On 06/05/2015 15:48, Mark Thomas wrote: > On 06/05/2015 15:26, Konstantin Kolinko wrote: >> 2015-05-06 15:36 GMT+03:00 <ma...@apache.org>: >>> Author: markt >>> Date: Wed May 6 12:36:50 2015 >>> New Revision: 1677971 >>> >>> URL: http://svn.apache.org/r1677971 >>> Log: >>> Use the truststoreProvider rather than the keystoreProvider for the trust >>> manager >>> >>> Modified: >>> tomcat/tc7.0.x/trunk/ (props changed) >>> >>> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java >>> tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml >> >> >>> Modified: >>> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java >>> URL: >>> http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1677971&r1=1677970&r2=1677971&view=diff >>> ============================================================================== >>> --- >>> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java >>> (original) >>> +++ >>> tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java >>> Wed May 6 12:36:50 2015 >>> @@ -545,8 +545,7 @@ public class JSSESocketFactory implement >>> algorithm = TrustManagerFactory.getDefaultAlgorithm(); >>> } >>> >>> - return getTrustManagers(truststoreType, >>> endpoint.getKeystoreProvider(), >>> - algorithm); >>> + return getTrustManagers(truststoreType, >>> endpoint.getTruststoreProvider(), algorithm); >>> } >>> >>> @Override >>> >>> Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml >>> URL: >>> http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1677971&r1=1677970&r2=1677971&view=diff >>> ============================================================================== >>> --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) >>> +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed May 6 12:36:50 2015 
>>> @@ -128,6 +128,12 @@ >>> <bug>57837</bug>: Add <code>text/css</code> to the default list of >>> compressable MIME types. (markt) >>> </fix> >>> + <fix> >>> + For the JSSE based TLS connectors, use the >>> + <code>truststoreProvider</code> rather than the >>> + <code>keystoreProvider</code> when creating the >>> + <code>TrustManager</code>s. (markt) >>> + </fix> >>> </changelog> >>> </subsection> >>> <subsection name="Jasper"> >> >> >> Hi! >> >> I voted for TC 6 backport of this revision, but on further review >> there are two problems: >> >> 1. In other place that calls endpoint.getTruststoreProvider() -- >> JSSESocketFactory.getTrustStore() -- there is some logic to fallback >> to getKeystoreProvider(). It also consults a system property. >> >> If we call endpoint.getTruststoreProvider() directly then there is no >> such fallback logic. > > I'll look at fixing that. > >> 2. The patch is not applicable to Tomcat 6 as is, as its endpoint >> classes do not have "getTruststoreProvider()" method. >> >> Searching for "truststoreProvider" I see that documentation mentions >> such option in config/http.xml, and the code in >> JSSESocketFactory.getTrustStore() does >> >> String truststoreProvider = >> (String)attributes.get("truststoreProvider"); >> >> instead of using a getter method. > > Once I fix the first issue, I'll put together a specific 6.0.x patch.
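Review bot: In the JSSESocketFactory.java hunk, the new call passes endpoint.getTruststoreProvider() straight to getTrustManagers() with no handling for the case where no truststoreProvider is configured. A connector that sets only keystoreProvider previously had that provider passed here and now gets whatever the getter returns when the attribute is unset. The review in this thread notes that JSSESocketFactory.getTrustStore() falls back to getKeystoreProvider() and consults a system property; suggest resolving the provider once through that same logic and passing the result here, so both call sites resolve the provider the same way.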
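Review bot: The changelog.xml entry does not say what applies when truststoreProvider is not set. Since the change alters which provider is passed for connectors that configure only keystoreProvider, suggest stating the behaviour for an unset truststoreProvider in the entry.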
Looking at this again, I don't think the original patch was correct. I need to spend some more time on this.

Mark