On Wed, Jun 19, 2024 at 6:49 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Rémy,
>
> Michael-o has been pointing out that when fetching errors from OpenSSL,
> it's important to get all of them because OpenSSL tends to queue them up.
>
> Instead of getting "last error" should we be getting "all errors" as a
> list/array of error messages?

The important part is done (looping over all the errors to clear the
stack). I wasn't super convinced that returning something more than
the last error was very useful.

Rémy

> -chris
>
> On 6/18/24 10:41, r...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > remm pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/main by this push:
> >       new 6fcf6d333b Clear error earlier
> > 6fcf6d333b is described below
> >
> > commit 6fcf6d333bec4855bd97494679a3d5272cd5786b
> > Author: remm <r...@apache.org>
> > AuthorDate: Tue Jun 18 16:40:41 2024 +0200
> >
> >      Clear error earlier
> > ---
> >   .../tomcat/util/net/openssl/panama/LocalStrings.properties    |  1 +
> >   .../apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 11 
> > ++++++++++-
> >   2 files changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git 
> > a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties 
> > b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
> > index b42309b801..ad0d1d4291 100644
> > --- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
> > +++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
> > @@ -58,6 +58,7 @@ openssl.errorLoadingPassword=Error loading password file: 
> > [{0}]
> >   openssl.errorLoadingPrivateKey=Error loading private key: [{0}]
> >   openssl.errorLoadingCertificateRevocationListWithError=Error loading 
> > certificate revocation [{0}] with error [{1}]
> >   openssl.errorPrivateKeyCheck=Private key does not match the certificate 
> > public key: [{0}]
> > +openssl.errorReadingPEMParameters=Failed reading PEM parameters [{0}] for 
> > certificate [{1}]
> >   openssl.errorSSLCtxInit=Error initializing SSL context
> >   openssl.invalidSslProtocol=An invalid value [{0}] was provided for the 
> > SSLProtocol attribute
> >   openssl.keyManagerMissing=No key manager found
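Review bot: the wording of the new key ("Failed reading PEM parameters [{0}] for certificate [{1}]") does not follow the convention of the neighbouring entries, which all read "Error loading ..." / "Error initializing ..."; for consistency consider `openssl.errorReadingPEMParameters=Error reading PEM parameters for certificate [{1}]: [{0}]` or similar, keeping {0} as the OpenSSL error text and {1} as the certificate identifier, which is the argument order the Java side passes in the hunks below.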
> > diff --git 
> > a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
> > b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
> > index 9a8ba2ea2b..3dedf0fd22 100644
> > --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
> > +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
> > @@ -1068,6 +1068,10 @@ public class OpenSSLContext implements 
> > org.apache.tomcat.util.net.SSLContext {
> >                                   
> > log.debug(sm.getString("openssl.setCustomDHParameters", 
> > Integer.valueOf(numBits), certificate.getCertificateFile()));
> >                               }
> >                           } else {
> > +                            String errMessage = 
> > OpenSSLLibrary.getLastError();
> > +                            if (errMessage != null) {
> > +                                
> > log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage, 
> > certificate.getCertificateFile()));
> > +                            }
> >                               SSL_CTX_ctrl(state.sslCtx, 
> > SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL);
> >                           }
> >                       }
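Review bot: the new else-branch calls `sm.getString(...)` and `log.debug(...)` unconditionally; following the usual Tomcat pattern, wrap only the logging in `if (log.isDebugEnabled())`, but keep `String errMessage = OpenSSLLibrary.getLastError();` outside that guard, because draining OpenSSL's queued error is the purpose of this change and must happen regardless of log level. Fetching the error first, before `SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL);`, is the right order: a stale entry left on the queue would otherwise be reported against a later, unrelated call.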
> > @@ -1220,9 +1224,14 @@ public class OpenSSLContext implements 
> > org.apache.tomcat.util.net.SSLContext {
> >                               EVP_PKEY_free(pkey);
> >                           } else {
> >                               
> > log.debug(sm.getString("openssl.setCustomDHParameters", 
> > Integer.valueOf(numBits),
> > -                                    certificate.getCertificateFile()));
> > +                                    x509KeyManager.toString()));
> >                           }
> >                       } else {
> > +                        String errMessage = OpenSSLLibrary.getLastError();
> > +                        if (errMessage != null) {
> > +                            
> > log.debug(sm.getString("openssl.errorReadingPEMParameters", errMessage,
> > +                                    x509KeyManager.toString()));
> > +                        }
> >                           SSL_CTX_ctrl(state.sslCtx, 
> > SSL_CTRL_SET_DH_AUTO(), 1, MemorySegment.NULL);
> >                       }
> >                   }
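Review bot: `x509KeyManager.toString()` replaces `certificate.getCertificateFile()` as the identifier in both the `openssl.setCustomDHParameters` message and the new `openssl.errorReadingPEMParameters` message, but unless the key manager class overrides toString() this yields an object identity string (class name plus hash) that tells an operator nothing about which certificate is affected; a certificate alias or key-manager name would be more useful if one is available at this point. The added getLastError/log.debug block is also identical to the one in the previous hunk apart from the second argument, so a small private helper taking the identifier would keep the two copies from drifting.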
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
>
