On Thu, Mar 7, 2019 at 1:48 PM Mark Thomas <ma...@apache.org> wrote:

> On 07/03/2019 12:18, r...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > remm pushed a commit to branch master
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/master by this push:
> >      new e87cf37  Avoid keystores with OpenSSL and regular certificates
>
> Thanks for finding and fixing this.
>

No problem. I'll try to improve a bit on it, then I'll port it to 8.5.

Rémy


>
> Mark
>
>
> > e87cf37 is described below
> >
> > commit e87cf37c16c162db6f6c546dcfd40dcc568bb648
> > Author: remm <r...@apache.org>
> > AuthorDate: Thu Mar 7 13:18:48 2019 +0100
> >
> >     Avoid keystores with OpenSSL and regular certificates
> >
> >     The new harmonization code always processes certificates through a
> >     keystore, even if the certificates will later be simply given to
> >     OpenSSL. The problem is that this then restricts certificates to those
> >     that JSSE can process.
> > ---
> >  java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java | 14
> ++++++++++++++
> >  1 file changed, 14 insertions(+)
> >
> > diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> > index 3d1e0eb..514aef2 100644
> > --- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> > +++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> > @@ -80,6 +80,9 @@ public class OpenSSLUtil extends SSLUtilBase {
> >
> >
> >      public static X509KeyManager chooseKeyManager(KeyManager[]
> managers) throws Exception {
> > +        if (managers == null) {
> > +            return null;
> > +        }
> >          for (KeyManager manager : managers) {
> >              if (manager instanceof JSSEKeyManager) {
> >                  return (JSSEKeyManager) manager;
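
Review bot: The null guard added at the top of chooseKeyManager gives the method two different "no key manager" outcomes. A null `managers` array now returns null, while a non-null array with no usable entry still reaches `throw new IllegalStateException(sm.getString("openssl.keyManagerMissing"))` at the end of the method. Callers that relied on the exception to signal a missing key manager now have to null-check the result as well. Suggest a Javadoc line stating that a null array yields a null return (meaning the certificate is given to OpenSSL directly), and a check that each call site handles that null before dereferencing it.
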
> > @@ -92,4 +95,15 @@ public class OpenSSLUtil extends SSLUtilBase {
> >          }
> >          throw new
> IllegalStateException(sm.getString("openssl.keyManagerMissing"));
> >      }
> > +
> > +
> > +    @Override
> > +    public KeyManager[] getKeyManagers() throws Exception {
> > +        if (certificate.getCertificateFile() == null) {
> > +            return super.getKeyManagers();
> > +        } else {
> > +            return null;
> > +        }
> > +    }
> > +
> >  }
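
Review bot: The else branch of the new getKeyManagers() override returns null with no comment or Javadoc, and the decision rests only on `certificate.getCertificateFile() == null`. The reason is in the commit message (certificates that are simply given to OpenSSL should not be forced through a keystore and so restricted to what JSSE can process), but nothing in the code records it. Suggest a short comment on the branch saying that a configured certificate file means no Java key managers are built, and a Javadoc note that this method can return null, since that null is what the new guard in chooseKeyManager exists to absorb and any other consumer of getKeyManagers() on this class has to tolerate it too.
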
> >
> >