From: markt Date: Thu, 5 Aug 2010 15:50:50 +0000 (+0000) Subject: Extend fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48545 to aid back... X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=596e0f476aefdc82aa5369b8c5563336df2a8a73;p=tomcat7.0 Extend fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48545 to aid back-port to 6.0.x by better aligning behaviours git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@982669 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
index 34941558c..d961284c4 100644
--- a/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+++ b/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
@@ -28,6 +28,7 @@ import java.net.Socket;
 import java.net.SocketException;
 import java.security.KeyStore;
 import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CRL;
 import java.security.cert.CRLException;
 import java.security.cert.CertPathParameters;
@@ -60,18 +61,12 @@ import javax.net.ssl.X509KeyManager;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.res.StringManager;
-/*
- 1. Make the JSSE's jars available, either as an installed
- extension (copy them into jre/lib/ext) or by adding
- them to the Tomcat classpath.
- 2. keytool -genkey -alias tomcat -keyalg RSA
- Use "changeit" as password ( this is the default we use )
- */
-
 /**
- * SSL server socket factory. It _requires_ a valid RSA key and
- * JSSE.
- *
+ * SSL server socket factory. It requires a valid RSA key and
+ * JSSE.
+ * keytool -genkey -alias tomcat -keyalg RSA
+ * Use "changeit" as password (this is the default we use).
+ *
 * @author Harish Prabandham
 * @author Costin Manolache
 * @author Stefan Freyr Stefansson
@@ -342,8 +337,23 @@ public class JSSESocketFactory
 }
 if (truststoreFile != null){
- trustStore = getStore(truststoreType, truststoreProvider,
- truststoreFile, truststorePassword);
+ try {
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, truststorePassword);
+ } catch (IOException ioe) {
+ Throwable cause = ioe.getCause();
+ if (cause instanceof UnrecoverableKeyException) {
+ // Log a warning we had a password issue
+ log.warn(sm.getString("jsse.invalid_truststore_password"),
+ cause);
+ // Re-try
+ trustStore = getStore(truststoreType, truststoreProvider,
+ truststoreFile, null);
+ } else {
+ // Something else went wrong - re-throw
+ throw ioe;
+ }
+ }
 }
 return trustStore;
@@ -374,7 +384,7 @@ public class JSSESocketFactory
 }
 char[] storePass = null;
- if (pass != null) {
+ if (pass != null && !"".equals(pass)) {
 storePass = pass.toCharArray();
 }
 ks.load(istream, storePass);
@@ -383,9 +393,9 @@ public class JSSESocketFactory
 fnfe.getMessage()), fnfe);
 throw fnfe;
 } catch (IOException ioe) {
- log.error(sm.getString("jsse.keystore_load_failed", type, path,
- ioe.getMessage()), ioe);
- throw ioe;
+ // May be expected when working with a trust store
+ // Re-throw. Caller will catch and log as required
+ throw ioe;
 } catch(Exception ex) {
 String msg = sm.getString("jsse.keystore_load_failed", type, path,
 ex.getMessage());
diff --git a/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties b/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
index 20a4d0188..69302278b 100644
--- a/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
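Review bot: The retry added in the new catch block reloads the trust store with a null password, which by the commit's own jsse.invalid_truststore_password text skips validation of the store, so a mistyped truststorePass now silently leaves the connector trusting a file whose tampering can no longer be detected, with a single startup warning as the only signal. That is a security downgrade chosen on the operator's behalf rather than a configuration error, so I would at least log it at error level and name the file, e.g. `log.error(sm.getString("jsse.invalid_truststore_password", truststoreFile), cause);` with a {0} placeholder added to the message, and consider making the fallback opt-in. The retry also presumably only helps for store types whose entries are readable without the password; where the second getStore call fails again, its IOException propagates with no keystore_load_failed log, since getStore no longer emits one. getTrustStore's signature and the first part of its body are outside this hunk.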
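Review bot: The new condition `pass != null && !"".equals(pass)` converts an explicitly empty password into a null one, and a null password handed to ks.load is what the commit's own property text describes as skipping validation of the store. getStore is shared with the server key store path, so unless getKeystore (outside this hunk) normalises the value first, an empty key store password now loads the private-key store unverified where it would presumably have been checked against the store's integrity data before. If the relaxation is only intended for the trust store, keep getStore treating "" as a real empty password and map it to null in getTrustStore before the call, e.g. `if ("".equals(truststorePassword)) { truststorePassword = null; }`. The enclosing getStore method begins before this hunk.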
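Review bot: Removing the log.error here means the jsse.keystore_load_failed message is no longer emitted for an IOException, and the new comment's assumption that the caller logs does not hold for the paths visible in this commit: getTrustStore logs only the UnrecoverableKeyException case and rethrows everything else, and the key store caller (getKeystore, outside this hunk) is not shown to log at all, so an unreadable or wrongly protected key store would surface only as a bare IOException unless something further up logs it. The adjacent `catch(Exception ex)` still logs at error level, leaving the two branches inconsistent for what is the same failure class. Keep the diagnostic without noise for the expected trust-store case by demoting rather than deleting it, e.g. `if (log.isDebugEnabled()) { log.debug(sm.getString("jsse.keystore_load_failed", type, path, ioe.getMessage()), ioe); }`. getStore starts before this hunk.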
@@ -15,4 +15,5 @@ jsse.alias_no_key_entry=Alias name {0} does not identify a key entry
 jsse.keystore_load_failed=Failed to load keystore type {0} with path {1} due to {2}
-jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}
+jsse.invalid_ssl_conf=SSL configuration is invalid due to {0}
+jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation.
\ No newline at end of file
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5b713f653..c91dc2601 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,6 +44,14 @@
+
+
+
+ Follow up to 48545. Make JSSE connectors more tolerant of a
+ incorrect trust store password. (markt)
+
+
+
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 48aa991c4..29c24e252 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -922,7 +922,10 @@

The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that
- property is null, no trust store password will be configured.

+ property is null, no trust store password will be configured. If an
+ invalid trust store password is specified, a warning will be logged and an
+ attempt will be made to access the trust store without a password which
+ will skip validation of the trust store contents.