This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new a5d126c Fix BZ 65848 Revert attempt to align behaviour as root cause was config a5d126c is described below commit a5d126c6f36f0bac24b05925e4b011ff71d1b7f2 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Feb 2 12:16:43 2022 +0000 Fix BZ 65848 Revert attempt to align behaviour as root cause was config https://bz.apache.org/bugzilla/show_bug.cgi?id=65848
---
 .../apache/tomcat/util/net/openssl/OpenSSLContext.java | 18 ++++--------------
 webapps/docs/changelog.xml | 10 ++++++++++
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 72fc840..6d98744 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -384,20 +384,10 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 }
 }
 } else {
- if (sslHostConfig.getCaCertificateFile() == null && sslHostConfig.getCaCertificatePath() == null) {
- // No CA certificates configured. Reject all client certificates.
- SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {
- @Override
- public boolean verify(long ssl, byte[][] chain, String auth) {
- return false;
- }
- });
- } else {
- // Client certificate verification based on trusted CA files and dirs
- SSLContext.setCACertificate(ctx,
- SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
- SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
- }
+ // Client certificate verification based on trusted CA files and dirs
+ SSLContext.setCACertificate(ctx,
+ SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
+ SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
 }
 if (negotiableProtocols != null && negotiableProtocols.size() > 0) {
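Review bot: After this revert the `else` branch calls `SSLContext.setCACertificate(...)` even when `sslHostConfig.getCaCertificateFile()` and `sslHostConfig.getCaCertificatePath()` are both null, and nothing at the call site says which trust anchors then apply to client certificates. The removed branch failed closed in that case, whereas the new code leaves the outcome to the native call and the platform's configuration, which the changelog entry names as the source of the original discrepancy. I would keep the simpler code but document it at the call, e.g. `// If neither caCertificateFile nor caCertificatePath is configured, no Tomcat-supplied CA is loaded here; which client certificates verify then depends on the OpenSSL defaults.`, and consider logging a warning when client certificate verification is enabled with no CA configured. The enclosing method and the `if` this `else` belongs to start outside the hunk, so whether an earlier check already covers this case cannot be confirmed from here.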
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6519ee6..2206c12 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,16 @@
 </add>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>65848</bug>: Revert the change that attempted to align the
+ behaviour of client certificate authentication with NIO or NIO2 with
+ OpenSSL for TLS between MacOS and Linux/Windows as the root cause was
+ traced to configuration differences. (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Web applications">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org