Rémy,

Michael-o has been pointing out that when fetching errors from OpenSSL, it's important to get all of them because OpenSSL tends to queue them up.

Instead of getting "last error" should we be getting "all errors" as a list/array of error messages?

-chris
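As an added illustration of the point raised above (this is not Tomcat's code and not OpenSSL's): a C routine that drains a whole OpenSSL-style error queue instead of reading one entry. `drain_errors()` is written against the exact signatures of OpenSSL's `ERR_get_error()` and `ERR_error_string_n()`, so in real code it would be called as `drain_errors(ERR_get_error, ERR_error_string_n, buf, sizeof buf)` after including `<openssl/err.h>` and linking `-lcrypto`. To stay runnable without libcrypto, the file exercises it against a small constructed queue (the `fake_*` functions) that mimics OpenSSL's FIFO semantics with made-up codes and messages; `last_error_only()` and `all_errors()` are hypothetical names for the two strategies being compared.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Function-pointer types matching OpenSSL's ERR_get_error() and
 * ERR_error_string_n(), so drain_errors() can be pointed at libcrypto. */
typedef unsigned long (*err_next_fn)(void);
typedef void (*err_fmt_fn)(unsigned long e, char *buf, size_t len);

/* Pop every queued error, oldest first, and join the messages with "; ".
 * Returns how many errors were drained; out holds the joined text, truncated
 * to outlen - 1 characters if needed. The queue is empty on return, so stale
 * entries cannot be attributed to the next OpenSSL call. */
size_t drain_errors(err_next_fn next, err_fmt_fn fmt, char *out, size_t outlen)
{
    size_t count = 0, used = 0;
    unsigned long e;

    if (outlen)
        out[0] = '\0';
    while ((e = next()) != 0) {
        char msg[256];
        fmt(e, msg, sizeof msg);
        if (outlen && used < outlen - 1) {
            int w = snprintf(out + used, outlen - used, "%s%s", count ? "; " : "", msg);
            used = (w < 0 || (size_t)w >= outlen - used) ? outlen - 1 : used + (size_t)w;
        }
        count++;
    }
    return count;
}

/* ---- constructed stand-in for OpenSSL's error queue (not libcrypto) ---- */
#define FAKE_MAX 8
static unsigned long fake_q[FAKE_MAX];
static size_t fake_head, fake_tail;

static void fake_reset(void) { fake_head = fake_tail = 0; }
static void fake_put(unsigned long code) { if (fake_tail < FAKE_MAX) fake_q[fake_tail++] = code; }
/* FIFO pop, like ERR_get_error(): returns 0 once the queue is empty. */
static unsigned long fake_get(void) { return fake_head < fake_tail ? fake_q[fake_head++] : 0; }
/* Newest entry without removing it, like ERR_peek_last_error(). */
static unsigned long fake_peek_last(void) { return fake_head < fake_tail ? fake_q[fake_tail - 1] : 0; }

/* Constructed codes and texts; with OpenSSL the text comes from ERR_error_string_n(). */
static void fake_fmt(unsigned long e, char *buf, size_t len)
{
    const char *text = e == 1 ? "no start line (root cause, constructed)"
                     : e == 2 ? "bad DH parameter file (constructed)"
                     : e == 3 ? "DH parameters not set (constructed)"
                     : "unknown";
    snprintf(buf, len, "error:%lu:%s", e, text);
}

/* Simulates a failed DH-parameter load that left three queued errors:
 * the lowest layer reports first, the outermost wrapper last. */
static void fake_fill(void)
{
    fake_reset();
    fake_put(1);
    fake_put(2);
    fake_put(3);
}

/* "Last error" style: only the newest entry is reported, queue untouched. */
size_t last_error_only(char *out, size_t outlen)
{
    fake_fill();
    unsigned long e = fake_peek_last();
    if (e == 0) {
        if (outlen)
            out[0] = '\0';
        return 0;
    }
    fake_fmt(e, out, outlen);
    return 1;
}

/* "All errors" style: every entry, oldest first, and the queue ends up empty. */
size_t all_errors(char *out, size_t outlen)
{
    fake_fill();
    return drain_errors(fake_get, fake_fmt, out, outlen);
}

/* Whether entries are still queued (shows which strategy cleans up). */
int queue_pending(void) { return fake_head < fake_tail; }

int main(void)
{
    char buf[512];
    last_error_only(buf, sizeof buf);
    printf("last only: %s\n", buf);
    all_errors(buf, sizeof buf);
    printf("all      : %s\n", buf);
    return 0;
}
```

With the real queue the entries come out oldest first, so the root cause is the first message in the joined string; a single "last error" read reports only the outermost entry and leaves the rest queued, where they get blamed on whatever OpenSSL call comes next.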

On 6/18/24 10:41, r...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
      new 6fcf6d333b Clear error earlier
6fcf6d333b is described below

commit 6fcf6d333bec4855bd97494679a3d5272cd5786b
Author: remm <r...@apache.org>
AuthorDate: Tue Jun 18 16:40:41 2024 +0200

     Clear error earlier
---
  .../tomcat/util/net/openssl/panama/LocalStrings.properties    |  1 +
  .../apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 11 ++++++++++-
  2 files changed, 11 insertions(+), 1 deletion(-)

diff --git 
a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index b42309b801..ad0d1d4291 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -58,6 +58,7 @@ openssl.errorLoadingPassword=Error loading password file: 
[{0}]
  openssl.errorLoadingPrivateKey=Error loading private key: [{0}]
  openssl.errorLoadingCertificateRevocationListWithError=Error loading 
certificate revocation [{0}] with error [{1}]
  openssl.errorPrivateKeyCheck=Private key does not match the certificate 
public key: [{0}]
+openssl.errorReadingPEMParameters=Failed reading PEM parameters [{0}] for 
certificate [{1}]
  openssl.errorSSLCtxInit=Error initializing SSL context
  openssl.invalidSslProtocol=An invalid value [{0}] was provided for the 
SSLProtocol attribute
  openssl.keyManagerMissing=No key manager found
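Review bot: the new key's placeholder order (OpenSSL text as {0}, certificate as {1}) is the reverse of the neighbouring `openssl.errorLoadingCertificateRevocationListWithError=Error loading certificate revocation [{0}] with error [{1}]`, and "Failed reading" breaks the "Error loading ..." wording the surrounding keys use. Consider `openssl.errorReadingPEMParameters=Error reading PEM parameters for certificate [{0}]: [{1}]` with the arguments swapped at the call sites, so the file is named first and the OpenSSL text last, consistent with the rest of the file. Note also that the second call site passes `x509KeyManager.toString()` rather than a certificate file, so "for certificate" is not accurate there; "for [{0}]" would cover both.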
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 9a8ba2ea2b..3dedf0fd22 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1068,6 +1068,10 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                                  
log.debug(sm.getString("openssl.setCustomDHParameters", 
Integer.valueOf(numBits), certificate.getCertificateFile()));
                              }
                          } else {
+                            String errMessage = OpenSSLLibrary.getLastError();
+                            if (errMessage != null) {
+                                
log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage, 
certificate.getCertificateFile()));
+                            }
                              SSL_CTX_ctrl(state.sslCtx, 
SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL);
                          }
                      }
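Review bot: `OpenSSLLibrary.getLastError()` yields a single message, but OpenSSL pushes one entry per layer onto its error queue, so if that helper pops only one entry the others stay queued and will be reported against the next unrelated OpenSSL call, which defeats the purpose of clearing here. Either loop until no error remains and log the joined list, or clear the queue explicitly after taking the message. Also, when `errMessage` is `null` nothing is logged at all, so the fall-back to `SSL_CTRL_SET_DH_AUTO` leaves no trace; logging the fallback unconditionally and appending the error text only when present would keep the debug trail complete.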
@@ -1220,9 +1224,14 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                              EVP_PKEY_free(pkey);
                          } else {
                              
log.debug(sm.getString("openssl.setCustomDHParameters", 
Integer.valueOf(numBits),
-                                    certificate.getCertificateFile()));
+                                    x509KeyManager.toString()));
                          }
                      } else {
+                        String errMessage = OpenSSLLibrary.getLastError();
+                        if (errMessage != null) {
+                            
log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage,
+                                    x509KeyManager.toString()));
+                        }
                          SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_DH_AUTO(), 1, 
MemorySegment.NULL);
                      }
                  }
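Review bot: the five lines from `String errMessage = OpenSSLLibrary.getLastError();` through the closing `}` are duplicated verbatim from the previous hunk; a small helper such as `logPEMParameterError(String source)` that fetches (and fully drains) the error text and logs it would remove the duplication and give one place to fix the single-entry problem. Separately, switching the `openssl.setCustomDHParameters` argument from `certificate.getCertificateFile()` to `x509KeyManager.toString()` only helps if the key manager overrides `toString()`; otherwise the log shows a class name and identity hash that does not identify the certificate, so the alias or the certificate subject would be a more useful identifier in both messages.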


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

