https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
Summary: truststorePass used in JSSESocketFactory should be optional (nillable)
Product: Tomcat 6
Version: 6.0.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: smmwp...@postfinance.ch

Created an attachment (id=24845)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24845)
Patched JSSESocketFactory.java based on Tomcat 6.0.20

For the moment, a user must set the "truststorePass" in the SSL connector, even if this is not required by the JSSE API (KeyStore.load() with null password is possible for truststores) and is also unwanted in a production environment with "real" truststores, because this may give someone the possibility to manipulate a productive truststore file or give more information than needed.

If the "truststorePass" is not set in the connector element, the current implementation will use the "keystorePass" as the value for "truststorePass" (strange wrong behaviour) and this will lead to an exception.

Proposal: do not set the "truststorePass" if omitted, leave it as null and the SSL connector still works. This should also not affect old Tomcat configurations, where the truststore password equals the keystore password.

See my attached JSSESocketFactory patch (based on 6.0.20)
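
The behaviour described in the report, as an added example that is not Tomcat's code or the attached patch: an in-memory JKS truststore is loaded with the keystorePass fallback, with a null password, and with its own password. The class and method names and both passwords are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

public class TruststorePassDemo {
    // Fallback the report describes: an omitted truststorePass becomes keystorePass.
    static String reportedFallback(String truststorePass, String keystorePass) {
        return truststorePass != null ? truststorePass : keystorePass;
    }

    // Behaviour the report proposes: an omitted truststorePass stays null.
    static String proposed(String truststorePass, String keystorePass) {
        return truststorePass;
    }

    // Returns "loaded" or the reason the load failed.
    static String tryLoad(byte[] jks, String pass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try {
            // With a null password the JKS provider skips the integrity check.
            ts.load(new ByteArrayInputStream(jks),
                    pass == null ? null : pass.toCharArray());
            return "loaded";
        } catch (IOException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS truststore sealed with its own password.
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, "truststore-secret".toCharArray());
        byte[] jks = out.toByteArray();

        String keystorePass = "keystore-secret"; // constructed, differs on purpose
        System.out.println("fallback to keystorePass: "
                + tryLoad(jks, reportedFallback(null, keystorePass)));
        System.out.println("null truststorePass:      "
                + tryLoad(jks, proposed(null, keystorePass)));
        System.out.println("explicit truststorePass:  "
                + tryLoad(jks, proposed("truststore-secret", keystorePass)));
    }
}
```

Because a null password skips the JKS integrity check, a modified truststore file is not detected at load time, so filesystem permissions on the file carry that protection.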