Bug 63523 - JSSEutilBase in tomcat-embed-core getParameters() visibility change breaks compatability and prevents OCSP SOFT_FAIL configuration
Summary: JSSEutilBase in tomcat-embed-core getParameters() visibility change breaks co...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 9.0.21
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-20 21:00 UTC by wjase
Modified: 2019-06-20 22:13 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description wjase 2019-06-20 21:00:35 UTC
We updated tomcat-embed-core to mitigate a CVE and our compile failed as we were subclassing JSSEUtil and overriding getParameters to further configure the Cert Params.

I have a pull request with a possible solution which does not involve making the the getParameters() method protected or public, but instead adds an interface object which can configure params after creation.

Link to PR is here:

https://github.com/apache/tomcat/pull/171
Comment 1 Remy Maucherat 2019-06-20 22:13:08 UTC
Since getParameters was protected (same for getCRLs), it should remain protected in 9.x and 8.5.
The fix will be in 9.0.22 and 8.5.43.