This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 7b41d6e Try to process certificates using JSSE before OpenSSL
7b41d6e is described below
commit 7b41d6edaf1f37c8741a06b1ac496e7faa8d1863
Author: remm <r...@apache.org>
AuthorDate: Thu Mar 7 15:02:00 2019 +0100
Try to process certificates using JSSE before OpenSSL
Add logging if there is a key manager issue at info level (also with the exception if at debug level). For example the issue occurred with a test config with a PKCS1 private key (so pretty old) which couldn't be processed with the JSSE code. Although valid, the user could probably update to something more modern and the message gives a hint.
---
 .../tomcat/util/net/openssl/LocalStrings.properties | 1 +
 .../apache/tomcat/util/net/openssl/OpenSSLUtil.java | 19 ++++++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index ff294c6..1dca2b5 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -50,6 +50,7 @@ openssl.errMakeConf=Could not create OpenSSLConf context
 openssl.errorSSLCtxInit=Error initializing SSL context
 openssl.keyManagerMissing=No key manager found
 openssl.makeConf=Creating OpenSSLConf context
+openssl.nonJsseCertficate=The certificate [{0}] or its private key [{1}] could not be processed using a JSSE key manager and will be given directly to OpenSSL
 openssl.trustManagerMissing=No trust manager found
 opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}])
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 514aef2..6878deb 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
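Review bot: The new message key openssl.nonJsseCertficate is misspelled (Certficate, missing the i), and the same spelling is used by the sm.getString lookup in the OpenSSLUtil.java hunk, so it resolves today but a later lookup written with the natural spelling would silently get the missing-resource fallback instead of this message. Renaming the key to `openssl.nonJsseCertificate` in both files is cheap now and gets harder once other call sites or translations copy it. The message text itself is good: it names both files and says what will happen next, which is exactly what an operator seeing an info line at startup needs.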
@@ -16,6 +16,7 @@
 */
 package org.apache.tomcat.util.net.openssl;
+import java.security.KeyStoreException;
 import java.util.List;
 import java.util.Set;
@@ -99,10 +100,22 @@ public class OpenSSLUtil extends SSLUtilBase {
 @Override
 public KeyManager[] getKeyManagers() throws Exception {
- if (certificate.getCertificateFile() == null) {
+ try {
 return super.getKeyManagers();
- } else {
- return null;
+ } catch (KeyStoreException e) {
+ if (certificate.getCertificateFile() != null) {
+ if (log.isDebugEnabled()) {
+ log.info(sm.getString("openssl.nonJsseCertficate",
+ certificate.getCertificateFile(), certificate.getCertificateKeyFile()), e);
+ } else {
+ log.info(sm.getString("openssl.nonJsseCertficate",
+ certificate.getCertificateFile(), certificate.getCertificateKeyFile()));
+ }
+ // Assume JSSE processing of the certificate failed, try again with OpenSSL
+ // without a key manager
+ return null;
+ }
+ throw e;
 }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
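Review bot: The fallback to OpenSSL in getKeyManagers() is now taken only when super.getKeyManagers() throws KeyStoreException, whereas the removed branch returned null for every configuration that set a certificateFile; a PEM configuration whose JSSE processing fails with some other exception type (SSLUtilBase.getKeyManagers() is outside this hunk, so which types it can surface is an assumption on my part) would now abort connector start instead of being handed to OpenSSL as before. Confirm that exception surface, or widen the catch if the intent is that any JSSE failure on a PEM certificate falls back, keeping the certificate.getCertificateFile() != null guard so a plain keystore misconfiguration still fails loudly. The two log.info calls differ only in the throwable argument; building the message once, `String msg = sm.getString("openssl.nonJsseCertficate", certificate.getCertificateFile(), certificate.getCertificateKeyFile());`, and keeping the if/else on log.isDebugEnabled() around `log.info(msg, e)` / `log.info(msg)` removes the duplication. The `// Assume JSSE processing of the certificate failed` comment would be easier to trace later if it also named which caller consumes the null and loads the files itself, since that handover is not visible from this method.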