[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)

2022-03-24 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #3 from Mark Thomas  ---
Tomcat has unit tests for this which have been passing consistently for as long
as I can remember. There is also at least one test in the Servlet TCK for this
that Tomcat also passes.

TLS 1.3 changed how client certificate authentication works. It uses a new
process called post handshake authentication. JSSE does not support this on the
server side and currently has no plans to since HTTP/2 does not allow it.

I suspect one of two causes:
1. TLS v1.3 + JSSE
2. Misconfiguration

Tomcat emits a warning if you use certificateVerification="want" with TLS 1.3.

I suspect we need a similar warning for TLS 1.3 +
certificateVerification="none" + CLIENT-CERT

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[GitHub] [tomcat] markt-asf commented on pull request #488: Donating EL Translations

2022-03-24 Thread GitBox


markt-asf commented on pull request #488:
URL: https://github.com/apache/tomcat/pull/488#issuecomment-1077355222


   The files use unicode escapes rather than UTF-8. They should use UTF-8 as 
this makes them easier for native speakers to review.
   
   Tomcat uses POEditor to [manage 
translations](https://cwiki.apache.org/confluence/x/vIPzBQ). POEditor is our 
preferred route for receiving translation updates. Given the volume of updates 
here, we can jump through the additional hoops necessary to accept these 
contributions as a PR but would ask that any future updates go via POEditor.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org






[GitHub] [tomcat] markt-asf commented on pull request #488: Donating EL Translations

2022-03-24 Thread GitBox


markt-asf commented on pull request #488:
URL: https://github.com/apache/tomcat/pull/488#issuecomment-1077358709


   Please rebase the PR. The "writeable" -> "writable" change was made last 
year.





[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)

2022-03-24 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #4 from Martin Stangl  ---
1)
Reconfigured to only use TLS1.2 and verified that OpenSSL is used:
From stderr:
  APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
  OpenSSL successfully initialized [OpenSSL 1.1.1l  24 Aug 2021]
The used TLS version is not shown in the logs - probably need to change some
log config to see it.

Result is still the same.

Full stderr:
2022-03-24 10:25:50 Apache Commons Daemon procrun stderr initialized.
24-Mar-2022 10:25:51.720 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version name:  
Apache Tomcat/9.0.60
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server built: 
Mar 9 2022 14:52:25 UTC
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Server version number:
9.0.60.0
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Name:  
Windows 10
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log OS Version:   
10.0
24-Mar-2022 10:25:51.726 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Architecture: 
amd64
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Java Home:
C:\Program Files\OpenJDK\jdk-17.0.2
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:  
17.0.2+8-86
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:   
Oracle Corporation
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.727 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 9.0
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
24-Mar-2022 10:25:51.752 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djava.util.logging.config.file=C:\Program Files\Apache Software
Foundation\Tomcat 9.0\conf\logging.properties
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Djavax.net.debug=all
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Duser.language=en -Duser.region=US
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.lang=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.base/java.io=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
exit
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
abort
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Xms128m
24-Mar-2022 10:25:51.753 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
-Xmx256m
24-Mar-2022 10:25:51.763 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
Tomcat Native library [1.2.31] using APR version [1.7.0].
24-Mar-2022 10:25:51.763 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities:
IPv6 [true], sendfile [true], accept filters [false], random [true], UDS
[true].
24-Mar-2022 10:25:51.763 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
24-Mar-2022 10:25:51.777 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1l  24 Aug 2021]
24-Mar-2022 10:25:52.164 INFO [main]
org.apache.coyote.ht

[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)

2022-03-24 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #5 from Mark Thomas  ---
Looking at the tested configurations, none of them will work.

Http11NioProtocol - JSSE - Fails due to TLS 1.3 PHA isn't supported
Http11AprProtocol - HTTP/2 - Fails as HTTP/2 doesn't permit PHA

You need to:
- Configure TLS 1.2 only
- Not configure HTTP/2

then it should work with any connector (NIO, NIO2 or APR/Native) and any TLS
implementation (JSSE or OpenSSL).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
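
The two constraints from comments #3 and #5 (no HTTP/2 on a connector that may
have to ask for the certificate after the handshake, and no TLS 1.3 on JSSE
because it has no server-side post-handshake authentication) can be checked
against server.xml before the connector is started, rather than discovered
through a 401. The script below is an added example, not Tomcat's own code: the
server.xml it parses is constructed for illustration, and the accepted
spellings of certificateVerification, the expansion of protocols="all", and the
rule that NIO/NIO2 connectors use OpenSSL only when tomcat-native is loaded are
assumptions marked as such in the comments.

```python
"""Static check of a Tomcat server.xml for the client-certificate combinations
the thread above says cannot work. Added example, not Tomcat code; the sample
server.xml and the mappings marked 'assumption' are this example's own."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: spellings Tomcat accepts for certificateVerification / legacy clientAuth.
_VERIFICATION = {"none": "none", "false": "none", "no": "none",
                 "optional": "optional", "want": "optional",
                 "optionalnoca": "optionalNoCA", "optional_no_ca": "optionalNoCA",
                 "required": "required", "require": "required",
                 "true": "required", "yes": "required"}
_ALL = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}   # assumption: expansion of "all"


@dataclass
class Finding:
    port: str
    rule: str
    severity: str
    message: str


def enabled_protocols(spec: str) -> set:
    """Expand the protocols attribute: "all", a plain list, or +/- edits (assumed relative to "all")."""
    tokens = [t.strip() for t in spec.split(",") if t.strip()]
    enabled = set(_ALL) if all(t[0] in "+-" for t in tokens) else set()
    for t in tokens:
        if t.lower() == "all":
            enabled |= _ALL
        elif t[0] == "+":
            enabled.add(t[1:])
        elif t[0] == "-":
            enabled.discard(t[1:])
        else:
            enabled.add(t)
    return enabled


def lint_connector(conn, native_loaded=False, client_cert_webapp=False):
    """Findings for one <Connector>; only its default <SSLHostConfig> is examined."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return []
    port = conn.get("port", "?")
    host = conn.find("SSLHostConfig")
    hc = host.attrib if host is not None else {}
    spec = hc.get("protocols") or conn.get("sslEnabledProtocols") or "all"
    raw = hc.get("certificateVerification") or conn.get("clientAuth") or "none"
    verification = _VERIFICATION.get(raw.lower(), raw)
    impl = conn.get("sslImplementationName", "")
    # Assumption: the APR connector always uses OpenSSL; NIO/NIO2 use OpenSSL only when
    # tomcat-native is loaded (useOpenSSL [true] in the log) and no JSSE class is named.
    uses_jsse = ("Apr" not in conn.get("protocol", "") and "OpenSSL" not in impl
                 and not (impl == "" and native_loaded))
    h2 = any(u.get("className", "").endswith("Http2Protocol")
             for u in conn.findall("UpgradeProtocol"))
    tls13 = "TLSv1.3" in enabled_protocols(spec)
    # The certificate has to be requested after the handshake (renegotiation on TLS 1.2,
    # PHA on TLS 1.3) when verification is optional, or none with a CLIENT-CERT webapp.
    deferred = verification in ("optional", "optionalNoCA") or (
        verification == "none" and client_cert_webapp)
    findings = []
    if h2 and deferred:
        findings.append(Finding(port, "H2_DEFERRED_CERT", "error",
            f"certificateVerification={verification} with h2: HTTP/2 allows neither "
            "renegotiation nor PHA; remove the UpgradeProtocol or use required"))
    if tls13 and deferred:
        findings.append(Finding(port, "TLS13_PHA", "error" if uses_jsse else "warning",
            ("JSSE has no server-side PHA" if uses_jsse else
             "PHA depends on client support; Tomcat itself warns for optional + TLS 1.3")
            + f'; protocols="{spec}", use protocols="TLSv1.2"'))
    return findings


def lint_server_xml(xml_text, native_loaded=False, client_cert_webapp=False):
    """native_loaded: OpenSSL initialised by AprLifecycleListener;
    client_cert_webapp: some deployed webapp uses <auth-method>CLIENT-CERT</auth-method>."""
    root = ET.fromstring(xml_text)
    return [f for c in root.iter("Connector")
            for f in lint_connector(c, native_loaded, client_cert_webapp)]


# Constructed sample: 8443 is the reporter's situation, 8444 the fix from comment #5,
# 8445 APR/OpenSSL with TLS 1.3 still enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig certificateVerification="optional" truststoreFile="conf/truststore.p12">
      <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
                   truststoreFile="conf/truststore.p12">
      <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="all" certificateVerification="optional" caCertificateFile="conf/ca.pem">
      <Certificate certificateFile="conf/server.pem" certificateKeyFile="conf/server.key"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for f in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"port {f.port} [{f.severity}] {f.rule}: {f.message}")
```

Against a real installation, call lint_server_xml(open("conf/server.xml").read(),
native_loaded=True) when catalina.out shows "useOpenSSL [true]" as in comment #4,
and pass client_cert_webapp=True if any deployed web.xml uses CLIENT-CERT. On the
sample, port 8443 gets both findings as errors, 8444 passes, and 8445 only gets
the TLS 1.3 warning that Tomcat itself logs for optional verification.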



[tomcat] branch main updated: The javadoc needs to be reproducible.

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 61194ee  The javadoc needs to be reproducible.
61194ee is described below

commit 61194eebde1d5466ddaf48f161623141a14d81a2
Author: Mark Thomas 
AuthorDate: Wed Mar 23 12:52:58 2022 +

The javadoc needs to be reproducible.

Some files generated by Javadoc have platform specific line endings
The zip files generated by Javadoc are platform specific as well as
having current last modified times. Re-build the zip files in a
platform neutral format with fixed last modified times.
---
 build.xml  |  20 +++-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 114 +
 2 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 902ade5..a231c17 100644
--- a/build.xml
+++ b/build.xml
@@ -2865,7 +2865,25 @@ skip.installer property in build.properties" />
   
 
 
-
+
+
+
+ 
+
+
+
+  
+  
+
+
+
+  
+
+  
+
 
   
 
diff --git a/java/org/apache/tomcat/buildutil/RepeatableArchive.java 
b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
new file mode 100644
index 000..2997588
--- /dev/null
+++ b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
@@ -0,0 +1,114 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one or more
+* contributor license agreements.  See the NOTICE file distributed with
+* this work for additional information regarding copyright ownership.
+* The ASF licenses this file to You under the Apache License, Version 2.0
+* (the "License"); you may not use this file except in compliance with
+* the License.  You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.tomcat.buildutil;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.StandardCopyOption;
+import java.nio.file.attribute.FileTime;
+import java.util.Enumeration;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipFile;
+import java.util.zip.ZipOutputStream;
+
+import org.apache.tools.ant.BuildException;
+import org.apache.tools.ant.DirectoryScanner;
+import org.apache.tools.ant.Task;
+import org.apache.tools.ant.types.FileSet;
+
+/**
+ * Ant task to assist with repeatable builds.
+ * 
+ * While originally written to address an issue with Javadoc output, this task
+ * takes a generic approach that could be used with any archive. The task takes
+ * a set of zip (or jar, war etc) files as its input and sets the last modified
+ * time of every file in the archive to be the same as the last modified time
+ * of the archive.
+ */
+public class RepeatableArchive extends Task {
+
+private final List filesets = new LinkedList<>();
+
+private long datetime;
+
+/**
+ * Sets the files to be processed
+ *
+ * @param fs The fileset to be processed.
+ */
+public void addFileset(FileSet fs) {
+filesets.add(fs);
+}
+
+
+public void setDatetime(long datetime) {
+this.datetime = datetime;
+}
+
+
+@Override
+public void execute() throws BuildException {
+
+byte[] buf = new byte[8192];
+FileTime lastModified = FileTime.fromMillis(datetime);
+
+for (FileSet fs : filesets) {
+DirectoryScanner ds = fs.getDirectoryScanner(getProject());
+File basedir = ds.getBasedir();
+String[] files = ds.getIncludedFiles();
+for (String file : files) {
+File archive = new File(basedir, file);
+File oldArchive = new File(basedir, file + ".old");
+
+try {
+Files.move(archive.toPath(), oldArchive.toPath(), 
StandardCopyOption.ATOMIC_MOVE);
+
+try (ZipFile oldZipFile = new ZipFile(oldArchive);
+ZipOutputStream zipOut = new ZipOutputStream(new 
FileOutputStream(archive))) {
+
+Enumeration oldEntries = 
oldZipFile.entries();
+while (oldEntries.hasMoreElements()) {
+ZipEntry oldEntry = oldEntries.nextElement();
+
+ZipEntry entry = new ZipEntry(oldEntry.getName());
+entry.setLastModifie
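
Review bot: the class Javadoc says each entry's last modified time is set to the archive's own last modified time, but execute() stamps every entry with the `datetime` attribute supplied from build.xml (`FileTime.fromMillis(datetime)`) and never reads the archive's mtime; align the Javadoc with the code and give `setDatetime` a Javadoc stating that the value is epoch milliseconds. Also, `Files.move(archive.toPath(), oldArchive.toPath(), StandardCopyOption.ATOMIC_MOVE)` has implementation-specific behaviour when `<file>.old` already exists (a leftover from an interrupted run), so delete it first or fail with a clear BuildException; and because the rebuilt zip is written to the original path while the loop is still running, an exception mid-way leaves a truncated archive where the release artifact is expected. The copy keeps the source entry order, which is fine for a single javadoc run but would need sorting by name if the task is reused on archives from tools with nondeterministic ordering.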
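
The commit message above describes the technique (rebuild the zip with a fixed
last modified time on every entry so that the bytes no longer depend on the
build host or build time) but not how to confirm it worked. The following is an
added example in Python, not Tomcat's RepeatableArchive: it normalises an
archive the same way, also fixing entry order and the platform field, and then
checks reproducibility by hashing two differently timestamped builds of the same
content. The "build" that produces the inputs is a constructed stand-in for
javadoc, and the fixed timestamp value is an arbitrary assumption.

```python
"""Make a zip byte-for-byte reproducible by rewriting it with a fixed per-entry
timestamp, stable entry order and platform-neutral metadata, then prove it by
hashing. Added example in Python, not Tomcat's RepeatableArchive; the 'build'
that produces the input archives is a constructed stand-in for javadoc."""
import hashlib
import io
import zipfile

# Assumption: any fixed value works; zip stores local DOS time, so 1980-01-01 is the floor.
FIXED_DATE_TIME = (2022, 3, 23, 12, 52, 58)


def normalise_zip(data: bytes) -> bytes:
    """Rewrite an archive so its bytes depend only on entry names and contents."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):            # stable order
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED   # one method for every entry
            info.create_system = 3                      # 'unix', whatever host built it
            info.external_attr = src.getinfo(name).external_attr  # keep mode bits only
            dst.writestr(info, src.read(name))          # no extra fields, no comment
    return out.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict, date_time: tuple) -> bytes:
    """Stand-in for a tool that writes entries in whatever order it has them,
    stamped with the build time (the non-reproducible input)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, content in files.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return out.getvalue()


def entry_times(data: bytes) -> set:
    """Distinct date_time values found in the archive (one value after normalisation)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.date_time for i in zf.infolist()}


def demo():
    """Two 'builds' of the same content differ until normalised; returns both verdicts."""
    files = {"index.html": b"<html>api docs</html>\n", "element-list": b"module:java.base\n"}
    first = build_zip(files, (2022, 3, 24, 10, 25, 52))
    second = build_zip(dict(reversed(list(files.items()))), (2022, 3, 24, 13, 22, 32))
    return (sha256(first) == sha256(second),
            sha256(normalise_zip(first)) == sha256(normalise_zip(second)))


if __name__ == "__main__":
    before, after = demo()
    print(f"identical before normalisation: {before}, after: {after}")
```

The hash comparison is the check worth adding to a release pipeline: build twice
(ideally on two hosts), normalise, and require equal digests. Note that the
compressed bytes still depend on the zlib version and level used, so the
normaliser has to run with the same library on both sides.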

[tomcat] branch 10.0.x updated: The javadoc needs to be reproducible.

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 59fe4a4  The javadoc needs to be reproducible.
59fe4a4 is described below

commit 59fe4a45178fa937c530ee9cabec53bb59e9f566
Author: Mark Thomas 
AuthorDate: Wed Mar 23 12:52:58 2022 +

The javadoc needs to be reproducible.

Some files generated by Javadoc have platform specific line endings
The zip files generated by Javadoc are platform specific as well as
having current last modified times. Re-build the zip files in a
platform neutral format with fixed last modified times.
---
 build.xml  |  20 +++-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 114 +
 2 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index e92ee2b..0564170 100644
--- a/build.xml
+++ b/build.xml
@@ -2826,7 +2826,25 @@ skip.installer property in build.properties" />
   
 
 
-
+
+
+
+ 
+
+
+
+  
+  
+
+
+
+  
+
+  
+
 
   
 

[tomcat] branch 9.0.x updated: The javadoc needs to be reproducible.

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 0794aba  The javadoc needs to be reproducible.
0794aba is described below

commit 0794aba85359f3e30c305ec6f555e55a02f8
Author: Mark Thomas 
AuthorDate: Wed Mar 23 12:52:58 2022 +

The javadoc needs to be reproducible.

Some files generated by Javadoc have platform specific line endings
The zip files generated by Javadoc are platform specific as well as
having current last modified times. Re-build the zip files in a
platform neutral format with fixed last modified times.
---
 build.xml  |  20 +++-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 114 +
 2 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 7778105..78554c4 100644
--- a/build.xml
+++ b/build.xml
@@ -2808,7 +2808,25 @@ skip.installer property in build.properties" />
   
 
 
-
+
+
+
+ 
+
+
+
+  
+  
+
+
+
+  
+
+  
+
 
   
 

[tomcat] branch 8.5.x updated: The javadoc needs to be reproducible.

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 91963d0  The javadoc needs to be reproducible.
91963d0 is described below

commit 91963d02ee9692e579b0e76ca7929dfd0b866b66
Author: Mark Thomas 
AuthorDate: Wed Mar 23 12:52:58 2022 +

The javadoc needs to be reproducible.

Some files generated by Javadoc have platform specific line endings
The zip files generated by Javadoc are platform specific as well as
having current last modified times. Re-build the zip files in a
platform neutral format with fixed last modified times.
---
 build.xml  |  20 +++-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 114 +
 2 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 75c9b34..4719bd0 100644
--- a/build.xml
+++ b/build.xml
@@ -2498,7 +2498,25 @@ skip.installer property in build.properties" />
   
 
 
-
+
+
+
+ 
+
+
+
+  
+  
+
+
+
+  
+
+  
+
 
   
 

[Bug 65975] CLIENT-CERT authentication does not request cert from client and always denies access (401)

2022-03-24 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #6 from Martin Stangl  ---
Hi Mark,

this did the trick. You definitely know your stuff. Thanks a lot.

I used TLS1.2 and the OpenSSL TLS implementation and tested both
org.apache.coyote.http11.Http11NioProtocol and
org.apache.coyote.http11.Http11AprProtocol.

Both worked.

org.apache.coyote.http11.Http11NioProtocol perfectly so. Authentication and
response from Tomcat happened immediately after selecting the certificate in
the browser. Felt almost faster than delivering a static page.

org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after
selecting the certificate in the browser. 

Tested with Chrome, Edge and Postman with identical results.

I am happy with Nio working. 
But if you want to look into the issue with
org.apache.coyote.http11.Http11AprProtocol, I am willing to support with
testing.

stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL. 
Pauses after "Calling authenticate()":

24-Mar-2022 12:42:07.712 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'CN=T-base-CA, DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user
[EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated
'EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro' with type 'CLIENT_CERT'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
accessControl()
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles
GenericPrincipal[EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro()]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasRole Username
[EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] has role [user]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasResourcePermission Role found:  user
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed
all security constraints




[tomcat] branch main updated: Log a warning if a Connector is configured with h2 + optional cert auth

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 1edc9d8  Log a warning if a Connector is configured with h2 + optional 
cert auth
1edc9d8 is described below

commit 1edc9d81e4bcb4ad8ca927af8d5222dfc5b418ba
Author: Mark Thomas 
AuthorDate: Thu Mar 24 13:22:31 2022 +

Log a warning if a Connector is configured with h2 + optional cert auth

The HTTP/2 specification (RFC 7540) explicitly disallows renegotiation
for TLS 1.2 and RFC 8740 explicitly disallows PHA with TLS 1.3 and
HTTP/2
---
 .../apache/tomcat/util/net/AbstractJsseEndpoint.java   |  8 
 .../org/apache/tomcat/util/net/LocalStrings.properties |  3 ++-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 18 ++
 webapps/docs/changelog.xml |  6 ++
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java 
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index b28f1e2..43fc71d 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -82,6 +82,14 @@ public abstract class AbstractJsseEndpoint extends 
AbstractEndpoint {
 
 @Override
 protected void createSSLContext(SSLHostConfig sslHostConfig) throws 
IllegalArgumentException {
+
+// HTTP/2 does not permit optional certificate authentication with any
+// version of TLS.
+if (sslHostConfig.getCertificateVerification().isOptional() &&
+negotiableProtocols.contains("h2")) {
+
getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", 
sslHostConfig.getHostName()));
+}
+
 boolean firstCertificate = true;
 for (SSLHostConfigCertificate certificate : 
sslHostConfig.getCertificates(true)) {
 SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
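Review bot: the new block in createSSLContext() only logs a warning and then carries on building the SSL context, so a connector whose SSLHostConfig combines optional certificate verification with h2 still starts and will fail client-certificate authentication at request time rather than at startup; given that the method already declares `throws IllegalArgumentException` and the added comment says no TLS version permits this combination, consider rejecting it outright, or, if a warning is the intended behaviour, say so in the changelog entry. Note also that the check sits ahead of the `for (SSLHostConfigCertificate certificate : ...)` loop and runs on every call to createSSLContext(), so the same warning will be repeated whenever the context is rebuilt; a sentence in the comment saying that is deliberate would save the next reader from wondering.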
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 8c22c84..7a93d14 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -139,6 +139,7 @@ socketWrapper.writeTimeout=Write timeout
 
 sslHostConfig.certificate.notype=Multiple certificates were specified and at 
least one is missing the required attribute type
 sslHostConfig.certificateVerificationInvalid=The certificate verification 
value [{0}] is not recognised
+sslHostConfig.certificateVerificationWithHttp2=The TLS virtual host [{0}] is 
configured for optional certificate verification and the enclosing connector is 
configured to support upgrade to h2. HTTP/2 over TLS does not permit optional 
certificate verification.
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password 
could not be used to unlock and/or validate the trust store. Retrying to access 
the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named 
[{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being 
used with the [{3}] configuration syntax
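Review bot: sslHostConfig.certificateVerificationWithHttp2 identifies only the TLS virtual host ([{0}] is sslHostConfig.getHostName()), but the condition is a property of the connector as much as of the host, and the same host name can be configured on several connectors; passing the connector's port or name as a second argument would tell an operator which Connector element to fix. The wording "configured to support upgrade to h2" also suggests HTTP/1.1 Upgrade, whereas the code tests `negotiableProtocols.contains("h2")`; "configured to negotiate h2" would mirror what is actually checked.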
@@ -162,6 +163,6 @@ sslUtilBase.noVerificationDepth=The truststoreProvider 
[{0}] does not support th
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL 
engine : [{1}]
 sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL 
engine and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to 
be insecure.
-sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support 
authentication after the initial handshake and is therefore incompatible with 
optional client authentication
+sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post 
handshake authentication (PHA) and is therefore incompatible with optional 
certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted 
certificate with alias [{0}] were not checked as the certificate was of an 
unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and 
DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted 
certificate WILL be accepted
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index af60ecc..81552f4 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -774,10 +774,20 @@ public class SSLHostConfig implements Serializable {
 
 
 public enum CertificateVerification {
-NONE,
-OPTIONAL_NO_CA,
-   

[tomcat] branch 10.0.x updated: Log a warning if a Connector is configured with h2 + optional cert auth

2022-03-24 Thread markt

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 94e24b9  Log a warning if a Connector is configured with h2 + optional 
cert auth
94e24b9 is described below

commit 94e24b9b4fada2b08d166cf60b5b24af64f4de62
Author: Mark Thomas 
AuthorDate: Thu Mar 24 13:22:31 2022 +

Log a warning if a Connector is configured with h2 + optional cert auth

The HTTP/2 specification (RFC 7540) explicitly disallows renegotiation
for TLS 1.2 and RFC 8740 explicitly disallows PHA with TLS 1.3 and
HTTP/2
---
 .../apache/tomcat/util/net/AbstractJsseEndpoint.java   |  8 
 .../org/apache/tomcat/util/net/LocalStrings.properties |  3 ++-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 18 ++
 webapps/docs/changelog.xml |  6 ++
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java 
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 925e91d..10fdbdc 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -83,6 +83,14 @@ public abstract class AbstractJsseEndpoint extends 
AbstractEndpoint {
 
 @Override
 protected void createSSLContext(SSLHostConfig sslHostConfig) throws 
IllegalArgumentException {
+
+// HTTP/2 does not permit optional certificate authentication with any
+// version of TLS.
+if (sslHostConfig.getCertificateVerification().isOptional() &&
+negotiableProtocols.contains("h2")) {
+
getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", 
sslHostConfig.getHostName()));
+}
+
 boolean firstCertificate = true;
 for (SSLHostConfigCertificate certificate : 
sslHostConfig.getCertificates(true)) {
 SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index a8c8eb7..ecc2e9d 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -160,6 +160,7 @@ socketWrapper.writeTimeout=Write timeout
 
 sslHostConfig.certificate.notype=Multiple certificates were specified and at 
least one is missing the required attribute type
 sslHostConfig.certificateVerificationInvalid=The certificate verification 
value [{0}] is not recognised
+sslHostConfig.certificateVerificationWithHttp2=The TLS virtual host [{0}] is 
configured for optional certificate verification and the enclosing connector is 
configured to support upgrade to h2. HTTP/2 over TLS does not permit optional 
certificate verification.
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password 
could not be used to unlock and/or validate the trust store. Retrying to access 
the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named 
[{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being 
used with the [{3}] configuration syntax
@@ -183,6 +184,6 @@ sslUtilBase.noVerificationDepth=The truststoreProvider 
[{0}] does not support th
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL 
engine : [{1}]
 sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL 
engine and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to 
be insecure.
-sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support 
authentication after the initial handshake and is therefore incompatible with 
optional client authentication
+sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post 
handshake authentication (PHA) and is therefore incompatible with optional 
certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted 
certificate with alias [{0}] were not checked as the certificate was of an 
unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and 
DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted 
certificate WILL be accepted
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index af60ecc..81552f4 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -774,10 +774,20 @@ public class SSLHostConfig implements Serializable {
 
 
 public enum CertificateVerification {
-NONE,
-OPTIONAL_NO_CA,

[tomcat] branch 9.0.x updated: Log a warning if a Connector is configured with h2 + optional cert auth

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new c2a0d12  Log a warning if a Connector is configured with h2 + optional 
cert auth
c2a0d12 is described below

commit c2a0d12fc9093c503838895369d6ffeb6f03acaa
Author: Mark Thomas 
AuthorDate: Thu Mar 24 13:22:31 2022 +

Log a warning if a Connector is configured with h2 + optional cert auth

The HTTP/2 specification (RFC 7540) explicitly disallows renegotiation
for TLS 1.2 and RFC 8740 explicitly disallows PHA with TLS 1.3 and
HTTP/2
---
 .../apache/tomcat/util/net/AbstractJsseEndpoint.java   |  8 
 .../org/apache/tomcat/util/net/LocalStrings.properties |  3 ++-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 18 ++
 webapps/docs/changelog.xml |  6 ++
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java 
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index d43ea54..08518f8 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -83,6 +83,14 @@ public abstract class AbstractJsseEndpoint extends 
AbstractEndpoint {
 
 @Override
 protected void createSSLContext(SSLHostConfig sslHostConfig) throws 
IllegalArgumentException {
+
+// HTTP/2 does not permit optional certificate authentication with any
+// version of TLS.
+if (sslHostConfig.getCertificateVerification().isOptional() &&
+negotiableProtocols.contains("h2")) {
+
getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", 
sslHostConfig.getHostName()));
+}
+
 boolean firstCertificate = true;
 for (SSLHostConfigCertificate certificate : 
sslHostConfig.getCertificates(true)) {
 SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index a8c8eb7..ecc2e9d 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -160,6 +160,7 @@ socketWrapper.writeTimeout=Write timeout
 
 sslHostConfig.certificate.notype=Multiple certificates were specified and at 
least one is missing the required attribute type
 sslHostConfig.certificateVerificationInvalid=The certificate verification 
value [{0}] is not recognised
+sslHostConfig.certificateVerificationWithHttp2=The TLS virtual host [{0}] is 
configured for optional certificate verification and the enclosing connector is 
configured to support upgrade to h2. HTTP/2 over TLS does not permit optional 
certificate verification.
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password 
could not be used to unlock and/or validate the trust store. Retrying to access 
the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named 
[{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being 
used with the [{3}] configuration syntax
@@ -183,6 +184,6 @@ sslUtilBase.noVerificationDepth=The truststoreProvider 
[{0}] does not support th
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL 
engine : [{1}]
 sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL 
engine and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to 
be insecure.
-sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support 
authentication after the initial handshake and is therefore incompatible with 
optional client authentication
+sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post 
handshake authentication (PHA) and is therefore incompatible with optional 
certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted 
certificate with alias [{0}] were not checked as the certificate was of an 
unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and 
DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted 
certificate WILL be accepted
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 61917d6..c381c4d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -900,10 +900,20 @@ public class SSLHostConfig implements Serializable {
 
 
 public enum CertificateVerification {
-NONE,
-OPTIONAL_NO_CA,
- 

[tomcat] branch 8.5.x updated: Log a warning if a Connector is configured with h2 + optional cert auth

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 9869266  Log a warning if a Connector is configured with h2 + optional 
cert auth
9869266 is described below

commit 9869266bfff043245b39fb12ec6a23818105b8c8
Author: Mark Thomas 
AuthorDate: Thu Mar 24 13:22:31 2022 +

Log a warning if a Connector is configured with h2 + optional cert auth

The HTTP/2 specification (RFC 7540) explicitly disallows renegotiation
for TLS 1.2 and RFC 8740 explicitly disallows PHA with TLS 1.3 and
HTTP/2
---
 .../apache/tomcat/util/net/AbstractJsseEndpoint.java   |  8 
 .../org/apache/tomcat/util/net/LocalStrings.properties |  3 ++-
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 18 ++
 webapps/docs/changelog.xml |  6 ++
 4 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java 
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 9cf780f..abbdba8 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -84,6 +84,14 @@ public abstract class AbstractJsseEndpoint extends 
AbstractEndpoint {
 
 @Override
 protected void createSSLContext(SSLHostConfig sslHostConfig) throws 
IllegalArgumentException {
+
+// HTTP/2 does not permit optional certificate authentication with any
+// version of TLS.
+if (sslHostConfig.getCertificateVerification().isOptional() &&
+negotiableProtocols.contains("h2")) {
+
getLog().warn(sm.getString("sslHostConfig.certificateVerificationWithHttp2", 
sslHostConfig.getHostName()));
+}
+
 boolean firstCertificate = true;
 for (SSLHostConfigCertificate certificate : 
sslHostConfig.getCertificates(true)) {
 SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index 22a161d..1f8f1c3 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -155,6 +155,7 @@ socketWrapper.writeTimeout=Write timeout
 
 sslHostConfig.certificate.notype=Multiple certificates were specified and at 
least one is missing the required attribute type
 sslHostConfig.certificateVerificationInvalid=The certificate verification 
value [{0}] is not recognised
+sslHostConfig.certificateVerificationWithHttp2=The TLS virtual host [{0}] is 
configured for optional certificate verification and the enclosing connector is 
configured to support upgrade to h2. HTTP/2 over TLS does not permit optional 
certificate verification.
 sslHostConfig.fileNotFound=Configured file [{0}] does not exist
 sslHostConfig.invalid_truststore_password=The provided trust store password 
could not be used to unlock and/or validate the trust store. Retrying to access 
the trust store with a null password which will skip validation.
 sslHostConfig.mismatch=The property [{0}] was set on the SSLHostConfig named 
[{1}] and is for the [{2}] configuration syntax but the SSLHostConfig is being 
used with the [{3}] configuration syntax
@@ -178,6 +179,6 @@ sslUtilBase.noVerificationDepth=The truststoreProvider 
[{0}] does not support th
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL 
engine : [{1}]
 sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL 
engine and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to 
be insecure.
-sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support 
authentication after the initial handshake and is therefore incompatible with 
optional client authentication
+sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post 
handshake authentication (PHA) and is therefore incompatible with optional 
certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted 
certificate with alias [{0}] were not checked as the certificate was of an 
unknown type
 sslUtilBase.trustedCertNotValid=The trusted certificate with alias [{0}] and 
DN [{1}] is not valid due to [{2}]. Certificates signed by this trusted 
certificate WILL be accepted
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 56d7b6a..ed097ea 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -910,10 +910,20 @@ public class SSLHostConfig implements Serializable {
 
 
 public enum CertificateVerification {
-NONE,
-OPTIONAL_NO_CA,
- 

[tomcat] branch main updated: Remove incorrect comment

2022-03-24 Thread markt

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 00767d3  Remove incorrect comment
00767d3 is described below

commit 00767d30843237510181a6ece2547a34dd42b785
Author: Mark Thomas 
AuthorDate: Thu Mar 24 14:00:37 2022 +

Remove incorrect comment
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index bb5ffcd..9844b22 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -35,8 +35,6 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
-// - Public Methods
-
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then




[tomcat] branch 10.0.x updated: Remove incorrect comment

2022-03-24 Thread markt

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new e97f882  Remove incorrect comment
e97f882 is described below

commit e97f882d9ed471a5b36a4541946f32e98b5e
Author: Mark Thomas 
AuthorDate: Thu Mar 24 14:00:37 2022 +

Remove incorrect comment
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index bb5ffcd..9844b22 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -35,8 +35,6 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
-// - Public Methods
-
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then




[tomcat] branch 9.0.x updated: Remove incorrect comment

2022-03-24 Thread markt

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new b5076fe  Remove incorrect comment
b5076fe is described below

commit b5076feb6c7580db784f8d4993374d9a5a05f9eb
Author: Mark Thomas 
AuthorDate: Thu Mar 24 14:00:37 2022 +

Remove incorrect comment
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index ee771c4..c484424 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -35,8 +35,6 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
-// - Public Methods
-
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then




[tomcat] branch 8.5.x updated: Remove incorrect comment

2022-03-24 Thread markt

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 5136cd6  Remove incorrect comment
5136cd6 is described below

commit 5136cd601f870163105f2a90171e558780e83a01
Author: Mark Thomas 
AuthorDate: Thu Mar 24 14:00:37 2022 +

Remove incorrect comment
---
 java/org/apache/catalina/authenticator/SSLAuthenticator.java | 2 --
 1 file changed, 2 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index ee771c4..c484424 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -35,8 +35,6 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
-// - Public Methods
-
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then




[GitHub] [tomcat] volosied commented on pull request #488: Donating EL Translations

2022-03-24 Thread GitBox


volosied commented on pull request #488:
URL: https://github.com/apache/tomcat/pull/488#issuecomment-1077702530


Hey Mark, these translations were done with files prior to the `"writeable" -> "writable"` change (which I had updated manually for this PR). I squashed the two commits.

I went ahead and made a new commit which converted the unicode escape characters to UTF-8.
   





[tomcat] branch main updated: Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

2022-03-24 Thread markt

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 43df99e  Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not 
supported
43df99e is described below

commit 43df99e05cfa4d0eaed30cb03f65ee687ff0ce54
Author: Mark Thomas 
AuthorDate: Thu Mar 24 16:19:09 2022 +

Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

CLIENT-CERT requires post-handshake authentication (PHA) to work with
TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA.
---
 .../catalina/authenticator/LocalStrings.properties |  3 +
 .../catalina/authenticator/SSLAuthenticator.java   | 70 ++
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 12 
 java/org/apache/tomcat/util/net/SSLUtilBase.java   |  6 +-
 webapps/docs/changelog.xml | 10 +++-
 5 files changed, 98 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties 
b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 0030ce3..81acc29 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -70,3 +70,6 @@ spnegoAuthenticator.authHeaderNoToken=The Negotiate 
authorization header sent by
 spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the 
client did not start with Negotiate
 spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
 spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied 
ticket
+
+sslAuthenticatorValve.http2=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
HTTP/2. Use of CLIENT-CERT authentication is not compatible with the use of 
HTTP/2.
+sslAuthenticatorValve.tls13=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
TLS 1.3 using JSSE. Use of CLIENT-CERT authentication is not compatible with 
the use of TLS 1.3 and JSSE.
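Review bot: the new keys are named sslAuthenticatorValve.http2 and sslAuthenticatorValve.tls13, while the class that uses them is SSLAuthenticator and the neighbouring keys in this file follow the class name (spnegoAuthenticator.*); sslAuthenticator.http2 / sslAuthenticator.tls13 would keep the file consistent. Both messages also stop at "is not compatible" without saying what the operator will observe or what to change; a short hint of the symptom (per the commit message, the certificate cannot be requested after the handshake, so CLIENT-CERT authentication cannot succeed) and of the available fixes would make the warning actionable rather than just alarming.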
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 9844b22..30344b9 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -23,9 +23,20 @@ import java.security.cert.X509Certificate;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
 import org.apache.catalina.Globals;
+import org.apache.catalina.Host;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.connector.Connector;
 import org.apache.catalina.connector.Request;
 import org.apache.coyote.ActionCode;
+import org.apache.coyote.UpgradeProtocol;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLHostConfig;
 
 /**
  * An Authenticator and Valve implementation of authentication
@@ -35,6 +46,8 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
+private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must 
not be static
+
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then
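Review bot: the comment on `private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must not be static` states the constraint but not the reason, so the next person touching this file has no way to check whether it still applies; spell out in the comment which per-web-application logging behaviour a per-instance logger preserves, or point at where that convention is documented. Also confirm that AuthenticatorBase does not already expose a logger this subclass should reuse, since the field is private to the subclass.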
@@ -137,4 +150,61 @@ public class SSLAuthenticator extends AuthenticatorBase {
 
 return certs;
 }
+
+
+@Override
+protected synchronized void startInternal() throws LifecycleException {
+
+super.startInternal();
+
+/*
+ * This Valve should only ever be added to a Context and if the Context
+ * is started there should always be a Host and an Engine but test at
+ * each stage to be safe.
+ */
+Container container = getContainer();
+if (!(container instanceof Context)) {
+return;
+}
+Context context = (Context) container;
+
+container = context.getParent();
+if (!(container instanceof Host)) {
+return;
+}
+Host host = (Host) container;
+
+container = host.getParent();
+if (!(container instanceof Engine)) {
+return;
+}
+Engine engine = (Engine) container;
+
+
+Connector[] connectors = engine.getService().findConnectors();
+
+for (Connector connector : connectors) {
+// First check for upgrade
+UpgradeProtocol[] upgradeProtocols = 
connector.findUpgradeProtocols();
+for (Upg
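Review bot: the container walk is guarded at every step ("test at each stage to be safe"), but `engine.getService().findConnectors()` is then dereferenced without any check; an Engine that is not attached to a Service (e.g. in embedded use) would make startInternal() throw a NullPointerException after super.startInternal() has already run, so guard getService() the same way as the containers and return. It is also worth stating in the method's Javadoc that the check runs once, when the Valve starts, and inspects only the connectors and upgrade protocols present at that moment, so a connector or SSLHostConfig added or changed afterwards will not trigger the warning.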

[tomcat] branch 10.0.x updated: Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

2022-03-24 Thread markt

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 0d5fdc3  Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not 
supported
0d5fdc3 is described below

commit 0d5fdc30f379c060fe5ccb7301231152f4341f16
Author: Mark Thomas 
AuthorDate: Thu Mar 24 16:19:09 2022 +

Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

CLIENT-CERT requires post-handshake authentication (PHA) to work with
TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA.
---
 .../catalina/authenticator/LocalStrings.properties |  3 +
 .../catalina/authenticator/SSLAuthenticator.java   | 70 ++
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 12 
 java/org/apache/tomcat/util/net/SSLUtilBase.java   |  6 +-
 webapps/docs/changelog.xml | 10 +++-
 5 files changed, 98 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties 
b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 0030ce3..81acc29 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -70,3 +70,6 @@ spnegoAuthenticator.authHeaderNoToken=The Negotiate 
authorization header sent by
 spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the 
client did not start with Negotiate
 spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
 spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied 
ticket
+
+sslAuthenticatorValve.http2=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
HTTP/2. Use of CLIENT-CERT authentication is not compatible with the use of 
HTTP/2.
+sslAuthenticatorValve.tls13=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
TLS 1.3 using JSSE. Use of CLIENT-CERT authentication is not compatible with 
the use of TLS 1.3 and JSSE.
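Review bot: the new `sslAuthenticatorValve.tls13` message names the incompatibility but not what the operator should change, so the warning will be answered with a web search rather than a config edit; since the text already pins the limitation to JSSE, put the remedies in the message itself, e.g. request the certificate in the initial handshake with `certificateVerification="required"` on that SSLHostConfig, or remove TLSv1.3 from its `protocols` list. The `sslAuthenticatorValve.` key prefix also differs from the class name `SSLAuthenticator` and from the `<className>.` pattern the neighbouring `spnegoAuthenticator.*` keys follow; check it matches the prefix the class already uses. Finally, both messages would read better with the connector identified as such (`connector [{2}]`) instead of a bare `[{2}]`.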
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 9844b22..30344b9 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -23,9 +23,20 @@ import java.security.cert.X509Certificate;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
 import org.apache.catalina.Globals;
+import org.apache.catalina.Host;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.connector.Connector;
 import org.apache.catalina.connector.Request;
 import org.apache.coyote.ActionCode;
+import org.apache.coyote.UpgradeProtocol;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLHostConfig;
 
 /**
  * An Authenticator and Valve implementation of authentication
@@ -35,6 +46,8 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
+private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must 
not be static
+
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then
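Review bot: `// must not be static` states a rule without its reason, which is exactly what the next person tidying fields into `static final` will need; spell it out, presumably that JULI binds a Log to the class loader that is current when it is obtained, so an instance field created while the Context starts logs to that webapp's log, whereas a static field would stay pinned to whichever loader initialised the class first.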
@@ -137,4 +150,61 @@ public class SSLAuthenticator extends AuthenticatorBase {
 
 return certs;
 }
+
+
+@Override
+protected synchronized void startInternal() throws LifecycleException {
+
+super.startInternal();
+
+/*
+ * This Valve should only ever be added to a Context and if the Context
+ * is started there should always be a Host and an Engine but test at
+ * each stage to be safe.
+ */
+Container container = getContainer();
+if (!(container instanceof Context)) {
+return;
+}
+Context context = (Context) container;
+
+container = context.getParent();
+if (!(container instanceof Host)) {
+return;
+}
+Host host = (Host) container;
+
+container = host.getParent();
+if (!(container instanceof Engine)) {
+return;
+}
+Engine engine = (Engine) container;
+
+
+Connector[] connectors = engine.getService().findConnectors();
+
+for (Connector connector : connectors) {
+// First check for upgrade
+UpgradeProtocol[] upgradeProtocols = 
connector.findUpgradeProtocols();
+for 
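Review bot: `engine.getService().findConnectors()` dereferences `getService()` with no null check, although the comment two blocks up promises to "test at each stage to be safe" and every parent cast before it is guarded; assign the Service first and return when it is null, matching the surrounding style. Also worth stating in the changelog entry that this is a start-time diagnostic only: the Context still starts, and a CLIENT-CERT protected request on such a connector is still refused at runtime, so operators who do not read the log keep the original symptom. Because the connectors are walked once here, a TLS configuration changed later through JMX is not re-checked either.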

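The two start-time warnings this commit introduces, recast as an offline lint a deployer can run over server.xml and web.xml before starting Tomcat. This is an added example written for this page, not Tomcat code. The attribute names it reads (`SSLEnabled`, `sslImplementationName`, `UpgradeProtocol className`, `SSLHostConfig protocols`, `certificateVerification`) are Tomcat's, but the inference rules are this example's own simplifications: JSSE is assumed unless `sslImplementationName` names OpenSSL, `protocols="all"` is taken to enable TLSv1.3, and the TLS 1.3 finding is raised only when `certificateVerification` is not `required`, on the reasoning that `required` has the certificate requested in the initial handshake rather than after it. The server.xml and web.xml inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample inputs for this example, not taken from any deployment.
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# The combination the commit warns about: JSSE, TLSv1.3 enabled through
# protocols="all", no certificate requested in the initial handshake, HTTP/2 on.
SERVER_XML_BAD = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig protocols="all" certificateVerification="none"
                   truststoreFile="conf/client-ca.jks">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Same connector with the certificate demanded in the initial handshake and
# the HTTP/2 upgrade protocol removed.
SERVER_XML_FIXED = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true">
    <SSLHostConfig protocols="all" certificateVerification="required"
                   truststoreFile="conf/client-ca.jks">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as {https://jakarta.ee/...}."""
    return tag.rsplit("}", 1)[-1]


def uses_client_cert(web_xml: str) -> bool:
    """True when web.xml declares <auth-method>CLIENT-CERT</auth-method>."""
    return any(
        _local(el.tag) == "auth-method" and (el.text or "").strip().upper() == "CLIENT-CERT"
        for el in ET.fromstring(web_xml).iter()
    )


def tls13_enabled(protocols: str) -> bool:
    """Evaluate a Tomcat protocols list left to right: 'all' or 'TLSv1.3' switch
    TLS 1.3 on, a '-' prefix switches it off (simplified model, an assumption of
    this example, of how SSLHostConfig interprets the attribute)."""
    enabled = False
    for tok in re.split(r"[,\s]+", protocols.strip()):
        if not tok:
            continue
        sign, name = ("+", tok) if tok[0] not in "+-" else (tok[0], tok[1:])
        if name.lower() in ("all", "tlsv1.3"):
            enabled = sign == "+"
    return enabled


def lint(server_xml: str, web_xml: str) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for every SSL connector that cannot serve a
    CLIENT-CERT webapp: 'http2' when the HTTP/2 upgrade protocol is configured,
    'tls13' when JSSE has TLS 1.3 enabled without certificateVerification=required."""
    if not uses_client_cert(web_xml):
        return []
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # Assumption: JSSE unless the operator explicitly named OpenSSL.
        jsse = "openssl" not in conn.get("sslImplementationName", "").lower()
        if any(u.get("className") == HTTP2_CLASS for u in conn.findall("UpgradeProtocol")):
            findings.append((port, "http2"))
        for shc in conn.findall("SSLHostConfig"):
            verify = shc.get("certificateVerification", "none").lower()
            if jsse and tls13_enabled(shc.get("protocols", "all")) and verify != "required":
                findings.append((port, "tls13"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", SERVER_XML_BAD), ("fixed", SERVER_XML_FIXED)):
        print(label, lint(cfg, WEB_XML))
```

Running the script reports both findings for the first configuration and none for the second. The other way to clear the `tls13` finding is to leave `certificateVerification` alone and take TLS 1.3 out of the connector (`protocols="all,-TLSv1.3"`), which `tls13_enabled` also recognises.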
[tomcat] branch 9.0.x updated: Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new ec422ee  Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not 
supported
ec422ee is described below

commit ec422eed9929aea8328879b741e7ed785ed0df51
Author: Mark Thomas 
AuthorDate: Thu Mar 24 16:19:09 2022 +

Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

CLIENT-CERT requires post-handshake authentication (PHA) to work with
TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA.
---
 .../catalina/authenticator/LocalStrings.properties |  3 +
 .../catalina/authenticator/SSLAuthenticator.java   | 70 ++
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 12 
 java/org/apache/tomcat/util/net/SSLUtilBase.java   |  6 +-
 webapps/docs/changelog.xml | 10 +++-
 5 files changed, 98 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties 
b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 0030ce3..81acc29 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -70,3 +70,6 @@ spnegoAuthenticator.authHeaderNoToken=The Negotiate 
authorization header sent by
 spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the 
client did not start with Negotiate
 spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
 spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied 
ticket
+
+sslAuthenticatorValve.http2=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
HTTP/2. Use of CLIENT-CERT authentication is not compatible with the use of 
HTTP/2.
+sslAuthenticatorValve.tls13=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
TLS 1.3 using JSSE. Use of CLIENT-CERT authentication is not compatible with 
the use of TLS 1.3 and JSSE.
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index c484424..a406061 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -23,9 +23,20 @@ import java.security.cert.X509Certificate;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
 import org.apache.catalina.Globals;
+import org.apache.catalina.Host;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.connector.Connector;
 import org.apache.catalina.connector.Request;
 import org.apache.coyote.ActionCode;
+import org.apache.coyote.UpgradeProtocol;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLHostConfig;
 
 /**
  * An Authenticator and Valve implementation of authentication
@@ -35,6 +46,8 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
+private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must 
not be static
+
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then
@@ -137,4 +150,61 @@ public class SSLAuthenticator extends AuthenticatorBase {
 
 return certs;
 }
+
+
+@Override
+protected synchronized void startInternal() throws LifecycleException {
+
+super.startInternal();
+
+/*
+ * This Valve should only ever be added to a Context and if the Context
+ * is started there should always be a Host and an Engine but test at
+ * each stage to be safe.
+ */
+Container container = getContainer();
+if (!(container instanceof Context)) {
+return;
+}
+Context context = (Context) container;
+
+container = context.getParent();
+if (!(container instanceof Host)) {
+return;
+}
+Host host = (Host) container;
+
+container = host.getParent();
+if (!(container instanceof Engine)) {
+return;
+}
+Engine engine = (Engine) container;
+
+
+Connector[] connectors = engine.getService().findConnectors();
+
+for (Connector connector : connectors) {
+// First check for upgrade
+UpgradeProtocol[] upgradeProtocols = 
connector.findUpgradeProtocols();
+for (Upgra
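Review bot: as in the 10.0.x commit of this change, `engine.getService().findConnectors()` is the one step of this parent walk without a null guard even though the comment above says to test at each stage; store the Service in a local and return when it is null.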

[tomcat] branch 8.5.x updated: Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 2c0d8c3  Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not 
supported
2c0d8c3 is described below

commit 2c0d8c3c9cf2309ca045f49de7ddf6221b397934
Author: Mark Thomas 
AuthorDate: Thu Mar 24 16:19:09 2022 +

Log a warning for CLIENT-CERT + JSSE TLS 1.3 as PHA is not supported

CLIENT-CERT requires post-handshake authentication (PHA) to work with
TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA.
---
 .../catalina/authenticator/LocalStrings.properties |  3 +
 .../catalina/authenticator/SSLAuthenticator.java   | 70 ++
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 12 
 java/org/apache/tomcat/util/net/SSLUtilBase.java   |  6 +-
 webapps/docs/changelog.xml | 10 +++-
 5 files changed, 98 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties 
b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 0030ce3..81acc29 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -70,3 +70,6 @@ spnegoAuthenticator.authHeaderNoToken=The Negotiate 
authorization header sent by
 spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the 
client did not start with Negotiate
 spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
 spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied 
ticket
+
+sslAuthenticatorValve.http2=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
HTTP/2. Use of CLIENT-CERT authentication is not compatible with the use of 
HTTP/2.
+sslAuthenticatorValve.tls13=The context [{0}] in virtual host [{1}] is 
configured to use CLIENT-CERT authentication and [{2}] is configured to support 
TLS 1.3 using JSSE. Use of CLIENT-CERT authentication is not compatible with 
the use of TLS 1.3 and JSSE.
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java 
b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index c484424..a406061 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -23,9 +23,20 @@ import java.security.cert.X509Certificate;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
 import org.apache.catalina.Globals;
+import org.apache.catalina.Host;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.connector.Connector;
 import org.apache.catalina.connector.Request;
 import org.apache.coyote.ActionCode;
+import org.apache.coyote.UpgradeProtocol;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.SSLHostConfig;
 
 /**
  * An Authenticator and Valve implementation of authentication
@@ -35,6 +46,8 @@ import org.apache.coyote.ActionCode;
  */
 public class SSLAuthenticator extends AuthenticatorBase {
 
+private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must 
not be static
+
 /**
  * Authenticate the user by checking for the existence of a certificate
  * chain, validating it against the trust manager for the connector and 
then
@@ -137,4 +150,61 @@ public class SSLAuthenticator extends AuthenticatorBase {
 
 return certs;
 }
+
+
+@Override
+protected synchronized void startInternal() throws LifecycleException {
+
+super.startInternal();
+
+/*
+ * This Valve should only ever be added to a Context and if the Context
+ * is started there should always be a Host and an Engine but test at
+ * each stage to be safe.
+ */
+Container container = getContainer();
+if (!(container instanceof Context)) {
+return;
+}
+Context context = (Context) container;
+
+container = context.getParent();
+if (!(container instanceof Host)) {
+return;
+}
+Host host = (Host) container;
+
+container = host.getParent();
+if (!(container instanceof Engine)) {
+return;
+}
+Engine engine = (Engine) container;
+
+
+Connector[] connectors = engine.getService().findConnectors();
+
+for (Connector connector : connectors) {
+// First check for upgrade
+UpgradeProtocol[] upgradeProtocols = 
connector.findUpgradeProtocols();
+for (Upgra
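Review bot: same remark as for the 9.0.x and 10.0.x versions of this hunk: `engine.getService()` is dereferenced unguarded while every cast before it is checked, which contradicts the "test at each stage to be safe" comment; add the null check for consistency.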

[tomcat] branch main updated: Fix build when ant.tstamp.now is not specified

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new f7b9a00  Fix build when ant.tstamp.now is not specified
f7b9a00 is described below

commit f7b9a00893c3958ec290b206e14d7dfae8f0c760
Author: Mark Thomas 
AuthorDate: Thu Mar 24 17:00:22 2022 +

Fix build when ant.tstamp.now is not specified
---
 build.xml  |  2 +-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 23 +++---
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/build.xml b/build.xml
index a231c17..b0f96d3 100644
--- a/build.xml
+++ b/build.xml
@@ -2879,7 +2879,7 @@ skip.installer property in build.properties" />
 
-
+
   
 
   
diff --git a/java/org/apache/tomcat/buildutil/RepeatableArchive.java 
b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
index 2997588..1348ee6 100644
--- a/java/org/apache/tomcat/buildutil/RepeatableArchive.java
+++ b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
@@ -23,6 +23,9 @@ import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.attribute.FileTime;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.LinkedList;
 import java.util.List;
@@ -48,7 +51,8 @@ public class RepeatableArchive extends Task {
 
 private final List filesets = new LinkedList<>();
 
-private long datetime;
+private String datetime;
+private String pattern;
 
 /**
  * Sets the files to be processed
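Review bot: changing `datetime` from `long` to `String` and adding a `pattern` that `execute()` requires is a silent contract change for any other build file that already calls this task with the old numeric attribute; either keep a default pattern or accept an all-digit value as epoch milliseconds so existing callers keep working, and document the attribute pair on the class.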
@@ -60,16 +64,29 @@ public class RepeatableArchive extends Task {
 }
 
 
-public void setDatetime(long datetime) {
+public void setDatetime(String datetime) {
 this.datetime = datetime;
 }
 
 
+public void setPattern(String pattern) {
+this.pattern = pattern;
+}
+
+
 @Override
 public void execute() throws BuildException {
 
+SimpleDateFormat sdf = new SimpleDateFormat(pattern);
+Date date;
+try {
+date = sdf.parse(datetime);
+} catch (ParseException e) {
+throw new BuildException(e);
+}
+
 byte[] buf = new byte[8192];
-FileTime lastModified = FileTime.fromMillis(datetime);
+FileTime lastModified = FileTime.fromMillis(date.getTime());
 
 for (FileSet fs : filesets) {
 DirectoryScanner ds = fs.getDirectoryScanner(getProject());
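Review bot: `new SimpleDateFormat(pattern)` uses the JVM default time zone and locale, so unless the pattern passed in from build.xml carries a zone designator, the same `datetime` string yields a different `lastModified` on build hosts in different zones, which defeats the purpose of a repeatable archive; call `sdf.setTimeZone(TimeZone.getTimeZone("UTC"))` (and construct with `Locale.ROOT`) before `sdf.parse(datetime)`. Two smaller points in the same block: `SimpleDateFormat` is lenient by default, so an out-of-range field such as month 13 is silently rolled over instead of rejected, and `setLenient(false)` would surface the typo; and neither `datetime` nor `pattern` is checked for null, so a missing attribute fails with a NullPointerException from the constructor rather than a `BuildException` naming the attribute.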

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
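What the RepeatableArchive task is for, as an added example in Python that is not part of Tomcat's build: the build timestamp is parsed with an explicit pattern and read as UTC, then applied to every zip entry, with entry order, creator system and permission bits fixed as well, so two builds of the same inputs give byte-identical archives on any host. The file contents and timestamp string below are constructed for the example.

```python
import calendar
import io
import time
import zipfile
from typing import Dict, List, Tuple

DateTime = Tuple[int, int, int, int, int, int]

# Constructed sample build output, not from any real build.
BUILD_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x37" + b"\x00" * 16,
    "README.txt": b"reproducible build demo\n",
}

BUILD_STAMP = "2022-03-24T16:19:09Z"      # constructed; value and pattern travel together
STAMP_PATTERN = "%Y-%m-%dT%H:%M:%SZ"


def parse_build_time(value: str, pattern: str) -> DateTime:
    """Parse the build timestamp with an explicit pattern. All fields are numeric
    and the trailing 'Z' is a literal, so the result does not depend on the build
    host's locale."""
    t = time.strptime(value, pattern)
    return (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def epoch_millis_utc(value: str, pattern: str) -> int:
    """The same instant as epoch milliseconds. calendar.timegm reads the struct
    as UTC; time.mktime would apply the host's local zone and give a different
    number on differently configured build machines."""
    return calendar.timegm(time.strptime(value, pattern)) * 1000


def build_archive(files: Dict[str, bytes], stamp: DateTime) -> bytes:
    """Write a zip whose entry order, timestamps, creator system and permission
    bits are all fixed, so identical inputs give identical bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):              # deterministic entry order
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.create_system = 3                # always "Unix", not host-dependent
            zi.external_attr = 0o644 << 16      # fixed permission bits
            zf.writestr(zi, files[name])
    return buf.getvalue()


def entry_names(archive: bytes) -> List[str]:
    """Entry names in archive order, for checking the result."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def archives_identical(files: Dict[str, bytes], stamp: DateTime) -> bool:
    """Build twice, the way two CI runs would, and compare the raw bytes."""
    return build_archive(files, stamp) == build_archive(files, stamp)


if __name__ == "__main__":
    stamp = parse_build_time(BUILD_STAMP, STAMP_PATTERN)
    print("identical across two builds:", archives_identical(BUILD_FILES, stamp))
```

Changing only the stamp changes the archive bytes, which is the point of pinning it: any byte in the output that depends on the wall clock or on the host, rather than on the inputs, is a byte a verifier cannot reproduce.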



[tomcat] branch 9.0.x updated: Fix build when ant.tstamp.now is not specified

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 5d0d5d8  Fix build when ant.tstamp.now is not specified
5d0d5d8 is described below

commit 5d0d5d80e2063c7eb250dedd1ef124379762ff5c
Author: Mark Thomas 
AuthorDate: Thu Mar 24 17:00:22 2022 +

Fix build when ant.tstamp.now is not specified
---
 build.xml  |  2 +-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 23 +++---
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/build.xml b/build.xml
index 78554c4..f922ee1 100644
--- a/build.xml
+++ b/build.xml
@@ -2822,7 +2822,7 @@ skip.installer property in build.properties" />
 
-
+
   
 
   
diff --git a/java/org/apache/tomcat/buildutil/RepeatableArchive.java 
b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
index 2997588..1348ee6 100644
--- a/java/org/apache/tomcat/buildutil/RepeatableArchive.java
+++ b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
@@ -23,6 +23,9 @@ import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.attribute.FileTime;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.LinkedList;
 import java.util.List;
@@ -48,7 +51,8 @@ public class RepeatableArchive extends Task {
 
 private final List filesets = new LinkedList<>();
 
-private long datetime;
+private String datetime;
+private String pattern;
 
 /**
  * Sets the files to be processed
@@ -60,16 +64,29 @@ public class RepeatableArchive extends Task {
 }
 
 
-public void setDatetime(long datetime) {
+public void setDatetime(String datetime) {
 this.datetime = datetime;
 }
 
 
+public void setPattern(String pattern) {
+this.pattern = pattern;
+}
+
+
 @Override
 public void execute() throws BuildException {
 
+SimpleDateFormat sdf = new SimpleDateFormat(pattern);
+Date date;
+try {
+date = sdf.parse(datetime);
+} catch (ParseException e) {
+throw new BuildException(e);
+}
+
 byte[] buf = new byte[8192];
-FileTime lastModified = FileTime.fromMillis(datetime);
+FileTime lastModified = FileTime.fromMillis(date.getTime());
 
 for (FileSet fs : filesets) {
 DirectoryScanner ds = fs.getDirectoryScanner(getProject());
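Review bot: as on the main branch commit of this change, `new SimpleDateFormat(pattern)` here takes the JVM default time zone and locale, so the same `datetime` string maps to different entry timestamps on build hosts in different zones unless the pattern carries a zone; set UTC explicitly and call `setLenient(false)` before `sdf.parse(datetime)`.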




[tomcat] branch 8.5.x updated: Fix build when ant.tstamp.now is not specified

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 9762d19  Fix build when ant.tstamp.now is not specified
9762d19 is described below

commit 9762d1980656772267128da09a452a4116322557
Author: Mark Thomas 
AuthorDate: Thu Mar 24 17:00:22 2022 +

Fix build when ant.tstamp.now is not specified
---
 build.xml  |  2 +-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 23 +++---
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/build.xml b/build.xml
index 4719bd0..1b3774a 100644
--- a/build.xml
+++ b/build.xml
@@ -2512,7 +2512,7 @@ skip.installer property in build.properties" />
 
-
+
   
 
   
diff --git a/java/org/apache/tomcat/buildutil/RepeatableArchive.java 
b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
index 2997588..1348ee6 100644
--- a/java/org/apache/tomcat/buildutil/RepeatableArchive.java
+++ b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
@@ -23,6 +23,9 @@ import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.attribute.FileTime;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.LinkedList;
 import java.util.List;
@@ -48,7 +51,8 @@ public class RepeatableArchive extends Task {
 
 private final List filesets = new LinkedList<>();
 
-private long datetime;
+private String datetime;
+private String pattern;
 
 /**
  * Sets the files to be processed
@@ -60,16 +64,29 @@ public class RepeatableArchive extends Task {
 }
 
 
-public void setDatetime(long datetime) {
+public void setDatetime(String datetime) {
 this.datetime = datetime;
 }
 
 
+public void setPattern(String pattern) {
+this.pattern = pattern;
+}
+
+
 @Override
 public void execute() throws BuildException {
 
+SimpleDateFormat sdf = new SimpleDateFormat(pattern);
+Date date;
+try {
+date = sdf.parse(datetime);
+} catch (ParseException e) {
+throw new BuildException(e);
+}
+
 byte[] buf = new byte[8192];
-FileTime lastModified = FileTime.fromMillis(datetime);
+FileTime lastModified = FileTime.fromMillis(date.getTime());
 
 for (FileSet fs : filesets) {
 DirectoryScanner ds = fs.getDirectoryScanner(getProject());
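Review bot: same backport, same gap as on main: the parse in this block is time-zone and locale dependent and lenient, and a null `datetime` or `pattern` surfaces as a NullPointerException rather than a `BuildException`; pin UTC, disable leniency and validate both attributes up front.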




[tomcat] branch 10.0.x updated: Fix build when ant.tstamp.now is not specified

2022-03-24 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 986d898  Fix build when ant.tstamp.now is not specified
986d898 is described below

commit 986d898d6e3dfc3f3bd0d0762a4380b7c65b419a
Author: Mark Thomas 
AuthorDate: Thu Mar 24 17:00:22 2022 +

Fix build when ant.tstamp.now is not specified
---
 build.xml  |  2 +-
 .../apache/tomcat/buildutil/RepeatableArchive.java | 23 +++---
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/build.xml b/build.xml
index 0564170..855e05d 100644
--- a/build.xml
+++ b/build.xml
@@ -2840,7 +2840,7 @@ skip.installer property in build.properties" />
 
-
+
   
 
   
diff --git a/java/org/apache/tomcat/buildutil/RepeatableArchive.java 
b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
index 2997588..1348ee6 100644
--- a/java/org/apache/tomcat/buildutil/RepeatableArchive.java
+++ b/java/org/apache/tomcat/buildutil/RepeatableArchive.java
@@ -23,6 +23,9 @@ import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.attribute.FileTime;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.LinkedList;
 import java.util.List;
@@ -48,7 +51,8 @@ public class RepeatableArchive extends Task {
 
 private final List filesets = new LinkedList<>();
 
-private long datetime;
+private String datetime;
+private String pattern;
 
 /**
  * Sets the files to be processed
@@ -60,16 +64,29 @@ public class RepeatableArchive extends Task {
 }
 
 
-public void setDatetime(long datetime) {
+public void setDatetime(String datetime) {
 this.datetime = datetime;
 }
 
 
+public void setPattern(String pattern) {
+this.pattern = pattern;
+}
+
+
 @Override
 public void execute() throws BuildException {
 
+SimpleDateFormat sdf = new SimpleDateFormat(pattern);
+Date date;
+try {
+date = sdf.parse(datetime);
+} catch (ParseException e) {
+throw new BuildException(e);
+}
+
 byte[] buf = new byte[8192];
-FileTime lastModified = FileTime.fromMillis(datetime);
+FileTime lastModified = FileTime.fromMillis(date.getTime());
 
 for (FileSet fs : filesets) {
 DirectoryScanner ds = fs.getDirectoryScanner(getProject());
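Review bot: identical to the main branch hunk, so the same fix applies: give the `SimpleDateFormat` an explicit UTC zone (and `Locale.ROOT`) before `sdf.parse(datetime)`, otherwise the archive timestamp, and with it the archive bytes, varies with the build host's zone.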
