This is an automated email from the ASF dual-hosted git repository.
rmaucher pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 6ecfa23ea3 Only add OpenSSL commands once
6ecfa23ea3 is described below
commit 6ecfa23ea39307cd6f887b1a478104e4c6f84eee
Author: remm <[email protected]>
AuthorDate: Tue May 26 11:47:27 2026 +0200
Only add OpenSSL commands once
---
.../tomcat/util/net/openssl/OpenSSLContext.java | 36 ++++++++++++++++------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 49f38fb241..2e5ba460dc 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -407,19 +407,35 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
SSLContext.setCACertificate(state.ctx,
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
- sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.NO_OCSP_CHECK,
- Boolean.toString(!sslHostConfig.getOcspEnabled())));
- sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_SOFT_FAIL,
- Boolean.toString(sslHostConfig.getOcspSoftFail())));
- sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_TIMEOUT,
- Integer.toString(sslHostConfig.getOcspTimeout())));
- sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_VERIFY_FLAGS,
- Integer.toString(sslHostConfig.getOcspVerifyFlags())));
+ boolean foundOcspConfig = false;
+ for (OpenSSLConfCmd command :
sslHostConfig.getOpenSslConf().getCommands()) {
+ if
(OpenSSLConfCmd.NO_OCSP_CHECK.equals(command.getName())) {
+ foundOcspConfig = true;
+ }
+ }
+ if (!foundOcspConfig) {
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.NO_OCSP_CHECK,
+
Boolean.toString(!sslHostConfig.getOcspEnabled())));
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_SOFT_FAIL,
+
Boolean.toString(sslHostConfig.getOcspSoftFail())));
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_TIMEOUT,
+ Integer.toString(sslHostConfig.getOcspTimeout())));
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_VERIFY_FLAGS,
+
Integer.toString(sslHostConfig.getOcspVerifyFlags())));
+ }
}
if (sslHostConfig.getGroupList() != null) {
- sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.GROUPS,
- sslHostConfig.getGroups().replace(',', ':')));
+ boolean foundGroupsConfig = false;
+ for (OpenSSLConfCmd command :
sslHostConfig.getOpenSslConf().getCommands()) {
+ if (OpenSSLConfCmd.GROUPS.equals(command.getName())) {
+ foundGroupsConfig = true;
+ }
+ }
+ if (!foundGroupsConfig) {
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.GROUPS,
+ sslHostConfig.getGroups().replace(',', ':')));
+ }
}
if (negotiableProtocols != null && !negotiableProtocols.isEmpty())
{
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
