There must be a bug in SSL support


There must be a bug in SSL support

Jack , Zhan Hua Ping
My SSL is OK, then I just add a new key to .keystore,

then my SSL doesn't work.
The client gets the new key from the Tomcat server.

After I delete the new key,
everything starts to work again.





---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Thank you for the reply.

Jack , Zhan Hua Ping
Paul Singleton wrote:
>Unless you specify the key with <Connector ... keyAlias="xyz" ... /> (works
>with 5.5.9 and later, dunno about older versions)
>then it seems to pick an arbitrary one (the newest?)

Thank you for your effort to reply to me.
I didn't specify the keyAlias. I was using 5.5.12.
I didn't spend time on that. I just deleted the newest key,
then everything was fine.

I checked its SHA1 & MD5 digests, and I am 100% sure it just picked the newest
key. I don't know the reason. I don't want to put time on it.
I just want to let other people know it.

[hidden email]





The bug seems to come from here

Jack , Zhan Hua Ping
In the getKeyManagers of org.apache.tomcat.util.net.jsse.JSSE14SocketFactory
we can see the following code:

        kms = kmf.getKeyManagers();
        // jacklog(...) is the poster's own debug output, not Tomcat code
        jacklog("return "+kms.length+" KeyManagers.");
        if (keyAlias != null) {
            // JKS stores aliases in lower case, so normalise the configured alias
            if (JSSESocketFactory.defaultKeystoreType.equals(keystoreType)) {
                keyAlias = keyAlias.toLowerCase();
            }
            // wrap each JSSE key manager so it always presents keyAlias
            for(int i=0; i<kms.length; i++) {
                kms[i] = new JSSEKeyManager((X509KeyManager)kms[i], keyAlias);
            }
        }

        return kms;

When keyAlias == null, we don't use our own JSSEKeyManager at all, so the
plain JSSE key manager decides which key to present.
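As an added example (not Tomcat's JSSEKeyManager source), a minimal X509KeyManager wrapper that pins the server alias the way keyAlias does, plus a helper that reports which alias the unwrapped JSSE manager would pick from a keystore with several keys. The class name PinnedAliasKeyManager and the helper defaultServerAlias are assumptions, not Tomcat APIs.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Wraps a JSSE X509KeyManager so the server side always presents one alias. */
public final class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    public PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        this.delegate = delegate;
        // JKS stores aliases in lower case (the same reason Tomcat lower-cases keyAlias)
        this.alias = alias.toLowerCase();
    }

    // Server side: do not let JSSE choose, return the configured alias.
    // Assumption: the alias exists in the keystore; otherwise the handshake fails.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return alias;
    }
    // Everything else is delegated unchanged.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Diagnostic: which alias the plain JSSE manager would present for an RSA key. */
    public static String defaultServerAlias(KeyStore ks, char[] keyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        return km.chooseServerAlias("RSA", null, null);   // JSSE picks one matching alias itself
    }
}
```

Calling defaultServerAlias on a keystore that holds more than one RSA key shows the alias JSSE would present without keyAlias; comparing that certificate's fingerprint with what the connector serves is the check the thread describes.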



