michael-o opened a new pull request, #672:
URL: https://github.com/apache/tomcat/pull/672
NOTE: Disregard the `[TEMPORARY]` commits; they are for testing purposes
only and will *not* be merged.
Test matrix:
* OpenSSL: 1.1.1, 3.0
* Tomcat Native: 1.2, 2.0
* OS: Windows, HP-UX, FreeBSD
* Java versions: 8, 11, 21
* Combinations:
  * NIO + JSSE + PEM
  * NIO + JSSE + Keystore
  * NIO + OpenSSL + PEM
  * NIO + OpenSSL + Keystore
  * APR + OpenSSL + PEM
  * APR + OpenSSL + Keystore
* Password file combinations:
  * valid password (`key-password`/`keystore-password`)
  * non-existing file (`non-existing-password`)
  * unreadable file (`key-perm-password`/`keystore-perm-password`)
  * empty file (`empty-password`)
  * invalid password (`invalid-password`)
  * multiple lines (`key-multi-password`/`keystore-multi-password`)
* Certificates: self-signed and issued by our enterprise CA system
`server.xml` snippet:
```
<Connector port="20001" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig caCertificateFile="conf/cacerts.crt">
    <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
                 certificateKeyPasswordFile="conf/certs-localhost/key-password"
                 certificateFile="conf/certs-localhost/cert.crt"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
<Connector port="20002" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig>
    <Certificate
        certificateKeystoreFile="conf/certs-localhost/keystore.p12"
        certificateKeystorePasswordFile="conf/certs-localhost/keystore-password"
        certificateKeyAlias="localhost"
        type="RSA" />
  </SSLHostConfig>
</Connector>
<Connector port="20003" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig caCertificateFile="conf/cacerts.crt">
    <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
                 certificateKeyPasswordFile="conf/certs-localhost/key-password"
                 certificateFile="conf/certs-localhost/cert.crt"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
<Connector port="20004" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig>
    <Certificate
        certificateKeystoreFile="conf/certs-localhost/keystore.p12"
        certificateKeystorePasswordFile="conf/certs-localhost/keystore-password"
        certificateKeyAlias="localhost"
        type="RSA" />
  </SSLHostConfig>
</Connector>
<Connector port="30001" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
  <SSLHostConfig caCertificateFile="conf/cacerts.crt">
    <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
                 certificateKeyPasswordFile="conf/certs-localhost/key-password"
                 certificateFile="conf/certs-localhost/cert.crt"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
<Connector port="30002" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
  <SSLHostConfig>
    <Certificate
        certificateKeystoreFile="conf/certs-localhost/keystore.p12"
        certificateKeystorePasswordFile="conf/certs-localhost/keystore-password"
        certificateKeyAlias="localhost"
        type="RSA" />
  </SSLHostConfig>
</Connector>
```
This has also been tried with:
```
<Listener
    className="org.apache.catalina.security.TLSCertificateReloadListener" />
```
It plays very nicely with the reloader and you can now swap everything:
key, cert *and* password, as likely required by many. Full automation, if
desired.
I have tried all of the above combinations to the extent they are
available/possible. It just worked with positive and negative cases.
Found issues:
* https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
* https://bz.apache.org/bugzilla/show_bug.cgi?id=67666
* https://bz.apache.org/bugzilla/show_bug.cgi?id=67628
* https://bz.apache.org/bugzilla/show_bug.cgi?id=67609
Important: First https://github.com/apache/tomcat-native/pull/20 needs to be
merged and released, then Tomcat branches synched and then this can be merged.
Appropriate, ready-to-merge branches exist for all active versions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
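The password-file cases in the test matrix above (valid, non-existing, unreadable, empty, multi-line) are the failure modes any reader of a `certificateKeyPasswordFile`/`certificateKeystorePasswordFile` has to handle. The following is an added example, not Tomcat's own implementation and not code from this pull request; it assumes the first line of the file is the password (extra lines are ignored with a warning), that every failure case is reported as an `IOException` rather than silently yielding an empty password, and it adds a defensive POSIX permission check so that a key password file readable by other accounts is flagged. The class name `PasswordFileReader` and the file names written in `main` are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical reader for a one-line key/keystore password file.
 * Covers the matrix cases: valid, non-existing, unreadable, empty, multi-line.
 * This is illustrative code, not Tomcat's implementation.
 */
public final class PasswordFileReader {

    private PasswordFileReader() {}

    /** Returns the first line of the file as the password; every failure case is an IOException. */
    public static String read(Path file) throws IOException {
        List<String> lines;
        try {
            lines = Files.readAllLines(file, StandardCharsets.UTF_8);
        } catch (NoSuchFileException e) {
            throw new IOException("password file does not exist: " + file, e);
        } catch (AccessDeniedException e) {
            throw new IOException("password file is not readable: " + file, e);
        }
        // An empty file (or an empty first line) must not turn into an empty password.
        if (lines.isEmpty() || lines.get(0).isEmpty()) {
            throw new IOException("password file is empty: " + file);
        }
        if (lines.size() > 1) {
            // Assumption for this example: only the first line is the password; the rest is ignored.
            System.err.println("WARN: " + file + " has " + lines.size() + " lines; using only the first");
        }
        warnIfGroupOrWorldReadable(file);
        return lines.get(0);
    }

    /** Defensive check: a key password should not be readable by other accounts. POSIX only. */
    static void warnIfGroupOrWorldReadable(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                System.err.println("WARN: " + file + " is readable by group or others: " + perms);
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): no mode bits to inspect here.
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("pw-matrix");
        // Constructed sample files, named after the matrix entries.
        Files.write(dir.resolve("key-password"), Arrays.asList("changeit"), StandardCharsets.UTF_8);
        Files.write(dir.resolve("empty-password"), Collections.<String>emptyList(), StandardCharsets.UTF_8);
        Files.write(dir.resolve("key-multi-password"), Arrays.asList("changeit", "second line"),
                StandardCharsets.UTF_8);
        Path unreadable = dir.resolve("key-perm-password");
        Files.write(unreadable, Arrays.asList("changeit"), StandardCharsets.UTF_8);
        try {
            // Strip all permission bits; has no effect on Windows or when running as root.
            Files.setPosixFilePermissions(unreadable, Collections.<PosixFilePermission>emptySet());
        } catch (UnsupportedOperationException e) {
            // Cannot simulate the unreadable case on a non-POSIX file system.
        }

        String[] cases = {"key-password", "key-multi-password", "empty-password",
                "key-perm-password", "non-existing-password"};
        for (String name : cases) {
            try {
                String pw = read(dir.resolve(name));
                System.out.println(name + ": OK (" + pw.length() + " chars)");
            } catch (IOException e) {
                System.out.println(name + ": FAIL - " + e.getMessage());
            }
        }
    }
}
```

Run with `java PasswordFileReader.java` (Java 11+) or compile first on Java 8. Only `key-password` and `key-multi-password` succeed; the empty, unreadable and non-existing files each fail with a distinct message, which is the behaviour you want to see in the Tomcat log when a rotated password file is broken rather than a TLS handshake failing later with an opaque "bad decrypt".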