This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 768c62df1b Fix BZ 67666 - Fix PEM files and 
TLSCertificateReloadListener
768c62df1b is described below

commit 768c62df1bfee0675b2987f2f334c85606dd5078
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Oct 24 22:47:50 2023 +0100

    Fix BZ 67666 - Fix PEM files and TLSCertificateReloadListener
    
    Most should now work. The few that do not will log a warning.
---
 .../apache/tomcat/util/net/openssl/LocalStrings.properties |  1 +
 .../org/apache/tomcat/util/net/openssl/OpenSSLContext.java |  7 ++++---
 java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java   | 14 ++++++++++++--
 webapps/docs/changelog.xml                                 |  5 +++++
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 34ec880c41..db09d853fd 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -47,6 +47,7 @@ openssl.errCheckConf=Error during OpenSSLConf check
 openssl.errMakeConf=Could not create OpenSSLConf context
 openssl.errorSSLCtxInit=Error initializing SSL context
 openssl.keyManagerMissing=No key manager found
+openssl.keyManagerMissing.warn=No key manager found. TLS will work but the 
certificate will not be visible to Tomcat so management/monitoring features 
will not work for this certificate
 openssl.makeConf=Creating OpenSSLConf context
 openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}] 
could not be processed using a JSSE key manager and will be given directly to 
OpenSSL
 openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not 
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL 
directly
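Review bot: The new `openssl.keyManagerMissing.warn` message has no placeholder identifying the certificate it applies to, unlike the neighbouring `openssl.nonJsseCertificate` and `openssl.nonJsseChain` messages, so on a server with several TLS virtual hosts an operator cannot tell which certificate the TLSCertificateReloadListener will be unable to see. The same gap shows in the OpenSSLContext hunk, where the call site has `certificate.getCertificateFile()` but passes only the boolean, and in the second OpenSSLUtil hunk, where `log.warn(sm.getString("openssl.keyManagerMissing.warn"))` is emitted without any argument. Consider giving the message a `[{0}]` placeholder for the certificate file and threading that value through the new `chooseKeyManager` overload (or logging it at the call site), so the warning names the affected certificate; whether a suitable logger is available in OpenSSLContext is not visible in this diff.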
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 5d8ca84d6c..195f270f04 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -332,9 +332,10 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
             // List the ciphers that the client is permitted to negotiate
             SSLContext.setCipherSuite(ctx, sslHostConfig.getCiphers());
 
-            if (certificate.getCertificateFile() == null) {
-                
certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
-            }
+            // If there is no certificate file must be using a KeyStore so a 
KeyManager is required.
+            // If there is a certificate file a KeyManager is helpful but not 
strictly necessary.
+            certificate.setCertificateKeyManager(
+                    OpenSSLUtil.chooseKeyManager(kms, 
certificate.getCertificateFile() == null));
 
             addCertificate(certificate);
 
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java 
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 8336ecf695..1e5edcd6fe 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -73,8 +73,13 @@ public class OpenSSLUtil extends SSLUtilBase {
         return new OpenSSLContext(certificate, negotiableProtocols);
     }
 
-
+    @Deprecated
     public static X509KeyManager chooseKeyManager(KeyManager[] managers) 
throws Exception {
+        return chooseKeyManager(managers, true);
+    }
+
+
+    public static X509KeyManager chooseKeyManager(KeyManager[] managers, 
boolean throwOnMissing) throws Exception {
         if (managers == null) {
             return null;
         }
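Review bot: The `@Deprecated` annotation on the single-argument chooseKeyManager has no matching Javadoc `@deprecated` tag naming its replacement, and the new two-argument overload does not document what `throwOnMissing` controls, which is the behaviour change this commit introduces. Add `/** @deprecated Use {@link #chooseKeyManager(KeyManager[], boolean)}. */` above the old method, and give the new one a Javadoc stating that when `throwOnMissing` is false a missing X509KeyManager results in a warning and a null return instead of an IllegalStateException, and that a null `managers` array returns null regardless of the flag. The method body continues past the end of this hunk.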
@@ -88,7 +93,12 @@ public class OpenSSLUtil extends SSLUtilBase {
                 return (X509KeyManager) manager;
             }
         }
-        throw new 
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+        if (throwOnMissing) {
+            throw new 
IllegalStateException(sm.getString("openssl.keyManagerMissing"));
+        }
+
+        log.warn(sm.getString("openssl.keyManagerMissing.warn"));
+        return null;
     }
 
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3f46719f49..35cf047197 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -134,6 +134,11 @@
         automatically call
         <code>setCertificateKeystoreType(ks.getType())</code>. (markt)
       </add>
+      <fix>
+        <bug>67666</bug>: Ensure TLS connectors using PEM files either work 
with
+        the <code>TLSCertificateReloadListener</code> or, in the rare case that
+        they do not, log a warning on Connector start. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">

