This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 94e24b9 Log a warning if a Connector is configured with h2 + optional cert auth
94e24b9 is described below
commit 94e24b9b4fada2b08d166cf60b5b24af64f4de62
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 24 13:22:31 2022 +0000
Log a warning if a Connector is configured with h2 + optional cert auth
The HTTP/2 specification (RFC 7540) explicitly disallows renegotiation for TLS 1.2 and RFC 8740 explicitly disallows PHA with TLS 1.3 and HTTP/2
---
 .../apache/tomcat/util/net/AbstractJsseEndpoint.java | 8 ++++++++
 .../org/apache/tomcat/util/net/LocalStrings.properties | 3 ++-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 18 ++++++++++++++----
 webapps/docs/changelog.xml | 6 ++++++
 4 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 925e91d..10fdbdc 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -83,6 +83,14 @@ public abstract class AbstractJsseEndpoint<S,U> extends AbstractEndpoint<S,U> {
 @Override
 protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException {
+
+ // HTTP/2 does not permit optional certificate authentication with any
+ // version of TLS.
+ if (sslHostConfig.getCertificateVerification().isOptional() &&
+ negotiableProtocols.contains("h2")) {
+ getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", sslHostConfig.getHostName()));
+ }
+
 boolean firstCertificate = true;
 for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
 SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index a8c8eb7..ecc2e9d 100644
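Review bot: The new check at the top of createSSLContext only logs and then continues, so a TLS host left in OPTIONAL or OPTIONAL_NO_CA on a connector that negotiates h2 stays in service and this warning is the only signal an operator gets; the comment above the `if` should say why this is a hard incompatibility rather than a preference, e.g. `// RFC 7540 forbids TLS renegotiation and RFC 8740 forbids TLS 1.3 post-handshake authentication on HTTP/2, so a client certificate that was not requested in the initial handshake can never be requested later on an h2 connection.` The commit message already carries this reasoning but the code does not. If createSSLContext also runs when an SSLHostConfig is reloaded (not visible here), the warning will be repeated on each reload, which is probably desirable but worth a word in the comment. The body of createSSLContext continues past the end of the hunk.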
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -160,6 +160,7 @@ socketWrapper.writeTimeout=Write timeout
 sslHostConfig.certificate.notype=Multiple certificates were specified and at least one is missing the required attribute type
 sslHostConfig.certificateVerificationInvalid=The certificate verification value [{0}] is not recognised
+sslHostConfig.certificateVerificationWithHttp2=The TLS virtual host [{0}] is configured for optional certificate verification and the enclosing connector is configured to support upgrade to h2. HTTP/2 over TLS does not permit optional certificate verification.
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named [{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being used with the [{3}] configuration syntax
@@ -183,6 +184,6 @@ sslUtilBase.noVerificationDepth=The truststoreProvider [{0}] does not support th
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL engine : [{1}]
 sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL engine and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be insecure.
-sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
+sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted certificate with alias [{0}] were not checked as the certificate was of an unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted certificate WILL be accepted
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index af60ecc..81552f4 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -774,10 +774,20 @@ public class SSLHostConfig implements Serializable {
 public enum CertificateVerification {
- NONE,
- OPTIONAL_NO_CA,
- OPTIONAL,
- REQUIRED;
+ NONE(false),
+ OPTIONAL_NO_CA(true),
+ OPTIONAL(true),
+ REQUIRED(false);
+
+ private final boolean optional;
+
+ private CertificateVerification(boolean optional) {
+ this.optional = optional;
+ }
+
+ public boolean isOptional() {
+ return optional;
+ }
 public static CertificateVerification fromString(String value) {
 if ("true".equalsIgnoreCase(value) ||
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 90dde11..e02fbd1 100644
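Review bot: The new public `isOptional()` on CertificateVerification has no Javadoc, and since the flag now drives a security warning elsewhere its meaning should be pinned down at the declaration; add `/** @return {@code true} for the modes that request a client certificate without requiring one (OPTIONAL and OPTIONAL_NO_CA); {@code false} for NONE and REQUIRED. */` above it. The `private` on the enum constructor is redundant (enum constructors are implicitly private) and the file's own style would more likely be `CertificateVerification(boolean optional) {`. The enclosing SSLHostConfig is Serializable, but enum constants serialise by name, so the added field does not change the serialised form. The enum body continues past the end of the hunk (fromString is cut off).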
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,12 @@
 <pr>487</pr>: Improve logging of unknown settings frames. Pull request by Thomas Hoffmann. (remm)
 </fix>
+ <add>
+ <bug>65975</bug>: Add a warning if a TLS vitual host is configured with
+ optional certificate authentication and the containing connector is also
+ configured to support HTTP/2 as HTTP/2 does not permit optional
+ certificate authentication. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org