Bug 66635 - AbstractEndpoint#logCertificate() prints incorrect information
Summary: AbstractEndpoint#logCertificate() prints incorrect information
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.x-trunk
Hardware: All All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-09 06:57 UTC by Michael Osipov
Modified: 2023-06-14 09:37 UTC
Description Michael Osipov 2023-06-09 06:57:30 UTC
This applies to other Tomcat versions as well, but only verified in 8.5.
Coming from: https://www.mail-archive.com/users@tomcat.apache.org/msg141656.html

Tomcat logs the following line:
> 2023-06-08T12:38:54.938 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from [/net/home/smartld/.keystore] using alias [tomcat] and with trust store [null] 

But I have never configured a Java keystore; I solely use an APR + OpenSSL style config:
> <Connector port="8444" connectionTimeout="20000" keepAliveTimeout="300000" maxParameterCount="1000"
>   maxHttpHeaderSize="24576" maxThreads="250"
>   SSLEnabled="true" scheme="https" secure="true"
>   defaultSSLHostConfigName="deblndw024v.ad001.siemens.net">
>   <SSLHostConfig hostName="deblndw024v.ad001.siemens.net" protocols="TLSv1.2+TLSv1.3"
>     honorCipherOrder="true" disableSessionTickets="true"
>     ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>     <Certificate certificateFile="/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt"
>       certificateKeyFile="/opt/openssl/deblndw024v.ad001.siemens.net/key.crt"
>       certificateKeyPassword="..." type="RSA" />
>   </SSLHostConfig>
> </Connector>

The Java code emitting this message does not check for store type to print the correct information. The keystore [/net/home/smartld/.keystore] does not exist.

The called class does differentiate internally between store types, and so should this printer.
Comment 1 Mark Thomas 2023-06-13 16:28:48 UTC
Fixed in:
- 11.0.x for 11.0.0-M8 onwards
- 10.1.x for 10.1.11 onwards
-  9.0.x for  9.0.77 onwards
-  8.5.x for  8.5.91 onwards
Comment 2 Michael Osipov 2023-06-14 08:05:20 UTC
Looks much better now:

> 2023-06-14T09:58:06.481 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-8444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and certificate chain [null] with trust store [null]
> 2023-06-14T09:58:06.585 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-18444], TLS virtual host [deblndw024v.ad001.siemens.net], certificate type [RSA] configured from key [/opt/openssl/deblndw024v.ad001.siemens.net/key.crt], certificate [/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt] and certificate chain [null] with trust store [/opt/openssl/certs]

I wonder to what extent we need certificateChainFile these days, because the mod_ssl counterpart has been deprecated for a long time: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile as long as our code loads the file identically to mod_ssl.

Should I spawn a new issue for this?
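The description above reports that the pre-fix logCertificate() always printed keystore details, and comment 2 shows the corrected output, which differs by store type. The Java below is an added illustration written for this page, not Tomcat's source: a stand-in CertConfig class whose field names are modelled on the SSLHostConfig certificate attributes (its defaults and the usesPemFiles() rule are assumptions made for the example), one formatter that reproduces the misleading "before" line, one that branches on the store type as the fixed output does, and a helper that lists configured paths that do not exist on disk, which is the check an operator reading such a log line would want.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/** Constructed example, not Tomcat code: why a TLS certificate log line must branch on store type. */
public class CertificateLogExample {

    /** Stand-in for the per-certificate settings of an SSLHostConfig (assumed shape). */
    static final class CertConfig {
        final String type;            // e.g. "RSA"
        final String keystoreFile;    // Java keystore path
        final String keystoreAlias;   // alias inside the keystore
        final String keyFile;         // PEM private key, or null
        final String certificateFile; // PEM certificate, or null
        final String chainFile;       // PEM chain, or null
        final String trustStoreFile;  // trust store, or null

        CertConfig(String type, String keystoreFile, String keystoreAlias, String keyFile,
                   String certificateFile, String chainFile, String trustStoreFile) {
            this.type = type;
            // Assumed defaults for this example: an unset keystore falls back to ~/.keystore and
            // alias "tomcat", which is how a path nobody configured can end up in a log line.
            this.keystoreFile = keystoreFile != null
                    ? keystoreFile : System.getProperty("user.home") + "/.keystore";
            this.keystoreAlias = keystoreAlias != null ? keystoreAlias : "tomcat";
            this.keyFile = keyFile;
            this.certificateFile = certificateFile;
            this.chainFile = chainFile;
            this.trustStoreFile = trustStoreFile;
        }

        /** Assumption for this example: PEM-style config is in use when a key file is set. */
        boolean usesPemFiles() {
            return keyFile != null;
        }
    }

    /** Before the fix: always reports keystore details, even for a PEM-style config. */
    static String logLineBefore(String connector, String host, CertConfig c) {
        return "Connector [" + connector + "], TLS virtual host [" + host
                + "], certificate type [" + c.type + "] configured from [" + c.keystoreFile
                + "] using alias [" + c.keystoreAlias + "] and with trust store ["
                + c.trustStoreFile + "]";
    }

    /** After the fix: the line describes the store type that is actually in use. */
    static String logLineAfter(String connector, String host, CertConfig c) {
        String prefix = "Connector [" + connector + "], TLS virtual host [" + host
                + "], certificate type [" + c.type + "] configured from ";
        if (c.usesPemFiles()) {
            return prefix + "key [" + c.keyFile + "], certificate [" + c.certificateFile
                    + "] and certificate chain [" + c.chainFile + "] with trust store ["
                    + c.trustStoreFile + "]";
        }
        return prefix + "[" + c.keystoreFile + "] using alias [" + c.keystoreAlias
                + "] and with trust store [" + c.trustStoreFile + "]";
    }

    /** Operator check: which paths the active store type relies on are absent from disk. */
    static List<String> missingFiles(CertConfig c) {
        List<String> candidates = new ArrayList<>();
        if (c.usesPemFiles()) {
            candidates.add(c.keyFile);
            candidates.add(c.certificateFile);
            candidates.add(c.chainFile);
        } else {
            candidates.add(c.keystoreFile);
        }
        candidates.add(c.trustStoreFile);
        List<String> missing = new ArrayList<>();
        for (String p : candidates) {
            if (p != null && !Files.exists(Paths.get(p))) {
                missing.add(p);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed input using the paths from the bug report; no keystore is configured.
        CertConfig pem = new CertConfig("RSA", null, null,
                "/opt/openssl/deblndw024v.ad001.siemens.net/key.crt",
                "/opt/openssl/deblndw024v.ad001.siemens.net/cert.crt", null, null);
        String connector = "https-openssl-apr-8444";
        String host = "deblndw024v.ad001.siemens.net";
        System.out.println("before: " + logLineBefore(connector, host, pem));
        System.out.println("after:  " + logLineAfter(connector, host, pem));
        System.out.println("paths referenced by the active config that are missing: "
                + missingFiles(pem));
    }
}
```

Run as-is, the "before" line names a keystore under the current user's home directory that was never configured, while the "after" line names only the PEM files the connector actually loads; missingFiles() applied to the "after" view tells an operator whether the files the log claims to use are really present.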
Comment 3 Mark Thomas 2023-06-14 08:27:14 UTC
Yes. A new issue needs a new BZ entry.
Comment 4 Michael Osipov 2023-06-14 09:37:52 UTC
(In reply to Mark Thomas from comment #3)
> Yes. A new issue needs a new BZ entry.

Done in Bug 66647.