On Sun, Feb 16, 2020 at 3:46 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> > + truststoreFile = null; + } + } > > this.caCertificateFile = caCertificateFile; }
>
> Also, is this the best way to do this? Instead of defaulting to javax.ssl.trustStore for the JSSE TrustStore, should we not apply the default when it's needed?
>
> Like when configuring the SSLContext, check for a null TrustStore and inherit the JVM default?
>
> I think that would be a little cleaner than blanking-out the default value of *another* configuration when a different (but related) configuration option is set.
>
> There is also the possibility that truststoreFile != null, but truststoreFile is also not set to the JVM default.
>
> What if we throw an exception if both of the configuration options are present? We won't know which one to use, anyway.

If the value is not set to the system property, then the configuration type will be JSSE. Mixing configuration types is handled as it was (a warning is logged). So I think this works and is the best way (will not cause changes/problems ...).

Rémy

> > @@ -673,7 +688,12 @@ public class SSLHostConfig implements > > Serializable { > > > > > > public void setCaCertificatePath(String caCertificatePath) { - > > setProperty("caCertificatePath", Type.OPENSSL); + if > > (setProperty("caCertificatePath", Type.OPENSSL)) { + // > > Reset default JSSE trust store if not a JSSE configuration + > > if (truststoreFile != null) { + truststoreFile = > > null; + } + } this.caCertificatePath = > > caCertificatePath; } > > > > diff --git a/webapps/docs/changelog.xml > > b/webapps/docs/changelog.xml index 753fb4c..e0673d1 100644 --- > > a/webapps/docs/changelog.xml 
+++ b/webapps/docs/changelog.xml @@ > > -51,6 +51,10 @@ Fix support of native jakarta servlet attributes in > > AJP connector. (remm) </fix> + <fix> + > > <bug>64141</bug>: If using a CA certificate, remove a default > > value + for the truststore file when not using a JSSE > > configuration. (remm) + </fix> </changelog> </subsection> > > </section>
>
> -chris
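
Review bot: In the `setCaCertificatePath` hunk, the added `truststoreFile = null;` clears whatever value the field holds, while the comment above it says it resets the default JSSE trust store; nothing in the hunk checks that the value is the default rather than one set explicitly. If the `setProperty(...)` return value is what guarantees that, state the invariant in the comment, or compare against the default before clearing. The `if (truststoreFile != null)` guard around the assignment is redundant, and the same block appears at the end of the `setCaCertificateFile` change, so a small private helper would keep the two setters in step.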
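
Review bot: The changelog entry for `<bug>64141</bug>` says "a default value for the truststore file" without naming the attributes involved. Naming `truststoreFile`, `caCertificateFile` and `caCertificatePath` in the entry would let users who search the changelog for those attributes find this behaviour change.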