[Bug 61566] Expose TLS Certificate and Trusted Authority details through the Manager TLS
https://bz.apache.org/bugzilla/show_bug.cgi?id=61566

--- Comment #5 from Mark Thomas ---

For the feature to work, all of the following must be true:
- HTTP connector
- NIO or NIO2 implementation
- JSSE style TLS configuration (key stores) used

It does not work for the HTTP APR/native connector. It does not work if OpenSSL style configuration is used. Whether or not it works is independent of the TLS implementation (JSSE or OpenSSL) used. It does not apply to AJP connectors.

The TLS information is extracted during the configuration phase. Hence the configuration style is important. When the OpenSSL configuration style is used, the same information isn't available in the same form at the same point. Rather than extracting it in the right form from OpenSSL (which would require JNI changes) it should be possible to derive it from the configuration files and cache it.

-- 
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61566] Expose TLS Certificate and Trusted Authority details through the Manager TLS
https://bz.apache.org/bugzilla/show_bug.cgi?id=61566

--- Comment #4 from Christopher Schultz ---

(In reply to Mark Thomas from comment #3)
> This has been implemented for connectors that use either the JSSE or OpenSSL
> implementation that are configured with key stores.
>
> Providing the information for OpenSSL style configuration would require
> changes to Tomcat Native and, as previously stated, I'm not sure OpenSSL
> exposes the information.

Can you please clarify this? I think the issue is whether the certificate information is available to the Java components instead of coming from native/APR, right?

So the information should be available to any Java-based connector (NIO, NIO2) regardless of the "configuration style" that is being used, and the APR connector won't report this information (at least, not yet).
[Bug 61566] Expose TLS Certificate and Trusted Authority details through the Manager TLS
https://bz.apache.org/bugzilla/show_bug.cgi?id=61566

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Mark Thomas ---

This has been implemented for connectors that use either the JSSE or OpenSSL implementation that are configured with key stores.

Providing the information for OpenSSL style configuration would require changes to Tomcat Native and, as previously stated, I'm not sure OpenSSL exposes the information.
[Bug 61566] Expose TLS Certificate and Trusted Authority details through the Manager TLS
https://bz.apache.org/bugzilla/show_bug.cgi?id=61566

--- Comment #2 from Christopher Schultz ---

(In reply to Mark Thomas from comment #1)
> Given that it is possible the APR/native connector will be removed in Tomcat
> 10, just providing this information for NIO and NIO2 could be considered.

+1

Even if the APR connector remains, exposing this information for Java-based connectors is worthwhile.

If we get desperate, we can re-read the configuration from the and re-load the certificates from the cert store. It won't always be 100% accurate (because you'll be reading the config and not the active cert from memory) but it will get the job done much of the time.
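What the fallback proposed in comment #2 (and the "derive it from the configuration files" route in comment #5) looks like in code: re-open the configured key store and trust store and report the certificate and trusted-authority details from the files rather than from the live connector. This is an added illustration, not code from the bug thread or from Tomcat; it assumes the JSSE-style store file, password and type are passed on the command line (the same values a Connector's certificateKeystoreFile/certificateKeystorePassword/certificateKeystoreType or truststoreFile/truststorePassword/truststoreType attributes carry), and the 30-day expiry threshold is an arbitrary choice for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collections;

/**
 * Lists, for a JSSE-style key store or trust store file, what a "configuration
 * file" approach can expose: each key entry's leaf certificate and chain, and
 * each trusted-certificate entry (trust anchor). Because it reads the file, not
 * the running connector, it reflects the on-disk state only (the caveat in
 * comment #2). Example harness, not Tomcat's own code.
 *
 * Usage: java KeyStoreInspector <storeFile> <password> [type]
 *        type defaults to JKS here; pass PKCS12 for a PKCS#12 file.
 */
public class KeyStoreInspector {

    static final long EXPIRY_WARN_DAYS = 30; // arbitrary threshold for this example

    static void describe(String label, X509Certificate c) {
        long daysLeft = (c.getNotAfter().toInstant().getEpochSecond()
                - Instant.now().getEpochSecond()) / 86400;
        System.out.printf("  %s%n    subject=%s%n    issuer=%s%n    serial=%s%n    notAfter=%s (%d days)%s%n",
                label, c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                c.getSerialNumber().toString(16), c.getNotAfter(), daysLeft,
                daysLeft < EXPIRY_WARN_DAYS ? "  <-- expiring soon or expired" : "");
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 2 ? args[2] : "JKS";
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // getCertificateChain() is null for secret-key entries; skip those
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) continue;
                System.out.println("key entry: " + alias);
                for (int i = 0; i < chain.length; i++) {
                    describe(i == 0 ? "leaf" : "chain[" + i + "]", (X509Certificate) chain[i]);
                }
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println("trusted authority: " + alias);
                describe("anchor", (X509Certificate) ks.getCertificate(alias));
            }
        }
    }
}
```

Run it once against the key store and once against the trust store to see both halves of what the bug asks the Manager to expose; a mismatch against what the server actually serves is exactly the inaccuracy comment #2 warns about.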
[Bug 61566] Expose TLS Certificate and Trusted Authority details through the Manager TLS
https://bz.apache.org/bugzilla/show_bug.cgi?id=61566

--- Comment #1 from Mark Thomas ---

This doesn't look as if it will be as easy as I'd hoped.

While the information is fairly easy to get at for NIO and NIO2, it isn't for APR/native. Additional methods would need to be added to the JNI API and I'm not 100% sure the required information is accessible via the OpenSSL API.

Given that it is possible the APR/native connector will be removed in Tomcat 10, just providing this information for NIO and NIO2 could be considered.