This is an automated email from the ASF dual-hosted git repository.

dsoumis pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit b74842bed4043430dcb57f1ce88f52445b8a90f2
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Oct 7 16:40:36 2025 +0300

    CAs may not issue CRLs.
---
 .../apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java   |  3 +++
 java/org/apache/tomcat/util/openssl/openssl_h.java             | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 0b602c0d17..0af07e3860 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1138,6 +1138,9 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
                 ok = 1;
                 openssl_h_Compatibility.SSL_set_verify_result(state.ssl, 
X509_V_OK());
             }
+            if (ok == 0 && errnum == X509_V_ERR_UNABLE_TO_GET_CRL()) {
+                ok = 1;
+            }
             /*
              * Expired certificates vs. "expired" CRLs: by default, OpenSSL 
turns X509_V_ERR_CRL_HAS_EXPIRED into a
              * "certificate_expired(45)" SSL alert, but that's not really the 
message we should convey to the peer (at
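Review bot: The new branch accepts X509_V_ERR_UNABLE_TO_GET_CRL silently and without mirroring the preceding branch, which pairs `ok = 1` with `openssl_h_Compatibility.SSL_set_verify_result(state.ssl, X509_V_OK());`; as written, the handshake proceeds while the stored verify result may still carry the CRL error if anything later consults it — presumably worth adding the same call inside the new block, or a comment saying why it is deliberately omitted. Because this turns a missing CRL into a soft-fail for revocation checking, the block should also carry a why-comment such as `// CAs are not required to publish CRLs; a missing CRL is treated as a soft-fail rather than rejecting the chain` and, if a logger is in scope here, a debug-level log of the accepted error so operators can see when revocation status was not actually checked. The check does not appear to distinguish the depth at which the CRL was missing; if depth is available in this callback, consider whether the leaf and the CAs should be treated the same. The enclosing verify callback starts and ends outside the hunk, so I cannot tell whether `errnum` is consulted again below the expired-CRL block.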
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h.java 
b/java/org/apache/tomcat/util/openssl/openssl_h.java
index 0c2465b633..ac9858e422 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h.java
@@ -226,6 +226,16 @@ public class openssl_h {
         return X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
     }
 
+    private static final int X509_V_ERR_UNABLE_TO_GET_CRL = (int) 3L;
+
+    /**
+     * {@snippet lang = c : * #define X509_V_ERR_UNABLE_TO_GET_CRL 3
+     * }
+     */
+    public static int X509_V_ERR_UNABLE_TO_GET_CRL() {
+        return X509_V_ERR_UNABLE_TO_GET_CRL;
+    }
+
     private static final int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 
(int) 20L;
 
     /**

