On 07/03/2019 12:18, r...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> remm pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/master by this push:
>      new e87cf37  Avoid keystores with OpenSSL and regular certificates

Thanks for finding and fixing this.

Mark


> e87cf37 is described below
> 
> commit e87cf37c16c162db6f6c546dcfd40dcc568bb648
> Author: remm <r...@apache.org>
> AuthorDate: Thu Mar 7 13:18:48 2019 +0100
> 
>     Avoid keystores with OpenSSL and regular certificates
>     
>     The new harmonization code always processes certificates through a
>     keystore, even if the certificates will later be simply given to
>     OpenSSL. The problem is that this then restricts certificates to those
>     that JSSE can process.
> ---
>  java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java 
> b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> index 3d1e0eb..514aef2 100644
> --- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> +++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> @@ -80,6 +80,9 @@ public class OpenSSLUtil extends SSLUtilBase {
>  
>  
>      public static X509KeyManager chooseKeyManager(KeyManager[] managers) 
> throws Exception {
> +        if (managers == null) {
> +            return null;
> +        }
>          for (KeyManager manager : managers) {
>              if (manager instanceof JSSEKeyManager) {
>                  return (JSSEKeyManager) manager;
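Review bot: The new `managers == null` early return in chooseKeyManager makes null a normal result of a method whose only other non-matching outcome is the IllegalStateException for openssl.keyManagerMissing. Nothing in the hunk documents that difference, so a caller cannot tell from the signature that it must handle a null X509KeyManager. Suggest adding Javadoc stating that null is returned when no key managers were supplied, and checking that each call site tests for null before using the result.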
> @@ -92,4 +95,15 @@ public class OpenSSLUtil extends SSLUtilBase {
>          }
>          throw new 
> IllegalStateException(sm.getString("openssl.keyManagerMissing"));
>      }
> +
> +
> +    @Override
> +    public KeyManager[] getKeyManagers() throws Exception {
> +        if (certificate.getCertificateFile() == null) {
> +            return super.getKeyManagers();
> +        } else {
> +            return null;
> +        }
> +    }
> +
>  }
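Review bot: The getKeyManagers() override returns null whenever certificate.getCertificateFile() is non-null, but carries no comment or Javadoc saying what null means here. The commit message explains that such certificates are handed to OpenSSL without passing through a keystore; that reasoning belongs next to the code, since an unexplained `return null;` from a getter that otherwise returns an array reads like a bug. The `else` after `return super.getKeyManagers();` is also redundant and could be dropped. Since the override now returns null by design, any code that iterates over or indexes the array should be confirmed to null-check it, as chooseKeyManager does after this commit.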
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> 

