL
+ implementation and may override attributes set via <code>SSLHostConfig</code>
+ or <code>Certificate</code> elements.</p>
+
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the
<strong>SSLHostConfig</strong> elements must be unique and one of them must