This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 263b6e0 Align behaviour on MacOs with Linux/Windows
263b6e0 is described below
commit 263b6e0eef1a69a544c2a45db3b1bab37e09008e
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Dec 1 16:39:31 2021 +0000
Align behaviour on MacOs with Linux/Windows
---
.../apache/tomcat/util/net/openssl/OpenSSLContext.java | 18 ++++++++++++++----
webapps/docs/changelog.xml | 5 +++++
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index ed0b5af..d942d4c 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -379,10 +379,20 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
}
} else {
- // Client certificate verification based on trusted CA files
and dirs
- SSLContext.setCACertificate(ctx,
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
-
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+ if (sslHostConfig.getCaCertificateFile() == null &&
sslHostConfig.getCaCertificatePath() == null) {
+ // No CA certificates configured. Reject all client
certificates.
+ SSLContext.setCertVerifyCallback(ctx, new
CertificateVerifier() {
+ @Override
+ public boolean verify(long ssl, byte[][] chain, String
auth) {
+ return false;
+ }
+ });
+ } else {
+ // Client certificate verification based on trusted CA
files and dirs
+ SSLContext.setCACertificate(ctx,
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+ }
}
if (negotiableProtocols != null && negotiableProtocols.size() > 0)
{
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a366fb1..9c047e3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -172,6 +172,11 @@
and the first request received after starting is an HTTP request to a
TLS enabled NIO2 connector. (markt)
</fix>
+ <add>
+ Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way
+ on MacOS as it does on Linux and Windows when no trusted certificate
+ authorities are configured and reject all client certificates. (markt)
+ </add>
</changelog>
</subsection>
</section>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
