This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit 11ceb08beb68ccaa7f00bcaf90199e53e51bb81c
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 15:31:36 2025 +0000

    Add soft-fail support for OCSP
---
 native/include/ssl_private.h      |  4 +++-
 native/src/sslconf.c              | 20 ++++++++++++++++++++
 native/src/sslutils.c             | 15 ++++++++-------
 xdocs/miscellaneous/changelog.xml |  5 +++++
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 68d2245ad..e748c5da5 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -311,6 +311,7 @@ struct tcn_ssl_ctxt_t {
     int             alpn_selector_failure_behavior;
     /* End add from netty-tcnative */
     int             no_ocsp_check;
+    int             ocsp_soft_fail;
 };
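Review bot: The new `ocsp_soft_fail` field is undocumented, and it is the one flag in this struct that relaxes a security check, so a reader should not have to open sslutils.c to learn which way it fails. I would annotate it in place: `int ocsp_soft_fail; /* non-zero: an OCSP responder that cannot be reached is treated as "not revoked" (fail-open) instead of failing verification */`. The default presumably comes from zero-initialisation of the context, as for `no_ocsp_check`; if that is the case, saying explicitly that the default is fail-closed is worth the extra clause.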
 
 #ifdef HAVE_SSL_CONF_CMD
@@ -319,7 +320,8 @@ typedef struct tcn_ssl_conf_ctxt_t tcn_ssl_conf_ctxt_t;
 struct tcn_ssl_conf_ctxt_t {
     apr_pool_t      *pool;
     SSL_CONF_CTX    *cctx;
-    int     no_ocsp_check;
+    int             no_ocsp_check;
+    int             ocsp_soft_fail;
 };
 #endif
 
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index 2c8a41254..8ee5680be 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -165,6 +165,16 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, 
jlong cctx,
         return 1;
     }
 
+    if (!strcmp(J2S(cmd), "OCSP_SOFT_FAIL")) {
+        if (!strcasecmp(J2S(value), "false"))
+            c->ocsp_soft_fail = 0;
+        else
+            c->ocsp_soft_fail = 1;
+        TCN_FREE_CSTRING(cmd);
+        TCN_FREE_CSTRING(value);
+        return 1;
+    }
+
     SSL_ERR_clear();
     value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
     ec = SSL_ERR_get();
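Review bot: The parse at the top of this hunk is fail-open: any value other than the exact word `false` (`no`, `0`, an empty string, a typo such as `flase`) switches OCSP to soft-fail, which is the less safe mode, so a misconfiguration that weakens revocation checking passes silently. Safer is to enable it only on an explicit `true`, e.g. `c->ocsp_soft_fail = (strcasecmp(J2S(value), "true") == 0);`, or to have `check` reject anything that is neither `true` nor `false` if its return convention (the function starts before this hunk) allows reporting an invalid value. If the `NO_OCSP_CHECK` branch just above, outside the hunk, uses the same false-else-true pattern, both should be changed together so the configuration parser stays consistent.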
@@ -219,6 +229,7 @@ TCN_IMPLEMENT_CALL(void, SSLConf, assign)(TCN_STDARGS, 
jlong cctx,
     // sc->ctx == 0 is allowed!
     SSL_CONF_CTX_set_ssl_ctx(c->cctx, sc->ctx);
     sc->no_ocsp_check = c->no_ocsp_check;
+    sc->ocsp_soft_fail = c->ocsp_soft_fail;
 }
 
 /* Apply a command to an SSL_CONF context */
@@ -267,6 +278,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, 
jlong cctx,
         TCN_FREE_CSTRING(value);
         return 1;
     }
+    if (!strcmp(J2S(cmd), "OCSP_SOFT_FAIL")) {
+        if (!strcasecmp(J2S(value), "false"))
+            c->ocsp_soft_fail = 0;
+        else
+            c->ocsp_soft_fail = 1;
+        TCN_FREE_CSTRING(cmd);
+        TCN_FREE_CSTRING(value);
+        return 1;
+    }
     SSL_ERR_clear();
     rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
     ec = SSL_ERR_get();
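Review bot: The `OCSP_SOFT_FAIL` parsing added here duplicates, byte for byte, the block added to `check` earlier in this file, so the two will drift the next time the accepted spellings or the default change. A small file-local helper keeps a single definition of the truth, e.g. `static int tcn_parse_ocsp_soft_fail(const char *v) { return strcasecmp(v, "false") != 0; }` called as `c->ocsp_soft_fail = tcn_parse_ocsp_soft_fail(J2S(value));` from both places. `apply` starts and ends outside this hunk.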
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 66790d3e3..ded6eb67a 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -319,11 +319,12 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
                                           
SSL_get_ex_data_X509_STORE_CTX_idx());
     tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
     /* Get verify ingredients */
-    int errnum   = X509_STORE_CTX_get_error(ctx);
-    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
-    int verify   = con->ctx->verify_mode;
-    int depth    = con->ctx->verify_depth;
-    int ocsp_check_type = con->ctx->no_ocsp_check;
+    int errnum            = X509_STORE_CTX_get_error(ctx);
+    int errdepth          = X509_STORE_CTX_get_error_depth(ctx);
+    int verify            = con->ctx->verify_mode;
+    int depth             = con->ctx->verify_depth;
+    int ocsp_check_type   = con->ctx->no_ocsp_check;
+    int ocsp_soft_fail    = con->ctx->ocsp_soft_fail;
 
 #if defined(SSL_OP_NO_TLSv1_3)
     con->pha_state = PHA_COMPLETE;
@@ -376,8 +377,8 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
                 }
                 else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
                     errnum = X509_STORE_CTX_get_error(ctx);
-                    if (errnum)
-                        ok = 0 ;
+                    if (errnum != 0 && !(ocsp_soft_fail && errnum == 
X509_V_ERR_UNABLE_TO_GET_CRL))
+                        ok = 0;
                 }
             }
         }
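Review bot: When the soft-fail condition at the end of this hunk leaves `ok` untouched, the `X509_V_ERR_UNABLE_TO_GET_CRL` error that `X509_STORE_CTX_get_error(ctx)` just returned is still recorded in the store context, so whatever later reads the verify result (the rest of `SSL_callback_SSL_verify` and the connection code are outside this hunk) may still see the suppressed error, and nothing marks that revocation status was never actually established. I would clear the stored error explicitly when soft-failing and document the trade-off in place, because an attacker who can block the responder now gets a possibly-revoked certificate accepted. Matching `X509_V_ERR_UNABLE_TO_GET_CRL` alone also assumes the OCSP helper that produced `OCSP_STATUS_UNKNOWN` maps every unreachable or timed-out responder to that one code and never uses it for a responder that answered "unknown"; that mapping lives outside the hunk and is worth confirming, since a reachable responder that does not know the certificate is not the transient outage the changelog describes.
```c
                else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
                    errnum = X509_STORE_CTX_get_error(ctx);
                    if (ocsp_soft_fail && errnum == X509_V_ERR_UNABLE_TO_GET_CRL) {
                        /* Soft-fail (fail-open): the responder could not be
                         * consulted, so revocation status is unknown. Accept
                         * the certificate and clear the stored error so the
                         * verify result does not still report it. */
                        X509_STORE_CTX_set_error(ctx, X509_V_OK);
                    }
                    else if (errnum != 0) {
                        ok = 0;
                    }
                }
```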
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index 22bbc9201..2f0b6ddc4 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -59,6 +59,11 @@
     <add>
       Expand verification of OCSP responses. (markt)
     </add>
+    <add>
+      Add the ability to configure the OCSP checks to soft-fail - i.e. if the
+      responder cannot be contacted or fails to respond in a timely manner the
+      OCSP check will not fail. (markt)
+    </add>
   </changelog>
 </section>
 <section name="Changes in 1.3.1">

