This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 1.2.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit 9f27e2a857860fe85eadf16cb83b5516cc635016
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Sep 27 09:16:03 2023 +0100

    Disable OCSP if optionalNoCA is used
---
 native/src/sslutils.c             | 9 ++++-----
 xdocs/miscellaneous/changelog.xml | 7 +++++++
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 619a6537e..2c6810d5e 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -329,15 +329,14 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
     con->pha_state = PHA_COMPLETE;
 #endif
 
-    if (verify == SSL_CVERIFY_UNSET ||
-        verify == SSL_CVERIFY_NONE) {
+    if (verify == SSL_CVERIFY_UNSET || verify == SSL_CVERIFY_NONE) {
         return 1;
     }
 
-    if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
-        (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
-        ok = 1;
+    if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) && (verify == 
SSL_CVERIFY_OPTIONAL_NO_CA)) {
         SSL_set_verify_result(ssl, X509_V_OK);
+        // Skip OCSP checks since the CA is optional
+        return 1;
     }
 
     /*
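Review bot: The new early return in the optionalNoCA branch skips OCSP only for a chain that already failed with an error `SSL_VERIFY_ERROR_IS_OPTIONAL` accepts, not for every connection in that mode, and the `//` comment above it should say so before someone reads the changelog's "disable OCSP" and widens it into a blanket skip. Client certificates that do chain to a trusted CA still fall through to the OCSP code below the hunk, which is the behaviour to keep, since a revoked but otherwise trusted certificate should still be rejected. The file uses `/* */` comments (one opens right after the branch), so I would write it as `/* Chain already failed with an "optional" error and optionalNoCA is set: accept it as-is and skip OCSP. Certificates that verified against a trusted CA still reach the OCSP check below. */`. The definition of `SSL_VERIFY_ERROR_IS_OPTIONAL` is not visible in this hunk; if it admits anything beyond unknown-issuer/self-signed style errors, confirm that those cases should also bypass revocation checking. `SSL_callback_SSL_verify` begins before this hunk and its body continues past it.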
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index 7bf5ce428..f57f1bb26 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -31,6 +31,13 @@
   </p>
 </section>
 <section name="Changes in 1.2.39">
+  <changelog>
+    <fix>
+      <bug>67061</bug>: If the insecure optionalNoCA certificate verification
+      mode is used, disable OCSP if enabled else client certificates from
+      unknown certificate authorities will be rejected. (markt)
+    </fix>
+  </changelog>
 </section>
 <section name="Changes in 1.2.38">
   <changelog>

