On 08/06/2023 12:25, Osipov, Michael (SMD IT IN) wrote:
> Folks,
>
> I am running 8.5.88 and noticed these lines in my catalina.out:
>
> 2023-06-08T12:38:54.938 INFORMATION [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
> [https-openssl-apr-8444], TLS virtual host
> [deblndw024v.ad001.siemens.net], certificate type [RSA] configured
> from [/net/home/smartld/.keystore] using alias [tomcat] and with trust
> store [null]
> 2023-06-08T12:38:55.036 INFORMATION [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector
> [https-openssl-apr-18444], TLS virtual host
> [deblndw024v.ad001.siemens.net], certificate type [RSA] configured
> from [/net/home/smartld/.keystore] using alias [tomcat] and with trust
> store [/opt/openssl/certs]
>
> I have two connectors configured (both APR and OpenSSL); the only
> difference is that the second one (18444) requires TLS client certificates:
>
> <Connector port="8444" connectionTimeout="20000"
>            keepAliveTimeout="300000" maxParameterCount="1000"
>            maxHttpHeaderSize="24576" maxThreads="250"
>            SSLEnabled="true" scheme="https" secure="true"
>            defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
>   <SSLHostConfig hostName="deblndw024v.ad001.siemens.net"
>                  protocols="TLSv1.2+TLSv1.3"
>                  honorCipherOrder="true" disableSessionTickets="true"
>                  ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate
>       certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
>       certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
>       certificateKeyPassword="..." type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> and
>
> <Connector port="18444" connectionTimeout="20000"
>            keepAliveTimeout="7200000" maxParameterCount="1000"
>            maxHttpHeaderSize="24576" maxThreads="250"
>            SSLEnabled="true" scheme="https" secure="true"
>            defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
>   <SSLHostConfig hostName="deblndw024v.ad001.siemens.net"
>                  protocols="TLSv1.2+TLSv1.3"
>                  honorCipherOrder="true" disableSessionTickets="true"
>                  certificateVerification="optional" certificateVerificationDepth="5"
>                  caCertificatePath="/opt/openssl/certs"
>                  ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate
>       certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
>       certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
>       certificateKeyPassword="..." type="RSA" />
>     <OpenSSLConf>
>       <OpenSSLConfCmd name="RequestCAFile"
>                       value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
>     </OpenSSLConf>
>   </SSLHostConfig>
> </Connector>
>
> The information displayed is partially wrong. It fails to differentiate
> between store types
> (org.apache.tomcat.util.net.SSLHostConfigCertificate.StoreType).
I disagree with the characterization that the data is wrong. There are
many TLS configuration attributes. A few are displayed, most are not.
StoreType is one of those that is not.
The aim isn't to display the full configuration (admins can look at
server.xml for that). The intention is to make clear, for each
configured server certificate, which configuration files are being used.
The idea being that you can then examine the relevant files and/or
server.xml if there is an issue.
I'm not seeing much of a case for adding StoreType.
> Moreover, from my PoV it makes little sense to print "trust store
> [null]" if no verification is requested, no? It causes, at least,
> confusion that a user/admin has failed to configure something.
Only if the admin doesn't understand the purpose of the trust store. I'd
prefer to keep it. It makes it explicit that one hasn't been configured.
Mark
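The point Mark makes above, that "trust store [null]" is only a problem when client-certificate verification is actually configured, can be turned into a mechanical check. The following script is an added example written for this thread; it is not code from Tomcat or from either poster. It parses the AbstractEndpoint.logCertificate message format quoted above and a constructed server.xml in the same shape as the two connectors in the thread (placeholder host and paths), maps each log line back to its Connector by port, and flags the one combination that is a real misconfiguration: certificateVerification set to something other than none while the log reports no trust store. It assumes Tomcat's connector naming of the form <protocol>-<implementation>-<port> (as in the thread's https-openssl-apr-8444) and the Tomcat default of certificateVerification="none" when the attribute is absent.

```python
"""Cross-check Tomcat's per-certificate startup log lines against server.xml.

Added example for this mailing-list thread; not Tomcat code. It reports,
per connector, whether "trust store [null]" is the expected state (no
client-certificate verification configured) or a likely misconfiguration
(verification requested but no trust store available).
"""
import re
import xml.etree.ElementTree as ET

# Message format exactly as quoted in the thread (the mail client wrapped it;
# the real catalina.out entry is a single line).
LOG_RE = re.compile(
    r"Connector \[(?P<connector>[^\]]+)\], TLS virtual host \[(?P<host>[^\]]+)\], "
    r"certificate type \[(?P<ctype>[^\]]+)\] configured from \[(?P<source>[^\]]+)\] "
    r"using alias \[(?P<alias>[^\]]+)\] and with trust store \[(?P<trust>[^\]]+)\]"
)

# Constructed sample log lines (placeholder host and paths, same shape as the thread).
SAMPLE_LOG = """\
2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [tls.example.internal], certificate type [RSA] configured from [/opt/tls/example.keystore] using alias [tomcat] and with trust store [null]
2023-06-08T12:38:55.036 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [tls.example.internal], certificate type [RSA] configured from [/opt/tls/example.keystore] using alias [tomcat] and with trust store [/opt/openssl/certs]
"""

# Constructed server.xml mirroring the thread's two connectors: the first has no
# client-certificate verification, the second requests it optionally with a CA path.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig hostName="tls.example.internal" protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateFile="/opt/tls/cert.crt"
                     certificateKeyFile="/opt/tls/key.crt" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="18444" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig hostName="tls.example.internal" protocols="TLSv1.2+TLSv1.3"
                     certificateVerification="optional" certificateVerificationDepth="5"
                     caCertificatePath="/opt/openssl/certs">
        <Certificate certificateFile="/opt/tls/cert.crt"
                     certificateKeyFile="/opt/tls/key.crt" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_log(text):
    """Map connector name -> parsed fields for every logCertificate line."""
    entries = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries[m.group("connector")] = m.groupdict()
    return entries


def parse_server_xml(text):
    """Map connector port -> attributes of its SSLHostConfig (SSL-enabled connectors only)."""
    configs = {}
    for conn in ET.fromstring(text).iter("Connector"):
        shc = conn.find("SSLHostConfig")
        if conn.get("SSLEnabled", "false").lower() == "true" and shc is not None:
            configs[conn.get("port")] = dict(shc.attrib)
    return configs


def check(log_entries, configs):
    """Return {connector: (status, detail)} where status is 'ok' or 'warn'."""
    results = {}
    for name, entry in log_entries.items():
        port = name.rsplit("-", 1)[-1]  # assumption: connector named <proto>-<impl>-<port>
        cfg = configs.get(port)
        if cfg is None:
            results[name] = ("warn", f"no SSL-enabled Connector on port {port} in server.xml")
            continue
        # Tomcat's default when the attribute is absent is "none".
        verification = cfg.get("certificateVerification", "none").lower()
        has_trust = entry["trust"] != "null"
        if verification == "none":
            detail = "no client-certificate verification configured"
            if not has_trust:
                detail += "; trust store [null] is expected"
            results[name] = ("ok", detail)
        elif has_trust:
            results[name] = ("ok", f"certificateVerification={verification}; trust store {entry['trust']}")
        else:
            results[name] = ("warn", f"certificateVerification={verification} but no trust store is configured")
    return results


def audit(log_text=SAMPLE_LOG, xml_text=SAMPLE_SERVER_XML):
    """Run the cross-check on a catalina.out excerpt and a server.xml document."""
    return check(parse_log(log_text), parse_server_xml(xml_text))


if __name__ == "__main__":
    for connector, (status, detail) in audit().items():
        print(f"{status.upper():4} {connector}: {detail}")
```

Run against the constructed data both connectors come out as ok, which is the situation in the thread: the 8444 connector has no verification so a null trust store is the expected state, and the 18444 connector requests optional verification and does have one. Change the second log line's trust store to [null] while leaving certificateVerification="optional" in place and the same connector is reported as a warning, which is the case where that log field earns its keep.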
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org