This is an automated email from the ASF dual-hosted git repository. dsoumis pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 395ac084f983db7dd67d120b56fbc7878ada89dc
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Oct 7 16:40:36 2025 +0300
CAs may not issue CRLs.
---
 .../apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java | 3 +++
 java/org/apache/tomcat/util/openssl/openssl_h.java | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index c70521f00a..c82bf69247 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1138,6 +1138,9 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 ok = 1;
 openssl_h_Compatibility.SSL_set_verify_result(state.ssl, X509_V_OK());
 }
+ if (ok == 0 && errnum == X509_V_ERR_UNABLE_TO_GET_CRL()) {
+ ok = 1;
+ }
 /*
 * Expired certificates vs. "expired" CRLs: by default, OpenSSL turns X509_V_ERR_CRL_HAS_EXPIRED into a
 * "certificate_expired(45)" SSL alert, but that's not really the message we should convey to the peer (at
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h.java b/java/org/apache/tomcat/util/openssl/openssl_h.java
index 0c2465b633..ac9858e422 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h.java
@@ -226,6 +226,16 @@ public class openssl_h {
 return X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
 }

+ private static final int X509_V_ERR_UNABLE_TO_GET_CRL = (int) 3L;
+
+ /**
+ * {@snippet lang = c : * #define X509_V_ERR_UNABLE_TO_GET_CRL 3
+ * }
+ */
+ public static int X509_V_ERR_UNABLE_TO_GET_CRL() {
+ return X509_V_ERR_UNABLE_TO_GET_CRL;
+ }
+
 private static final int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = (int) 20L;

 /**
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
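Review bot: In OpenSSLEngine.java the added branch sets `ok = 1` for every `X509_V_ERR_UNABLE_TO_GET_CRL`, which makes revocation checking fail open: a peer certificate whose issuer has no CRL in the configured store is accepted with no revocation check and nothing recorded. That covers CAs that publish no CRL, as the commit title intends, but equally a CRL that is merely absent from the deployment, so an operator who enabled CRL checking cannot tell the two apart. I would gate the override on an explicit setting or at least log it, and put the intent above the branch, e.g. `// Soft-fail: no CRL found for this issuer, so revocation is not checked for this certificate.` Unlike the branch just above, this one does not call `SSL_set_verify_result(state.ssl, X509_V_OK())`, so the stored verify result presumably still carries the CRL error; the rest of the callback is outside the hunk, so confirm nothing later reads it.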
