On 2023-06-08 14:45, Mark Thomas wrote:
On 08/06/2023 12:25, Osipov, Michael (SMD IT IN) wrote:
Folks,

I am running 8.5.88 and noticed these lines in my catalina.out:

2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null]
2023-06-08T12:38:55.036 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [/opt/openssl/certs]

I have two connectors configured (both APR and OpenSSL), the only difference is that the second one (18444) requires TLS client certificates:
<Connector port="8444" connectionTimeout="20000" keepAliveTimeout="300000" maxParameterCount="1000"
  maxHttpHeaderSize="24576" maxThreads="250"
  SSLEnabled="true" scheme="https" secure="true"
  defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
    honorCipherOrder="true" disableSessionTickets="true"
    ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
      certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
      certificateKeyPassword="..." type="RSA" />
  </SSLHostConfig>
</Connector>

and

<Connector port="18444" connectionTimeout="20000" keepAliveTimeout="7200000" maxParameterCount="1000"
  maxHttpHeaderSize="24576" maxThreads="250"
  SSLEnabled="true" scheme="https" secure="true"
  defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
    honorCipherOrder="true" disableSessionTickets="true"
    certificateVerification="optional" certificateVerificationDepth="5"
    caCertificatePath="/opt/openssl/certs"
    ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
      certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
      certificateKeyPassword="..." type="RSA" />
    <OpenSSLConf>
      <OpenSSLConfCmd name="RequestCAFile" value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
    </OpenSSLConf>
  </SSLHostConfig>
</Connector>

The information displayed is partially wrong. It fails to differentiate between store types (org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType).

I disagree with the characterization that the data is wrong. There are many TLS configuration attributes. A few are displayed, most are not. StoreType is one of those that is not.

The aim isn't to display the full configuration (admins can look at server.xml for that). The intention is to make clear, for each configured server certificate, which configuration files are being used. The idea being that you can then examine the relevant files and/or server.xml if there is an issue.

I'm not seeing much of a case for adding StoreType.

...and that's the problem. Neither [/net/home/smartld/.keystore] nor [tomcat] is used, because I have never configured it. I don't expect a full display, but a correct display. I'd rather see no information than incorrect information. I don't insist on printing the storeType at all; it needs to be used in the Java code to determine what configuration has to be printed.

Moreover, from my PoV it makes little sense to print "trust store [null]" if no verification is requested, no? At the least, it causes confusion that a user/admin has forgotten to configure something.

Only if the admin doesn't understand the purpose of the trust store. I'd prefer to keep it. It makes it explicit that one hasn't been configured.

I see your point, yet only a fraction will use TLS client cert, so for those who don't this is just (confusion) log junk.

While the latter is debatable, I consider the former wrong when KEYSTORE is not used.

M
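The store-type decision the thread says the logging should make, written out as an added example (this is not code from Tomcat, from Mark or from Michael): a small Python audit over server.xml that reports, per `<Certificate>`, whether it is PEM-backed or keystore-backed and names only the files that store type actually uses, and that mentions trust material only when `certificateVerification` is not `none`. It assumes the Tomcat attribute names `certificateFile`/`certificateKeyFile`/`certificateChainFile` (PEM) and `certificateKeystoreFile`/`certificateKeyAlias` (keystore), the default keystore path `~/.keystore`, the default host name `_default_`, and the trust attributes `truststoreFile`/`caCertificateFile`/`caCertificatePath`. The embedded server.xml is constructed from the two connectors quoted above plus a third, keystore-based connector added to show the default path and a misconfiguration warning; passwords are placeholders.

```python
"""Store-type-aware audit of Tomcat TLS connectors.

Added example for the thread above, not Tomcat code. Assumed: the Tomcat
attribute names listed in the constants below, ~/.keystore as the default
keystore and _default_ as the default SSLHostConfig host name.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the two connectors from the thread (non-TLS attributes
# dropped) plus a keystore-based connector with no trust material configured.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
      defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
      <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
          certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
          certificateKeyPassword="PLACEHOLDER" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="18444" SSLEnabled="true" scheme="https" secure="true"
      defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
      <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
        certificateVerification="optional" certificateVerificationDepth="5"
        caCertificatePath="/opt/openssl/certs">
        <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
          certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
          certificateKeyPassword="PLACEHOLDER" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
          certificateKeystorePassword="PLACEHOLDER" certificateKeyAlias="tomcat" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

PEM_ATTRS = ("certificateFile", "certificateKeyFile", "certificateChainFile")
KEYSTORE_ATTRS = ("certificateKeystoreFile", "certificateKeystoreType",
                  "certificateKeystoreProvider", "certificateKeyAlias")
TRUST_ATTRS = ("truststoreFile", "caCertificateFile", "caCertificatePath")
DEFAULT_KEYSTORE = "~/.keystore"   # assumed Tomcat default keystore path
DEFAULT_HOST = "_default_"         # assumed Tomcat default SSLHostConfig name


def store_type(cert: ET.Element) -> str:
    """PEM if any PEM attribute is present, otherwise KEYSTORE (the default)."""
    return "PEM" if any(a in cert.attrib for a in PEM_ATTRS) else "KEYSTORE"


def audit_server_xml(xml_text: str) -> List[Dict]:
    """One finding per <Certificate> under every SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in conn.findall("SSLHostConfig"):
            verification = shc.get("certificateVerification", "none")
            trust = {a: shc.get(a) for a in TRUST_ATTRS if shc.get(a)}
            for cert in shc.findall("Certificate"):
                kind = store_type(cert)
                if kind == "PEM":   # only the PEM files matter here
                    source = {a: cert.get(a) for a in PEM_ATTRS if cert.get(a)}
                else:               # only the keystore path and alias matter here
                    source = {"certificateKeystoreFile": cert.get("certificateKeystoreFile", DEFAULT_KEYSTORE),
                              "certificateKeyAlias": cert.get("certificateKeyAlias")}
                warnings = []
                if kind == "PEM" and any(a in cert.attrib for a in KEYSTORE_ATTRS):
                    warnings.append("both PEM and keystore attributes set; only one store type applies")
                if verification != "none" and not trust:
                    warnings.append(f"certificateVerification={verification} but no trust store, CA file or CA path configured")
                if verification == "none" and trust:
                    warnings.append("trust material configured but certificateVerification is none, so it is never consulted")
                findings.append({
                    "port": conn.get("port"),
                    "hostName": shc.get("hostName", conn.get("defaultSSLHostConfigName", DEFAULT_HOST)),
                    "type": cert.get("type", "UNDEFINED"),
                    "storeType": kind, "source": source,
                    "verification": verification, "trust": trust, "warnings": warnings,
                })
    return findings


def describe(finding: Dict) -> str:
    """Log-style line that names only what the store type and verification mode use."""
    src = " ".join(f"{k} [{v}]" for k, v in finding["source"].items() if v)
    line = (f"Connector [port {finding['port']}], TLS virtual host [{finding['hostName']}], "
            f"certificate type [{finding['type']}], store type [{finding['storeType']}], {src}")
    if finding["verification"] != "none":
        trust = " ".join(f"{k} [{v}]" for k, v in finding["trust"].items()) or "NONE CONFIGURED"
        line += f", client cert verification [{finding['verification']}] using {trust}"
    return line


if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        print(describe(f))
        for w in f["warnings"]:
            print("  WARNING:", w)
```

Run against a real server.xml by replacing `SAMPLE_SERVER_XML` with the file contents; the point of the warnings is the asymmetry the thread discusses: trust material is only meaningful when client-certificate verification is on, and a keystore path or alias is only meaningful when the store type is KEYSTORE, so neither is printed otherwise.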

