ASF Bugzilla – Attachment 33578 Details for Bug 58244: two way SSL loses client certificate after a few requests
[patch] Potential patch if OpenSSL decide this is a WONTFIX
Filename: bug58244-v1.patch
MIME Type: text/plain
Creator: Mark Thomas
Created: 2016-02-21 16:49:43 UTC
Size: 2.06 KB
Flags: patch, obsolete
>Index: java/org/apache/tomcat/util/net/AprSSLSupport.java >=================================================================== >--- java/org/apache/tomcat/util/net/AprSSLSupport.java (revision 1731249) >+++ java/org/apache/tomcat/util/net/AprSSLSupport.java (working copy) >@@ -64,11 +64,17 @@ > } > > try { >- // certLength == -1 indicates an error >+ // certLength == -1 indicates an error unless TLS session tickets >+ // are in use in which case OpenSSL won't store the chain in the >+ // ticket. > int certLength = SSLSocket.getInfoI(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN); > byte[] clientCert = SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT); > X509Certificate[] certs = null; >- if (clientCert != null && certLength > -1) { >+ >+ if (clientCert != null) { >+ if (certLength < 0) { >+ certLength = 0; >+ } > certs = new X509Certificate[certLength + 1]; > CertificateFactory cf; > if (clientCertProvider == null) { >Index: webapps/docs/config/http.xml >=================================================================== >--- webapps/docs/config/http.xml (revision 1731249) >+++ webapps/docs/config/http.xml (working copy) >@@ -1103,8 +1103,12 @@ > > <attribute name="disableSessionTickets" required="false"> > <p>OpenSSL only.</p> >- <p>Disables use of TLS Session Tickets (RFC 4507) if set to >- <code>true</code>. Default is <code>false</code>.</p> >+ <p>Disables use of TLS session tickets (RFC 5077) if set to >+ <code>true</code>. Default is <code>false</code>. Note that when TLS >+ session tickets are in use, the full peer certificate chain will only be >+ available on the first connection. Subsequent connections (that use a >+ ticket to estrablish the TLS session) will only have the peer certificate, >+ not the full chain.</p> > </attribute> > > <attribute name="honorCipherOrder" required="false">
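Review bot: In the AprSSLSupport.java hunk, clamping any negative certLength to 0 throws away the error signal the new comment still describes: the comment says -1 means an error unless TLS session tickets are in use, but the code no longer distinguishes the two cases, so a genuine failure to read the chain now silently produces a one-element array holding only the peer certificate. Consider treating the negative length as "no chain" only when session tickets are enabled (the setting is exposed as disableSessionTickets in the http.xml hunk), or at least logging the condition at debug level so an operator can tell the ticket-resumption case from a real error.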
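Review bot: In the http.xml hunk, "estrablish" in the added sentence should read "establish". It would also help readers to say explicitly that the one-certificate result on resumed connections is the expected behaviour with session tickets rather than a failure, since that is the distinction the Java hunk relies on.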