This is an automated email from the ASF dual-hosted git repository.
dsoumis pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.3.x by this push:
new 402bc8e3a Correctly handle optionalNoCA verification
402bc8e3a is described below
commit 402bc8e3a589b3d16805e5fa75775cd7a3962cd3
Author: dsoumis <[email protected]>
AuthorDate: Thu Oct 9 20:45:40 2025 +0300
Correctly handle optionalNoCA verification
The existing logic to approve optionalNoCA connections only checked if
errnum was one of the known optional errors defined in the
SSL_VERIFY_ERROR_IS_OPTIONAL macro. It did not account for the case where the
error code was X509_V_OK. As a result, the condition was not met, and the
function incorrectly proceeded as if the handshake had failed, causing the
connection to be rejected.
---
native/src/sslutils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index d03fb491f..3b4a6155d 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -333,7 +333,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
return 1;
}
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) && (verify ==
SSL_CVERIFY_OPTIONAL_NO_CA)) {
+ if ((SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) || errnum == X509_V_OK) &&
(verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
SSL_set_verify_result(ssl, X509_V_OK);
// Skip OCSP checks since the CA is optional
return 1;
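Review bot: With `errnum == X509_V_OK` now folded into this branch, the early `return 1` also bypasses the OCSP check for a chain that validated cleanly, and the comment "Skip OCSP checks since the CA is optional" no longer justifies that case: when the peer presented a certificate that chained to a configured CA, the revocation check is still meaningful. Consider keeping the early return only for the `SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)` case and letting the `X509_V_OK` case fall through to whatever normal path follows the hunk, or, if skipping OCSP for a verified chain in `SSL_CVERIFY_OPTIONAL_NO_CA` mode is intended, say so in the comment. Minor: in the `X509_V_OK` case `SSL_set_verify_result(ssl, X509_V_OK)` is a no-op, which is another hint that the two cases want separate handling.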
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]