https://issues.apache.org/bugzilla/show_bug.cgi?id=48532

           Summary: try to read truststore even when clientauth is false
           Product: Tomcat 6
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: k...@cpttm.org.mo


When people try to set up SSL with Tomcat, most of them don't need client
authentication and thus won't set the truststoreFile, truststorePass, etc.
However, Tomcat (or rather, JSSESocketFactory) will always try to load the
trust store. Somehow it got a valid path but the password (by default set to
that for the keystore) is incorrect and will throw an exception like below.
This is very confusing as people will keep checking the password of their
keystore (and don't know anything about the trust store).

I'd recommend the following solutions (most preferred listed first):
1) don't load the trust store if client authentication is false.
2) if a trust store is not specified, use the keystore.
3) the SSL howto should emphasize that a trust store must be set up.

sample stack trace:

java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:287)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:261)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:175)
        at org.apache.tomcat.util.net.jsse.JSSE15SocketFactory.getTrustManagers(JSSE15SocketFactory.java:69)
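The following Java program is an added illustration of the behaviour described in this report; it is not Tomcat's code and not the reporter's. It builds two throw-away JKS stores in memory (constructed sample data, not files from any installation), reproduces the "Keystore was tampered with, or password was incorrect" IOException by opening the trust store with the keystore password, and then shows the reporter's first suggested fix as a hypothetical helper, trustManagersFor, that skips loading the trust store entirely when client authentication is off. The class name, method names and passwords are all assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreDemo {

    // Constructed for the example: two different passwords, mirroring a deployment
    // where truststorePass is not set and Tomcat falls back to the keystore password.
    static final char[] KEYSTORE_PASS = "example-keystore-pass".toCharArray();
    static final char[] TRUSTSTORE_PASS = "example-truststore-pass".toCharArray();

    /** Serialises an empty JKS store protected by the given password (sample data only). */
    static byte[] createEmptyJks(char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // initialise an empty in-memory store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);             // the integrity digest is derived from the password
        return out.toByteArray();
    }

    /** Loads a JKS store; a wrong password fails the integrity check and throws IOException. */
    static KeyStore loadJks(byte[] data, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(data), password);
        return ks;
    }

    /**
     * Hypothetical replacement for the trust-manager set-up (assumption, not Tomcat's code):
     * when client authentication is disabled, no trust store is opened at all, so a
     * mismatched trust store password can no longer surface during connector start-up.
     */
    static TrustManager[] trustManagersFor(boolean clientAuth, byte[] trustStoreData, char[] trustStorePass)
            throws GeneralSecurityException, IOException {
        if (!clientAuth) {
            return null;                     // JSSE uses its default trust managers when given null
        }
        KeyStore trust = loadJks(trustStoreData, trustStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        byte[] trustStore = createEmptyJks(TRUSTSTORE_PASS);

        // 1. Reproduce the confusing failure: the trust store is found, but it is opened
        //    with the keystore password, which is the situation the report describes.
        try {
            loadJks(trustStore, KEYSTORE_PASS);
        } catch (IOException e) {
            System.out.println("trust store opened with keystore password -> " + e.getMessage());
        }

        // 2. With clientAuth=false the store is never touched, so the wrong password is irrelevant.
        TrustManager[] tms = trustManagersFor(false, trustStore, KEYSTORE_PASS);
        System.out.println("clientAuth=false -> trust store loaded: " + (tms != null));

        // 3. With clientAuth=true and the correct trust store password, loading succeeds.
        tms = trustManagersFor(true, trustStore, TRUSTSTORE_PASS);
        System.out.println("clientAuth=true  -> trust store loaded: " + (tms != null));
    }
}
```

Compile and run with `javac TrustStoreDemo.java && java TrustStoreDemo`. Step 1 is the error path from the stack trace above (KeyStore.load delegating to JavaKeyStore.engineLoad), and steps 2 and 3 show that gating the load on clientAuth removes the failure for the common no-client-auth deployment while keeping the trust store in use where it is actually needed.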
