Folks, I am running 8.5.88 and noticed these lines in my catalina.out:
2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null]
2023-06-08T12:38:55.036 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [/opt/openssl/certs]
I have two connectors configured (both APR and OpenSSL); the only difference is that the second one (18444) requires TLS client certificates:
<Connector port="8444"
           connectionTimeout="20000"
           keepAliveTimeout="300000"
           maxParameterCount="1000"
           maxHttpHeaderSize="24576"
           maxThreads="250"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net"
                 protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true"
                 disableSessionTickets="true"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
                 certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
                 certificateKeyPassword="..."
                 type="RSA" />
  </SSLHostConfig>
</Connector>
and
<Connector port="18444"
           connectionTimeout="20000"
           keepAliveTimeout="7200000"
           maxParameterCount="1000"
           maxHttpHeaderSize="24576"
           maxThreads="250"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net"
                 protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true"
                 disableSessionTickets="true"
                 certificateVerification="optional"
                 certificateVerificationDepth="5"
                 caCertificatePath="/opt/openssl/certs"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
                 certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
                 certificateKeyPassword="..."
                 type="RSA" />
    <OpenSSLConf>
      <OpenSSLConfCmd name="RequestCAFile"
                      value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
    </OpenSSLConf>
  </SSLHostConfig>
</Connector>
The information displayed is partially wrong. It fails to differentiate between store types (org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType).
Moreover, from my PoV it makes little sense to print "trust store [null]" if no verification is requested, no? At the least, it causes confusion by suggesting that a user/admin has forgotten to configure something.
Should I file a bug?

Michael
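As an added example (not from the mail above or from Tomcat itself), the following script cross-checks each SSLEnabled connector in a server.xml fragment so an admin can tell whether a logged "trust store [null]" is expected (no client certificate verification requested) or hides a real gap (verification requested but no CA source configured). The embedded XML is a trimmed reconstruction of the two connectors in the mail, and the "https-openssl-apr-<port>" connector naming and the status labels are my assumptions.

```python
# Added example: audit SSLHostConfig trust sources against certificateVerification.
# Real Tomcat attribute names are used (certificateVerification, caCertificatePath,
# caCertificateFile, truststoreFile); the fragment below is constructed for the demo.
import xml.etree.ElementTree as ET

SERVER_XML = """<Service>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3">
      <Certificate certificateFile="/opt/openssl/cert.crt"
                   certificateKeyFile="/opt/openssl/key.crt" type="RSA" />
    </SSLHostConfig>
  </Connector>
  <Connector port="18444" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="optional" certificateVerificationDepth="5"
                   caCertificatePath="/opt/openssl/certs">
      <Certificate certificateFile="/opt/openssl/cert.crt"
                   certificateKeyFile="/opt/openssl/key.crt" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service>"""

# Attributes that supply the CA material used to verify client certificates.
TRUST_ATTRS = ("caCertificatePath", "caCertificateFile", "truststoreFile")


def audit_tls_connectors(server_xml: str) -> list:
    """One finding per SSLEnabled <Connector>/<SSLHostConfig> pair."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for host in conn.findall("SSLHostConfig"):
            verification = host.get("certificateVerification", "none")  # Tomcat default
            trust = {a: host.get(a) for a in TRUST_ATTRS if host.get(a)}
            asks_for_client_cert = verification != "none"
            if asks_for_client_cert and not trust:
                status = "MISCONFIGURED"  # verification requested, nothing to verify against
            elif not asks_for_client_cert and trust:
                status = "UNUSED"  # CA source configured but never consulted
            else:
                status = "OK"  # for 'none' without a trust source, a logged [null] is expected
            findings.append({
                "connector": f"https-openssl-apr-{conn.get('port')}",  # assumed naming
                "host": host.get("hostName"),
                "certificateVerification": verification,
                "trust_sources": trust,
                "status": status,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_tls_connectors(SERVER_XML):
        print(finding)
```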