Folks,

I am running 8.5.88 and noticed these lines in my catalina.out:
2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null]
2023-06-08T12:38:55.036 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [/opt/openssl/certs]

I have two connectors configured (both APR and OpenSSL); the only difference is that the second one (18444) requires TLS client certificates:
<Connector port="8444" connectionTimeout="20000" keepAliveTimeout="300000"
           maxParameterCount="1000" maxHttpHeaderSize="24576" maxThreads="250"
           SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true" disableSessionTickets="true"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
                 certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
                 certificateKeyPassword="..." type="RSA" />
  </SSLHostConfig>
</Connector>

and

<Connector port="18444" connectionTimeout="20000" keepAliveTimeout="7200000"
           maxParameterCount="1000" maxHttpHeaderSize="24576" maxThreads="250"
           SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true" disableSessionTickets="true"
                 certificateVerification="optional" certificateVerificationDepth="5"
                 caCertificatePath="/opt/openssl/certs"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
                 certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
                 certificateKeyPassword="..." type="RSA" />
    <OpenSSLConf>
      <OpenSSLConfCmd name="RequestCAFile"
                      value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
    </OpenSSLConf>
  </SSLHostConfig>
</Connector>

The information displayed is partially wrong. It fails to differentiate between store types (org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType).

Moreover, from my PoV it makes little sense to print "trust store [null]" if no verification is requested, no? At the least, it causes confusion that a user/admin has missed configuring something.

Should I file a bug?

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
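Added here as a defender's check, not part of the post or of Tomcat itself: a small Python audit over a constructed server.xml fragment (the two connectors from the post plus a hypothetical third one, 28444, with a made-up host name) that reports, per SSLHostConfig, whether client-certificate verification is requested and which attribute supplies the trust store, so a "trust store [null]" is only flagged when the verification mode actually needs one. The attribute names are Tomcat's SSLHostConfig attributes (certificateVerification, truststoreFile, caCertificateFile, caCertificatePath); the third connector and the paths in the fragment are constructed.

```python
# Added example, not from the original post: audit SSLHostConfig elements in a
# Tomcat server.xml so "trust store [null]" can be read against what was asked for.
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the two connectors from the post plus a third,
# hypothetical one (28444) that requires client certificates but names no CA store.
SERVER_XML = """<Server><Service>
<Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateFile="cert.crt" certificateKeyFile="key.crt" type="RSA"/>
  </SSLHostConfig>
</Connector>
<Connector port="18444" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net"
      certificateVerification="optional" certificateVerificationDepth="5"
      caCertificatePath="/opt/openssl/certs">
    <Certificate certificateFile="cert.crt" certificateKeyFile="key.crt" type="RSA"/>
  </SSLHostConfig>
</Connector>
<Connector port="28444" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig hostName="example.invalid" certificateVerification="required">
    <Certificate certificateFile="cert.crt" certificateKeyFile="key.crt" type="RSA"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""
# SSLHostConfig attributes that supply the CA material used to verify client certs.
TRUST_ATTRS = ("truststoreFile", "caCertificateFile", "caCertificatePath")
# Modes that validate a presented client cert against a CA ("optionalNoCA" does not).
VERIFYING = {"required", "optional"}

def audit(xml_text):
    """Return one record per SSLHostConfig on an SSL-enabled Connector."""
    records = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in conn.iter("SSLHostConfig"):
            verify = shc.get("certificateVerification", "none")   # Tomcat default: none
            trust = next((shc.get(a) for a in TRUST_ATTRS if shc.get(a)), None)
            issue = None
            if verify.lower() in VERIFYING and trust is None:
                issue = "client cert verification requested but no trust store configured"
            elif verify.lower() == "none" and trust is not None:
                issue = "trust store configured but certificateVerification is none"
            records.append({"port": conn.get("port"), "host": shc.get("hostName"),
                            "verification": verify, "trust_store": trust, "issue": issue})
    return records

if __name__ == "__main__":
    for r in audit(SERVER_XML):
        print(r)
```

For the two connectors from the post the audit reports no issue: 8444 has verification "none" and no trust store, 18444 has "optional" with /opt/openssl/certs; only the constructed 28444 is flagged.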
