For OpenSSL+FFM, only configure CA certs if configuration is present

markt-asf · markt-asf · commit 80d938f3d43d · 2026-01-06T09:12:36.000Z
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -557,7 +557,7 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws K
             SSL_CTX_set_verify(state.sslCtx, value,
                     SSL_CTX_set_verify$callback.allocate(new OpenSSLEngine.VerifyCallback(), contextArena));
 
-            // Trust and certificate verification
+            // Trust and certificate verification (optional - may not be configured)
             if (tms != null) {
                 // Client certificate verification based on custom trust managers
                 x509TrustManager = chooseTrustManager(tms);
@@ -580,7 +580,7 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws K
                         log.debug(sm.getString("openssl.addedClientCaCert", caCert.toString()));
                     }
                 }
-            } else {
+            } else if (sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null) {
                 // Client certificate verification based on trusted CA files and dirs
                 MemorySegment caCertificateFileNative = sslHostConfig.getCaCertificateFile() != null ?
                         localArena
@@ -590,9 +590,7 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws K
                         localArena
                                 .allocateFrom(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath())) :
                         MemorySegment.NULL;
-                if ((sslHostConfig.getCaCertificateFile() != null || sslHostConfig.getCaCertificatePath() != null) &&
-                        SSL_CTX_load_verify_locations(state.sslCtx, caCertificateFileNative,
-                                caCertificatePathNative) <= 0) {
+                if (SSL_CTX_load_verify_locations(state.sslCtx, caCertificateFileNative, caCertificatePathNative) <= 0) {
                     logLastError("openssl.errorConfiguringLocations");
                 } else {
                     var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -241,6 +241,11 @@
         Better warning message when <code>OpenSSLConf</code> configuration
         elements are used with a JSSE TLS implementation. (markt)
       </fix>
+      <fix>
+        When using OpenSSL via FFM, don't log a warning about missing CA
+        certificates unless CA certificates were configured and the
+        configuration failed. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
