This is an automated email from the ASF dual-hosted git repository.
dsoumis pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new 9df4e39c6 Correctly handle optionalNoCA verification
9df4e39c6 is described below
commit 9df4e39c62577e513320cdf5554f3fae8b32341f
Author: Dimitrios Soumis <[email protected]>
AuthorDate: Thu Oct 9 22:43:44 2025 +0300
Correctly handle optionalNoCA verification
The existing logic to approve optionalNoCA connections only checked if
errnum was one of the known optional errors defined in the
SSL_VERIFY_ERROR_IS_OPTIONAL macro. It did not account for the case where the
error code was X509_V_OK. As a result, the condition was not met, and the
function incorrectly proceeded as if the handshake had failed, causing the
connection to be rejected.
---
native/src/sslutils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 5052c5e7a..32724494c 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -313,7 +313,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
return 1;
}
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) && (verify ==
SSL_CVERIFY_OPTIONAL_NO_CA)) {
+ if ((SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) || errnum == X509_V_OK) &&
(verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
SSL_set_verify_result(ssl, X509_V_OK);
// Skip OCSP checks since the CA is optional
return 1;
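Review bot: adding `errnum == X509_V_OK` to this early-return branch also routes a certificate that verified cleanly against a configured CA past the OCSP check, since the `return 1` after `SSL_set_verify_result(ssl, X509_V_OK)` is reached before whatever revocation check follows this block; the comment `// Skip OCSP checks since the CA is optional` explains the skip only for the `SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)` case and no longer matches the `X509_V_OK` case. If the intent is only to stop a validly-chained certificate from being treated as a failed handshake under `SSL_CVERIFY_OPTIONAL_NO_CA`, consider handling `X509_V_OK` separately so that it falls through to the normal OCSP path rather than sharing the skip, or, if skipping revocation checks for all optionalNoCA connections is the intended behaviour, say so in the comment and in the commit message so the weaker check is a documented decision.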
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]