This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit ddf7377992919530b7a0839f856e2e43b0d6f777
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 15:42:05 2025 +0000
Add timeout support to reading/writing OCSP requests/responses
---
native/include/ssl_private.h | 2 ++
native/src/sslconf.c | 27 +++++++++++++++++++++++++++
native/src/sslutils.c | 26 ++++++++++++++++----------
xdocs/miscellaneous/changelog.xml | 4 ++++
4 files changed, 49 insertions(+), 10 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index e29124524..f55874178 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -311,6 +311,7 @@ struct tcn_ssl_ctxt_t {
/* End add from netty-tcnative */
int no_ocsp_check;
int ocsp_soft_fail;
+ int ocsp_timeout;
};
#ifdef HAVE_SSL_CONF_CMD
@@ -321,6 +322,7 @@ struct tcn_ssl_conf_ctxt_t {
SSL_CONF_CTX *cctx;
int no_ocsp_check;
int ocsp_soft_fail;
+ int ocsp_timeout;
};
#endif
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index 3b0f32f39..0dd853cb7 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -173,6 +173,19 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, jlong cctx,
return 1;
}
+ if (!strcmp(J2S(cmd), "OCSP_TIMEOUT")) {
+ int i;
+ errno = 0;
+ i = (int) strtol(J2S(value), NULL, 10);
+ if (!errno) {
+ // Tomcat configures timeout is millisecond. APR uses microseconds.
+ c->ocsp_timeout = i * 1000;
+ }
+ TCN_FREE_CSTRING(cmd);
+ TCN_FREE_CSTRING(value);
+ return 1;
+ }
+
SSL_ERR_clear();
value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
ec = SSL_ERR_get();
@@ -228,6 +241,8 @@ TCN_IMPLEMENT_CALL(void, SSLConf, assign)(TCN_STDARGS, jlong cctx,
SSL_CONF_CTX_set_ssl_ctx(c->cctx, sc->ctx);
sc->no_ocsp_check = c->no_ocsp_check;
sc->ocsp_soft_fail = c->ocsp_soft_fail;
+ sc->ocsp_timeout = c->ocsp_timeout;
+ // TODO verify
}
/* Apply a command to an SSL_CONF context */
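Review bot: The new OCSP_TIMEOUT branch in check() accepts any string, because `strtol(J2S(value), NULL, 10)` with a NULL end pointer cannot detect non-numeric or trailing input — a value such as `abc` parses as 0 with errno untouched and is stored as a 0 µs timeout — and `i * 1000` overflows `int` (undefined behaviour) for any value above INT_MAX / 1000 ms. Parse into a `long` with an end pointer, require the whole string to be consumed, range-check before scaling, and only then store; the identical block added to apply() in the @@ -285 hunk needs the same treatment, and a small static helper shared by both would keep them in sync. If check() is meant to reject invalid values rather than quietly ignore them, the failing parse should return whatever check() returns for a rejected command instead of 1 — that convention is outside the hunk, as is the rest of the function. The added comment also reads oddly; `// Tomcat configures the timeout in milliseconds; APR uses microseconds.` INT_MIN/INT_MAX need `<limits.h>` if sslconf.c does not already include it.
```c
if (!strcmp(J2S(cmd), "OCSP_TIMEOUT")) {
    const char *s = J2S(value);
    char *end = NULL;
    long ms;
    errno = 0;
    ms = strtol(s, &end, 10);
    /* Whole string must be a number, and ms * 1000 must fit the int field. */
    if (errno == 0 && end != s && *end == '\0'
            && ms >= INT_MIN / 1000 && ms <= INT_MAX / 1000) {
        // Tomcat configures the timeout in milliseconds; APR uses microseconds.
        c->ocsp_timeout = (int) (ms * 1000);
    }
    TCN_FREE_CSTRING(cmd);
    TCN_FREE_CSTRING(value);
    return 1;
}
```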
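Review bot: `// TODO verify` is committed in assign() without saying what is to be verified, so a later reader cannot tell whether the copy of ocsp_timeout is believed complete or is a known gap. Either resolve the question before merging or make the marker actionable by stating it, e.g. `// TODO: <what remains to be confirmed about ocsp_timeout>`; as written the line mirrors the no_ocsp_check and ocsp_soft_fail copies above it and looks complete.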
@@ -285,6 +300,18 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, jlong cctx,
TCN_FREE_CSTRING(value);
return 1;
}
+ if (!strcmp(J2S(cmd), "OCSP_TIMEOUT")) {
+ int i;
+ errno = 0;
+ i = (int) strtol(J2S(value), NULL, 10);
+ if (!errno) {
+ // Tomcat configures timeout is millisecond. APR uses microseconds.
+ c->ocsp_timeout = i * 1000;
+ }
+ TCN_FREE_CSTRING(cmd);
+ TCN_FREE_CSTRING(value);
+ return 1;
+ }
SSL_ERR_clear();
rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
ec = SSL_ERR_get();
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index b70a4aece..4bb68f60e 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -33,8 +33,8 @@ extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
#define ASN1_SEQUENCE 0x30
#define ASN1_OID 0x06
#define ASN1_STRING 0x86
-static int ssl_verify_OCSP(X509_STORE_CTX *ctx);
-static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
+static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout);
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int timeout);
#endif
/* _________________________________________________________________
@@ -305,6 +305,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
int depth = con->ctx->verify_depth;
int ocsp_check_type = con->ctx->no_ocsp_check;
int ocsp_soft_fail = con->ctx->ocsp_soft_fail;
+ int ocsp_timeout = con->ctx->ocsp_timeout;
#if defined(SSL_OP_NO_TLSv1_3)
con->pha_state = PHA_COMPLETE;
@@ -350,7 +351,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
ok = 0;
} else {
- int ocsp_response = ssl_verify_OCSP(ctx);
+ int ocsp_response = ssl_verify_OCSP(ctx, ocsp_timeout);
if (ocsp_response == OCSP_STATUS_REVOKED) {
ok = 0 ;
errnum = X509_STORE_CTX_get_error(ctx);
@@ -493,7 +494,7 @@ int SSL_callback_alpn_select_proto(SSL* ssl, const unsigned char **out, unsigned
#ifdef HAVE_OCSP
/* Function that is used to do the OCSP verification */
-static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
+static int ssl_verify_OCSP(X509_STORE_CTX *ctx, int timeout)
{
X509 *cert, *issuer;
int r = OCSP_STATUS_UNKNOWN;
@@ -518,7 +519,7 @@ static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
/* if we can't get the issuer, we cannot perform OCSP verification */
issuer = X509_STORE_CTX_get0_current_issuer(ctx);
if (issuer != NULL) {
- r = ssl_ocsp_request(cert, issuer, ctx);
+ r = ssl_ocsp_request(cert, issuer, ctx, timeout);
switch (r) {
case OCSP_STATUS_OK:
X509_STORE_CTX_set_error(ctx, X509_V_OK);
@@ -958,7 +959,7 @@ static OCSP_REQUEST *get_ocsp_request(X509 *cert, X509 *issuer)
}
/* Submits an OCSP request and returns the OCSP_RESPONSE */
-static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, char *url, OCSP_REQUEST *ocsp_req)
+static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, char *url, OCSP_REQUEST *ocsp_req, int timeout)
{
OCSP_RESPONSE *ocsp_resp = NULL;
BIO *bio_req;
@@ -989,6 +990,8 @@ static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, char *url, OCSP_REQUEST *
goto free_bio;
}
+ apr_socket_timeout_set(apr_sock, timeout);
+
ok = ocsp_send_req(apr_sock, bio_req);
if (ok) {
ocsp_resp = ocsp_get_resp(mp, apr_sock);
@@ -1075,7 +1078,7 @@ clean_bs:
return o;
}
-static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
+static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int timeout)
{
char **ocsp_urls = NULL;
int nid;
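Review bot: In the @@ -989 hunk `apr_socket_timeout_set(apr_sock, timeout)` is applied unconditionally and its return value is dropped; APR treats a timeout of 0 as non-blocking and a negative value as block-forever, so if ocsp_timeout stays 0 when OCSP_TIMEOUT is not configured (the context's initialiser is outside this diff, so I cannot confirm the default) every OCSP exchange becomes non-blocking and ocsp_send_req()/ocsp_get_resp() can fail immediately. Guard the call so an unset value keeps the socket's existing behaviour and treat a failed set as a failure to contact the responder, `if (timeout > 0 && apr_socket_timeout_set(apr_sock, timeout) != APR_SUCCESS) { goto free_bio; }` — assuming free_bio is the right cleanup once apr_sock exists, as the goto just above it suggests. The set also happens after the socket is presumably already connected, so connection establishment itself is not bounded by this timeout; setting it before the connect would let APR apply it there too. get_ocsp_response() starts and ends outside the hunk.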
@@ -1104,13 +1107,16 @@ static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
approach is to iterate for all the possible ocsp urls */
req = get_ocsp_request(cert, issuer);
if (req != NULL) {
- resp = get_ocsp_response(p, ocsp_urls[0], req);
+ resp = get_ocsp_response(p, ocsp_urls[0], req, timeout);
if (resp != NULL) {
rv = process_ocsp_response(req, resp, cert, issuer, ctx);
} else {
- /* correct error code for application errors? */
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ /* Unable to send request / receive response. */
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
}
+ } else {
+ /* correct error code for application errors? */
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
}
if (req != NULL) {
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 05eab5a3b..a6ef70a93 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -49,6 +49,10 @@
responder cannot be contacted or fails to respond in a timely manner
the OCSP check will not fail. (markt)
</add>
+ <add>
+ Add a configurable timeout to the writing of OCSP requests and reading of
+ OCSP responses. (markt)
+ </add>
</changelog>
</section>
<section name="Changes in 2.0.9">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
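Review bot: Reporting a missing or timed-out OCSP response as `X509_V_ERR_UNABLE_TO_GET_CRL` labels an OCSP failure as a CRL failure in whatever the caller logs or sends to the peer; OpenSSL has defined `X509_V_ERR_OCSP_VERIFY_FAILED` since 1.1.0, which names this condition directly if the supported baseline includes it. If the soft-fail path in SSL_callback_SSL_verify selects on this error code (that logic is outside the hunk), the value chosen here must be the one it tests for, so please confirm both agree. The new else-branch inherits the old `/* correct error code for application errors? */` question for the req == NULL case; since that case is "could not build the request" rather than a responder problem, say so, e.g. `/* Could not build the OCSP request; not a responder failure. */`. ssl_ocsp_request() continues past the end of the hunk.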
