new 0695e1bfc3 For OpenSSL+FFM, only configure CA certs if configuration
is present
commit 0695e1bfc3901b1cde5769d41fce73461d986047
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jan 6 09:12:36 2026 +0000
For OpenSSL+FFM, only configure CA certs if configuration is present
---
.../org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 8 +++-----
webapps/docs/changelog.xml | 5 +++++
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 56bf0989d5..25e2d5acc7 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -557,7 +557,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
SSL_CTX_set_verify(state.sslCtx, value,
SSL_CTX_set_verify$callback.allocate(new
OpenSSLEngine.VerifyCallback(), contextArena));
- // Trust and certificate verification
+ // Trust and certificate verification (optional - may not be
configured)
if (tms != null) {
// Client certificate verification based on custom trust
managers
x509TrustManager = chooseTrustManager(tms);
@@ -580,7 +580,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
log.debug(sm.getString("openssl.addedClientCaCert",
caCert.toString()));
}
}
- } else {
+ } else if (sslHostConfig.getCaCertificateFile() != null ||
sslHostConfig.getCaCertificatePath() != null) {
// Client certificate verification based on trusted CA files
and dirs
MemorySegment caCertificateFileNative =
sslHostConfig.getCaCertificateFile() != null ?
localArena
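Review bot: The new `} else if (sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null) {` leaves the case "no trust managers and no CA file/path" with no branch at all, so a host whose `value` (the verify mode passed to `SSL_CTX_set_verify` at the top of the first hunk, presumably something other than none) requests peer certificates but has no trust source configured now starts silently, where before it fell through to the `SSL_CTX_get_client_CA_list` path and its warning. Suppressing that warning is the stated intent, but whether `SSLHostConfig` rejects this combination earlier is not visible here; if it does not, a final `else` that logs at debug level when `value` requests verification would let an operator who forgot `caCertificateFile`/`caCertificatePath` find out at startup rather than from handshakes failing for lack of trust anchors. The enclosing method starts and ends outside the hunk.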
@@ -590,9 +590,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
localArena
.allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()))
:
MemorySegment.NULL;
- if ((sslHostConfig.getCaCertificateFile() != null ||
sslHostConfig.getCaCertificatePath() != null) &&
- SSL_CTX_load_verify_locations(state.sslCtx,
caCertificateFileNative,
- caCertificatePathNative) <= 0) {
+ if (SSL_CTX_load_verify_locations(state.sslCtx,
caCertificateFileNative, caCertificatePathNative) <= 0) {
logLastError("openssl.errorConfiguringLocations");
} else {
var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e50090fe00..7ea8292ea8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -128,6 +128,11 @@
Better warning message when <code>OpenSSLConf</code> configuration
elements are used with a JSSE TLS implementation. (markt)
</fix>
+ <fix>
+ When using OpenSSL via FFM, don't log a warning about missing CA
+ certificates unless CA certificates were configured and the
+ configuration failed. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">