This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 4ebb394b0e Second part of fix for BZ 69988 - PHA with JSSE style trust
4ebb394b0e is described below
commit 4ebb394b0e9d0757bbfe81559a14254a127ceeb7
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Jun 11 16:34:28 2026 +0100
Second part of fix for BZ 69988 - PHA with JSSE style trust
---
java/org/apache/tomcat/jni/SSL.java | 2 ++
java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java | 2 ++
2 files changed, 4 insertions(+)
diff --git a/java/org/apache/tomcat/jni/SSL.java
b/java/org/apache/tomcat/jni/SSL.java
index 11b345b5ee..8753beb09c 100644
--- a/java/org/apache/tomcat/jni/SSL.java
+++ b/java/org/apache/tomcat/jni/SSL.java
@@ -975,6 +975,8 @@ public final class SSL {
*/
public static native int getPostHandshakeAuthInProgress(long ssl);
+ public static native void markPostHandshakeAuthComplete(long ssl);
+
/**
* SSL_in_init.
*
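Review bot: The new `markPostHandshakeAuthComplete(long ssl)` declaration has no Javadoc, although the neighbouring natives (`getPostHandshakeAuthInProgress` above, `SSL_in_init` below) are documented. Suggest a comment along the lines of `/** Marks post-handshake authentication as complete for the connection. @param ssl the SSL instance (SSL *) */`, plus a sentence on when callers must invoke it. Because the method is `native`, it presumably needs a matching export in the native library. If so, the minimum library version should be documented or checked, since a missing symbol would likely only surface on first call.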
diff --git
a/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
index eee2978b48..d2d0b0e416 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLCertificateVerifier.java
@@ -23,6 +23,7 @@ import javax.net.ssl.X509TrustManager;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.jni.CertificateVerifier;
+import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -49,6 +50,7 @@ public class OpenSSLCertificateVerifier implements
CertificateVerifier {
X509Certificate[] peerCerts = certificates(chain);
try {
x509TrustManager.checkClientTrusted(peerCerts, auth);
+ SSL.markPostHandshakeAuthComplete(ssl);
return true;
} catch (Exception e) {
if (log.isDebugEnabled()) {
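Review bot: `SSL.markPostHandshakeAuthComplete(ssl)` is placed inside the `try` that guards `checkClientTrusted`, so failures of the native call get mixed into the trust decision. A runtime exception from it would be handled by the existing `catch (Exception e)` as if the client certificate had been rejected. An `UnsatisfiedLinkError` from a native library lacking the symbol is an `Error`, so it would bypass that catch and propagate out of the verifier callback. Consider making the native call after the `try` once trust has been established, or guarding it with a capability check, and add a comment such as `// Trust decided by the JSSE trust manager; tell the native layer PHA has finished`. The call also runs on every successful verification rather than only during post-handshake auth, which is worth confirming as intended; the method and its catch block continue outside the hunk.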