[tomcat] branch 10.0.x updated: Align behaviour on MacOs with Linux/Windows

Wed, 01 Dec 2021 08:46:34 -0800 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
     new 263b6e0  Align behaviour on MacOs with Linux/Windows
263b6e0 is described below

commit 263b6e0eef1a69a544c2a45db3b1bab37e09008e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Dec 1 16:39:31 2021 +0000

    Align behaviour on MacOs with Linux/Windows
---
 .../apache/tomcat/util/net/openssl/OpenSSLContext.java | 18 ++++++++++++++----
 webapps/docs/changelog.xml                             |  5 +++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index ed0b5af..d942d4c 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -379,10 +379,20 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                     }
                 }
             } else {
-                // Client certificate verification based on trusted CA files 
and dirs
-                SSLContext.setCACertificate(ctx,
-                        
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
-                        
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+                if (sslHostConfig.getCaCertificateFile() == null && 
sslHostConfig.getCaCertificatePath() == null) {
+                    // No CA certificates configured. Reject all client 
certificates.
+                    SSLContext.setCertVerifyCallback(ctx, new 
CertificateVerifier() {
+                        @Override
+                        public boolean verify(long ssl, byte[][] chain, String 
auth) {
+                            return false;
+                        }
+                    });
+                } else {
+                    // Client certificate verification based on trusted CA 
files and dirs
+                    SSLContext.setCACertificate(ctx,
+                            
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+                            
SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
+                }
             }
 
             if (negotiableProtocols != null && negotiableProtocols.size() > 0) 
{
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a366fb1..9c047e3 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -172,6 +172,11 @@
         and the first request received after starting is an HTTP request to a
         TLS enabled NIO2 connector. (markt)
       </fix>
+      <add>
+        Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way
+        on MacOS as it does on Linux and Windows when no trusted certificate
+        authorities are configured and reject all client certificates. (markt)
+      </add>
     </changelog>
   </subsection>
 </section>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to