tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 61394] NIO/NIO2 + OpenSSL renegotiation doesn't send list of CAs to user agent
Date Wed, 09 Aug 2017 10:07:53 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=61394

--- Comment #3 from Rainer Jung <rainer.jung@kippdata.de> ---
OK, so the problem is only occurring if JSSE style config is used?

And the attempt would be to read CA certs from the configured truststore, pass
them as raw data to a new method setCACertificateRaw(), whose native impl
converts them to OpenSSL X509 analogous to setCertificateRaw() and passes the
result directly to OpenSSL via SSL_CTX_set_client_CA_list().

Is that what you expect?

I might give it an attempt this evening.

Note that our docs say:

###################
trustManagerClassName   

JSSE only.

The name of a custom trust manager class to use to validate client
certificates. The class must have a zero argument constructor and must also
implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust
store attributes may be ignored.
###################

So retrieving CA certs from a configured trust store might give wrong results
if, e.g., a custom trust manager gets used and a trust store is configured that
the trust manager would not use, but that we would still use to feed OpenSSL. One
could argue that would be a configuration issue, but at least the docs ("may be
ignored") would be open to interpretation then.

Regards,

Rainer

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
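The two candidate sources of the CA list discussed in the comment above, as an added example that is not Tomcat or tomcat-native code: asking the X509TrustManager that is actually in use for its getAcceptedIssuers(), versus walking the configured trust store directly. The example loads the JDK's own cacerts file as realistic offline input (assumed at $JAVA_HOME/lib/security/cacerts with the default password "changeit"), and includes a deliberately store-ignoring custom trust manager to show the mismatch the comment warns about. The name setCACertificateRaw() is the proposal from the comment, not an existing API; the DER bytes collected here are what such a native method would parse with d2i_X509(). Note that OpenSSL's SSL_CTX_set_client_CA_list() takes a STACK_OF(X509_NAME), so only the subject names reach the client in the CertificateRequest; the full certificate is needed just long enough to extract that name.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Tomcat / tomcat-native code). Collects the CA certificates
 * to advertise to the client as DER bytes from two sources so they can be
 * compared: the trust manager in use, and the raw trust store.
 */
public class ClientCaList {

    /** Preferred source: the trust manager that will validate client certs. */
    public static List<byte[]> fromTrustManager(X509TrustManager tm) throws Exception {
        List<byte[]> ders = new ArrayList<>();
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            // getEncoded() yields DER, the form a hypothetical native
            // setCACertificateRaw() would hand to d2i_X509() before taking
            // X509_get_subject_name() for SSL_CTX_set_client_CA_list().
            ders.add(ca.getEncoded());
        }
        return ders;
    }

    /** Alternative from the comment: read every certificate entry of the store. */
    public static List<byte[]> fromTrustStore(KeyStore ks) throws Exception {
        List<byte[]> ders = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue; // skip key entries
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) ders.add(c.getEncoded());
        }
        return ders;
    }

    /** The default (PKIX) trust manager built from a store: the JSSE-style path. */
    public static X509TrustManager defaultTrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * A stand-in for a custom trustManagerClassName implementation that ignores
     * the configured store entirely (constructed for this example). Feeding
     * OpenSSL from the store would then advertise CAs this manager never accepts.
     */
    public static final class StoreIgnoringTrustManager implements X509TrustManager {
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {}
    }

    public static void main(String[] args) throws Exception {
        // Realistic offline input: the JDK's bundled cacerts (assumed location/password).
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, "changeit".toCharArray());
        }

        List<byte[]> fromStore = fromTrustStore(ks);
        List<byte[]> fromPkix = fromTrustManager(defaultTrustManager(ks));
        List<byte[]> fromCustom = fromTrustManager(new StoreIgnoringTrustManager());

        System.out.println("trust store entries      : " + fromStore.size());
        System.out.println("PKIX accepted issuers    : " + fromPkix.size());
        System.out.println("custom accepted issuers  : " + fromCustom.size());

        // Only the subject names go on the wire; show what the client would see.
        X509TrustManager tm = defaultTrustManager(ks);
        int shown = 0;
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            if (shown++ == 3) break;
            System.out.println("  CA DN: " + ca.getSubjectX500Principal().getName());
        }
    }
}
```

With the default trust manager, the store walk and getAcceptedIssuers() agree; with the store-ignoring custom manager they diverge (many entries versus zero), which is exactly the case where sourcing the OpenSSL CA list from the store instead of from the trust manager would advertise issuers the server will not actually accept.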

