Author: markt Date: Mon Aug 21 14:00:32 2017 New Revision: 1805637 URL: http://svn.apache.org/viewvc?rev=1805637&view=rev Log: Handle the case when OpenSSL resumes a TLS session using a ticket and the full client certificate chain is not available. In this case the client certificate without the chain will be presented to the application.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java?rev=1805637&r1=1805636&r2=1805637&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/AprSSLSupport.java Mon Aug 21 14:00:32 2017 @@ -54,11 +54,17 @@ public class AprSSLSupport implements SS @Override public X509Certificate[] getPeerCertificateChain() throws IOException { try { - // certLength == -1 indicates an error + // certLength == -1 indicates an error unless TLS session tickets + // are in use in which case OpenSSL won't store the chain in the + // ticket. int certLength = socketWrapper.getSSLInfoI(SSL.SSL_INFO_CLIENT_CERT_CHAIN); byte[] clientCert = socketWrapper.getSSLInfoB(SSL.SSL_INFO_CLIENT_CERT); X509Certificate[] certs = null; - if (clientCert != null && certLength > -1) { + + if (clientCert != null) { + if (certLength < 0) { + certLength = 0; + } certs = new X509Certificate[certLength + 1]; CertificateFactory cf; if (clientCertProvider == null) { Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1805637&r1=1805636&r2=1805637&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Aug 21 14:00:32 2017 
@@ -106,6 +106,12 @@ Ensure that the APR/native connector uses blocking I/O for TLS renegotiation. (markt) </fix> + <fix> + <bug>58244</bug>: Handle the case when OpenSSL resumes a TLS session + using a ticket and the full client certificate chain is not available. + In this case the client certificate without the chain will be presented + to the application. (markt) + </fix> </changelog> </subsection> <subsection name="Other"> Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1805637&r1=1805636&r2=1805637&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Mon Aug 21 14:00:32 2017 @@ -1192,8 +1192,12 @@ <attribute name="disableSessionTickets" required="false"> <p>OpenSSL only.</p> - <p>Disables use of TLS Session Tickets (RFC 4507) if set to - <code>true</code>. Default is <code>false</code>.</p> + <p>Disables use of TLS session tickets (RFC 5077) if set to + <code>true</code>. Default is <code>false</code>. Note that when TLS + session tickets are in use, the full peer certificate chain will only be + available on the first connection. Subsequent connections (that use a + ticket to estrablish the TLS session) will only have the peer certificate, + not the full chain.</p> </attribute> <attribute name="honorCipherOrder" required="false"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
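Review bot: In the AprSSLSupport.java hunk, the new `if (certLength < 0) { certLength = 0; }` maps every negative `SSL_INFO_CLIENT_CERT_CHAIN` result to "no chain", so a genuine lookup error is now indistinguishable from a ticket-based resumption, even though the updated comment still describes -1 as "an error unless TLS session tickets are in use". Consider adding a debug-level log line in that branch so operators can tell the two cases apart, and note in the Javadoc of `getPeerCertificateChain()` that callers may receive a single-element array (leaf certificate only) on resumed sessions; any application code that re-validates the path using intermediates from this array needs to know that.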
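Review bot: The changelog.xml entry for bug 58244 describes the new behaviour but not its operational consequence: with session tickets enabled, only the leaf client certificate is available on resumed connections. Suggest extending the entry to state that this applies to the APR/native (OpenSSL) connector and that `disableSessionTickets="true"` restores full-chain availability on every connection, so readers of the changelog can find the workaround without going to the connector documentation.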
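Review bot: In the http.xml hunk, "estrablish" in "(that use a ticket to estrablish the TLS session)" should read "establish". The added paragraph would also be clearer if it said outright that setting `disableSessionTickets` to `true` is the way to keep the full peer certificate chain available on every connection, and that the limitation only matters when client certificate authentication is in use on this OpenSSL-backed connector; the RFC reference update from 4507 to 5077 is correct, since RFC 5077 obsoletes RFC 4507.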