On 2023-06-08 15:36, Mark Thomas wrote:
On 08/06/2023 14:22, Osipov, Michael (SMD IT IN) wrote:
On 2023-06-08 14:45, Mark Thomas wrote:
On 08/06/2023 12:25, Osipov, Michael (SMD IT IN) wrote:
Folks,

I am running 8.5.88 and noticed these lines in my catalina.out:
2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null]
2023-06-08T12:38:55.036 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [/opt/openssl/certs]

I have two connectors configured (both APR and OpenSSL), the only difference is that the second one (18444) requires TLS client certificates:
<Connector port="8444" connectionTimeout="20000" keepAliveTimeout="300000" maxParameterCount="1000"
           maxHttpHeaderSize="24576" maxThreads="250"
           SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true" disableSessionTickets="true"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
                 certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
                 certificateKeyPassword="..." type="RSA" />
  </SSLHostConfig>
</Connector>

and

<Connector port="18444" connectionTimeout="20000" keepAliveTimeout="7200000" maxParameterCount="1000"
           maxHttpHeaderSize="24576" maxThreads="250"
           SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
  <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
                 honorCipherOrder="true" disableSessionTickets="true"
                 certificateVerification="optional" certificateVerificationDepth="5"
                 caCertificatePath="/opt/openssl/certs"
                 ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
    <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
                 certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
                 certificateKeyPassword="..." type="RSA" />
    <OpenSSLConf>
      <OpenSSLConfCmd name="RequestCAFile" value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
    </OpenSSLConf>
  </SSLHostConfig>
</Connector>

The information displayed is partially wrong. It fails to differentiate between store types (org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType).

I disagree with the characterization that the data is wrong. There are many TLS configuration attributes. A few are displayed, most are not. StoreType is one of those that is not.

The aim isn't to display the full configuration (admins can look at server.xml for that). The intention is to make clear, for each configured server certificate, which configuration files are being used. The idea being that you can then examine the relevant files and/or server.xml if there is an issue.

I'm not seeing much of a case for adding StoreType.

...and that's the problem. Neither [/net/home/smartld/.keystore] nor [tomcat] is used because I have never configured it. I don't expect a full display, but a correct display. I would rather see no information than incorrect information. I don't insist on printing the storeType at all, but it needs to be used in the Java code to determine what configuration has to be printed.

Got it. Yep - open a bug report for that.

Done: https://bz.apache.org/bugzilla/show_bug.cgi?id=66635
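The mismatch reported above (a PEM-configured connector whose logCertificate line names the default Java keystore and alias) can be caught mechanically by cross-checking catalina.out against server.xml. The following Python script is an added example for this thread, not code from Tomcat or from either poster. It assumes the store-type rule the thread refers to (certificateFile selects PEM, certificateKeystoreFile selects a Java keystore), that Tomcat's connector name ends in the port and that its default virtual host is named `_default_`; the hostnames, paths and log lines below are constructed and only mirror the format quoted in the thread.

```python
"""Cross-check Tomcat logCertificate lines against server.xml.

Added example for the tomcat-users thread on Bug 66635; not Tomcat code.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: one PEM connector (like the thread's
# 8444/18444) and one connector that really does use a Java keystore.
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             defaultSSLHostConfigName="tls.example.test">
    <SSLHostConfig hostName="tls.example.test">
      <Certificate certificateFile="/opt/openssl/tls.example.test/cert.crt"
                   certificateKeyFile="/opt/openssl/tls.example.test/key.crt"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="/opt/tomcat/conf/tomcat.jks"
                   certificateKeyAlias="web" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""

# Constructed log lines in the format quoted in the thread. The first one
# reproduces the bug: a PEM connector reported as "configured from" the
# default keystore with the default alias.
LOG_LINES = [
    "2023-06-08T12:38:54.938 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate "
    "Connector [https-openssl-apr-8444], TLS virtual host [tls.example.test], certificate type [RSA] "
    "configured from [/home/tomcat/.keystore] using alias [tomcat] and with trust store [null]",
    "2023-06-08T12:38:55.036 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate "
    "Connector [https-jsse-nio-8445], TLS virtual host [_default_], certificate type [RSA] "
    "configured from [/opt/tomcat/conf/tomcat.jks] using alias [web] and with trust store [null]",
]

LOG_RE = re.compile(
    r"logCertificate Connector \[(?P<connector>[^\]]+)\], "
    r"TLS virtual host \[(?P<host>[^\]]+)\], "
    r"certificate type \[(?P<ctype>[^\]]+)\] "
    r"configured from \[(?P<source>[^\]]+)\] "
    r"using alias \[(?P<alias>[^\]]+)\]"
)


def configured_certificates(server_xml):
    """Return {(port, hostName, type): store} for every SSL-enabled connector.

    Store type is derived from which attribute is present (assumption mirroring
    SSLHostConfigCertificate.StoreType): certificateFile -> PEM,
    certificateKeystoreFile -> KEYSTORE. Missing hostName means "_default_".
    """
    result = {}
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        for shc in conn.findall("SSLHostConfig"):
            host = shc.get("hostName", "_default_")
            for cert in shc.findall("Certificate"):
                ctype = cert.get("type", "UNDEFINED")
                if cert.get("certificateFile"):
                    store = {"storeType": "PEM",
                             "source": cert.get("certificateFile"), "alias": None}
                elif cert.get("certificateKeystoreFile"):
                    store = {"storeType": "KEYSTORE",
                             "source": cert.get("certificateKeystoreFile"),
                             "alias": cert.get("certificateKeyAlias")}
                else:
                    store = {"storeType": "UNKNOWN", "source": None, "alias": None}
                result[(port, host, ctype)] = store
    return result


def check_log(log_lines, certs):
    """Return [(port, message)] for every logCertificate line that disagrees
    with the configured <Certificate> element (PEM reported as keystore, or a
    keystore path/alias that is not the configured one)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        port = m.group("connector").rsplit("-", 1)[-1]  # connector name ends in the port
        cfg = certs.get((port, m.group("host"), m.group("ctype")))
        if cfg is None:
            findings.append((port, "no matching <Certificate> in server.xml"))
        elif cfg["storeType"] == "PEM" and m.group("source") != cfg["source"]:
            findings.append((port, "PEM certificate %s but log reports keystore %s alias %s"
                             % (cfg["source"], m.group("source"), m.group("alias"))))
        elif cfg["storeType"] == "KEYSTORE" and \
                (m.group("source"), m.group("alias")) != (cfg["source"], cfg["alias"]):
            findings.append((port, "keystore path or alias in log differs from server.xml"))
    return findings


if __name__ == "__main__":
    for port, msg in check_log(LOG_LINES, configured_certificates(SERVER_XML)):
        print("connector port %s: %s" % (port, msg))
```

Run against a real installation by replacing the two constructed inputs with the contents of conf/server.xml and the logCertificate lines from catalina.out; a finding on a PEM connector is exactly the symptom the thread describes, while a keystore connector whose path and alias match produces nothing.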

