This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new e33b8b265c Fix BZ 69988 - post handshake authentication for TLS 1.3
e33b8b265c is described below
commit e33b8b265c443e0807ef767fa61cbf1698455e66
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Jun 11 15:16:47 2026 +0100
Fix BZ 69988 - post handshake authentication for TLS 1.3
The OpenSSL change that broke it was:
https://github.com/openssl/openssl/commit/4af5836b
---
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 8 ++++++--
webapps/docs/changelog.xml | 4 ++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 96cb5ceeee..5f8b88ae0f 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -933,8 +933,10 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
int code;
if (SSL.getVersion(state.ssl).equals(Constants.SSL_PROTO_TLSv1_3)) {
code = SSL.verifyClientPostHandshake(state.ssl);
+ currentHandshake = SSL.getHandshakeCount(state.ssl) - 1;
} else {
code = SSL.renegotiate(state.ssl);
+ currentHandshake = SSL.getHandshakeCount(state.ssl);
}
if (code <= 0) {
checkLastError();
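Review bot: The `- 1` on the TLS 1.3 branch is load-bearing but unexplained where it is applied; the rationale lives only in the block comment roughly 80 lines further down, so a reader of this method sees what looks like an off-by-one adjustment. A one-line comment at the assignment, e.g. `// PHA does not increment the handshake count; start one below it so the completion check sees an increase`, would keep the intent local. Note also that both new assignments run before the `code <= 0` check, whereas the line removed in the second hunk set `currentHandshake` only after that check; if `checkLastError()` can return normally on a non-positive code, `currentHandshake` is now left modified on the failure path, which is probably harmless but worth confirming. The enclosing method starts and ends outside this hunk.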
@@ -942,7 +944,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
handshakeFinished = false;
peerCerts = null;
x509PeerCerts = null;
- currentHandshake = SSL.getHandshakeCount(state.ssl);
int code2 = SSL.doHandshake(state.ssl);
if (code2 <= 0) {
checkLastError();
@@ -1019,7 +1020,10 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
/*
* Tomcat Native stores a count of the completed handshakes in the
SSL instance and increments it every time
* a handshake is completed. Comparing the handshake count when
the handshake started to the current
- * handshake count enables this code to detect when the handshake
has completed.
+ * handshake count enables this code to detect when the handshake
has completed. Post handshake
+ * authentication DOES NOT increase this count. See
https://github.com/openssl/openssl/commit/4af5836b
+ * For PHA Tomcat manipulates the handshake count so it appears to
the check below that the count has
+ * increased.
*
* Obtaining client certificates after the connection has been
established requires additional checks. We
* need to trigger additional reads until the certificates have
been read, but we don't know how many reads
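Review bot: The new comment text says "Tomcat manipulates the handshake count", but the code in the first hunk does not touch the count held by Tomcat Native; it sets the baseline `currentHandshake` one below the current count for the PHA case. Suggest rewording to match, e.g. `* For PHA Tomcat sets currentHandshake one below the current count so the check below sees an increase.`, so a maintainer does not go looking for a write to the native counter. The enclosing method starts and ends outside this hunk.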
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e5a723c496..06bd9750d5 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -350,6 +350,10 @@
<bug>70102</bug>: Correct expected size of ticket keys when calling
<code>setSessionTicketKeys</code> with an FFM connector. (markt)
</fix>
+ <fix>
+ <bug>69988</bug>: Fix post handshake authentication for TLS 1.3. It was
+ broken by a breaking change in OpenSSL between 1.1.1 and 3.0.0. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">