
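--- a/java/org/apache/tomcat/util/net/AprSSLSupport.java
+++ b/java/org/apache/tomcat/util/net/AprSSLSupport.java
@@ -64,11 +64,17 @@
         }
 
         try {
-            // certLength == -1 indicates an error
+            // certLength == -1 indicates an error unless TLS session tickets
+            // are in use in which case OpenSSL won't store the chain in the
+            // ticket.
             int certLength = SSLSocket.getInfoI(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN);
             byte[] clientCert = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT);
             X509Certificate[] certs = null;
-            if (clientCert != null  && certLength > -1) {
+
+            if (clientCert != null) {
+                if (certLength < 0) {
+                    certLength = 0;
+                }
                 certs = new X509Certificate[certLength + 1];
                 CertificateFactory cf;
                 if (clientCertProvider == null) {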
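Review bot: The clamp `if (certLength < 0) { certLength = 0; }` makes a genuine failure of the `SSL_INFO_CLIENT_CERT_CHAIN` lookup indistinguishable from a ticket-resumed session, so callers receive a one-element array in both cases with no signal. Code that bases trust decisions on the intermediates (issuer pinning, policy checks over the chain) would see a shorter chain on resumed connections than on the first one. I would state this at the clamp, for example `// No chain: either a lookup error or a ticket-resumed session; only the peer certificate is returned.`, and consider a debug-level log there if this class has a logger, which is not visible in the hunk. The enclosing method starts and ends outside the hunk, so how `certs` is filled and returned cannot be checked from here.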
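--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1103,8 +1103,12 @@
 
     <attribute name="disableSessionTickets" required="false">
       <p>OpenSSL only.</p>
-      <p>Disables use of TLS Session Tickets (RFC 4507) if set to
+      <p>Disables use of TLS session tickets (RFC 5077) if set to
-      <code>true</code>. Default is <code>false</code>.</p>
+      <code>true</code>. Default is <code>false</code>. Note that when TLS
+      session tickets are in use, the full peer certificate chain will only be
+      available on the first connection. Subsequent connections (that use a
+      ticket to estrablish the TLS session) will only have the peer certificate,
+      not the full chain.</p>
     </attribute>
 
     <attribute name="honorCipherOrder" required="false">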
