This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 7864f88ab33b3396452f8e2e9d692eec9469a10e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Sep 27 09:16:03 2023 +0100
 Disable OCSP if optionalNoCA is used
---
 native/src/sslutils.c | 9 ++++-----
 xdocs/miscellaneous/changelog.xml | 5 +++++
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 2af4d2504..5052c5e7a 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -309,15 +309,14 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
 con->pha_state = PHA_COMPLETE;
 #endif
 
- if (verify == SSL_CVERIFY_UNSET ||
- verify == SSL_CVERIFY_NONE) {
+ if (verify == SSL_CVERIFY_UNSET || verify == SSL_CVERIFY_NONE) {
 return 1;
 }
 
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
- (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
- ok = 1;
+ if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) && (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
 SSL_set_verify_result(ssl, X509_V_OK);
+ // Skip OCSP checks since the CA is optional
+ return 1;
 }
 
 /*
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 5bb4b7e51..125e36066 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -33,6 +33,11 @@
 </section>
 <section name="Changes in 2.0.6">
 <changelog>
+ <fix>
+ <bug>67061</bug>: If the insecure optionalNoCA certificate verification
+ mode is used, disable OCSP if enabled else client certificates from
+ unknown certificate authorities will be rejected. (markt)
+ </fix>
 </changelog>
 </section>
 <section name="Changes in 2.0.5">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
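Review bot: The new `return 1;` in the optionalNoCA branch leaves SSL_callback_SSL_verify before everything that follows the hunk, so it skips not only the OCSP check the comment names but any later verification step in the rest of the callback, and it does so for every error SSL_VERIFY_ERROR_IS_OPTIONAL accepts; if that macro (defined outside this hunk) covers errors other than an unknown issuer, a certificate that chains to a configured CA could now bypass revocation checking as well, so narrowing the early return to the unknown-CA cases would be the safer shape. The comment should state the full effect rather than just OCSP, e.g. `/* CA is optional: accept the chain as X509_V_OK and skip OCSP and every later check in this callback */`. The surrounding code uses `/* */` comments (the `/*` context line right after the hunk), so the added `//` comment is also a style mismatch with the file. The body of SSL_callback_SSL_verify continues past the end of the hunk.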