This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new e910089c76 Fix BZ 69988 - post handshake authentication for TLS 1.3
e910089c76 is described below

commit e910089c76a432de0ee613d33479b5ff239f7f16
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Jun 11 15:16:47 2026 +0100

    Fix BZ 69988 - post handshake authentication for TLS 1.3
    
    The OpenSSL change that broke it was:
    https://github.com/openssl/openssl/commit/4af5836b
---
 java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 8 ++++++--
 webapps/docs/changelog.xml                                 | 4 ++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java 
b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 585a466264..7ab9536b01 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -940,8 +940,10 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
         int code;
         if (SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3)) {
             code = SSL.verifyClientPostHandshake(ssl);
+            currentHandshake = SSL.getHandshakeCount(ssl) - 1;
         } else {
             code = SSL.renegotiate(ssl);
+            currentHandshake = SSL.getHandshakeCount(ssl);
         }
         if (code <= 0) {
             checkLastError();
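Review bot: The new `currentHandshake = SSL.getHandshakeCount(ssl) - 1;` on the TLS 1.3 branch runs before the `if (code <= 0)` / `checkLastError()` check that closes the hunk, so a rejected PHA request leaves the baseline one below the real count when `checkLastError()` throws, whereas the pre-patch code only recorded `currentHandshake` after that check succeeded. If anything that later compares the handshake count against this field runs on the same engine (the completion check this diff refers to is outside the hunk), it would see a phantom completed handshake; I cannot tell from here whether the engine is still used after the throw. Computing the baseline once, after the failure check, avoids the question, and a named boolean makes the intent of the `- 1` clearer than the bare arithmetic. The enclosing method starts before this hunk and continues past it.
```java
        boolean postHandshakeAuth = SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3);
        int code = postHandshakeAuth ? SSL.verifyClientPostHandshake(ssl) : SSL.renegotiate(ssl);
        if (code <= 0) {
            checkLastError();
        }
        // Record the baseline only once the request succeeded. PHA does not bump the
        // native handshake count, so start one below it to make the completion check fire.
        currentHandshake = SSL.getHandshakeCount(ssl) - (postHandshakeAuth ? 1 : 0);
        // … unchanged: handshakeFinished / peerCerts reset and SSL.doHandshake(ssl) …
```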
@@ -949,7 +951,6 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
         handshakeFinished = false;
         peerCerts = null;
         x509PeerCerts = null;
-        currentHandshake = SSL.getHandshakeCount(ssl);
         int code2 = SSL.doHandshake(ssl);
         if (code2 <= 0) {
             checkLastError();
@@ -1026,7 +1027,10 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
             /*
              * Tomcat Native stores a count of the completed handshakes in the 
SSL instance and increments it every time
              * a handshake is completed. Comparing the handshake count when 
the handshake started to the current
-             * handshake count enables this code to detect when the handshake 
has completed.
+             * handshake count enables this code to detect when the handshake 
has completed. Post handshake
+             * authentication DOES NOT increase this count. See 
https://github.com/openssl/openssl/commit/4af5836b
+             * For PHA Tomcat manipulates the handshake count so it appears to 
the check below that the count has
+             * increased.
              *
              * Obtaining client certificates after the connection has been 
established requires additional checks. We
              * need to trigger additional reads until the certificates have 
been read, but we don't know how many reads
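Review bot: The added sentence `For PHA Tomcat manipulates the handshake count so it appears to the check below that the count has increased.` reads as if the count stored in the SSL instance is altered, but the change at line 940 only lowers the saved `currentHandshake` baseline by one and leaves the native count untouched. Suggest `For PHA, Tomcat records currentHandshake as one less than the current count, so the check below sees an increase as soon as doHandshake() returns.` Because that makes the count comparison pass immediately for PHA, the comment should also say that for PHA completion is then detected only by the additional certificate reads described in the next sentences, and what happens if the client declines to send a certificate; neither is visible in this hunk.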
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 67d1f2a1d7..94d1863421 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -346,6 +346,10 @@
         <bug>70102</bug>: Correct expected size of ticket keys when calling
         <code>setSessionTicketKeys</code> with an FFM connector. (markt)
       </fix>
+      <fix>
+        <bug>69988</bug>: Fix post handshake authentication for TLS 1.3. It was
+        broken by a breaking change in OpenSSL between 1.1.1 and 3.0.0. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

