This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new d46672055c Replace CVE-2017-15698 test
d46672055c is described below

commit d46672055c88cf3fd2c8d653c2d44a7c4270772a
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Dec 10 11:27:52 2025 +0000

    Replace CVE-2017-15698 test
---
 .../tomcat/security/TestSecurity2017Ocsp.java      |  96 +++++++++++++++++++++
 test/org/apache/tomcat/util/net/TesterSupport.java |   1 +
 test/org/apache/tomcat/util/net/index.db           |   1 +
 test/org/apache/tomcat/util/net/user3-crl-long.jks | Bin 0 -> 3035 bytes
 4 files changed, 98 insertions(+)

diff --git a/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java 
b/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
new file mode 100644
index 0000000000..516839dfec
--- /dev/null
+++ b/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
@@ -0,0 +1,96 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.security;
+
+import java.io.IOException;
+
+import javax.net.ssl.SSLHandshakeException;
+
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.TesterSupport;
+import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
+import org.apache.tomcat.util.net.ocsp.OcspBaseTest;
+import org.apache.tomcat.util.net.ocsp.TesterOcspResponder;
+
+@RunWith(Parameterized.class)
+public class TestSecurity2017Ocsp extends OcspBaseTest {
+
+    private static TesterOcspResponder ocspResponder;
+
+    @BeforeClass
+    public static void startOcspResponder() throws IOException {
+        ocspResponder = new TesterOcspResponder();
+        ocspResponder.start();
+    }
+
+
+    @AfterClass
+    public static void stopOcspResponder() {
+        ocspResponder.stop();
+        ocspResponder = null;
+    }
+
+
+    /*
+     * In addition to testing Tomcat Native (where the CVE occurred), this 
also tests JSSE and OpenSSl via FFM.
+     */
+    @Test(expected=SSLHandshakeException.class)
+    public void testCVE_2017_15698() throws Exception {
+
+        Tomcat tomcat = getTomcatInstance();
+
+        // No file system docBase required
+        Context ctx = tomcat.addContext("", null);
+
+        Tomcat.addServlet(ctx, "simple", new SimpleServlet());
+        ctx.addServletMappingDecoded("/simple", "simple");
+
+        // User a valid (non-revoked) server certificate
+        TesterSupport.initSsl(tomcat, TesterSupport.LOCALHOST_RSA_JKS, 
useOpenSSLTrust);
+
+        // Require client certificates and enable verification
+        SSLHostConfig sslHostConfig = 
tomcat.getConnector().findSslHostConfigs()[0];
+        sslHostConfig.setOcspEnabled(true);
+        sslHostConfig.setCertificateVerification("required");
+
+        // Configure a revoked client certificate with a long AIA
+        // Don't verify the server certificate
+        TesterSupport.configureClientSsl(false, 
TesterSupport.CLIENT_CRL_LONG_JKS);
+
+        // Disable soft-fail
+        sslHostConfig.setOcspSoftFail(false);
+
+        tomcat.start();
+
+        int rc = getUrl("https://localhost:"; + getPort() + "/simple", new 
ByteChunk(), false);
+
+        // If the TLS handshake fails, the test won't get this far.
+        Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+    }
+}
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java 
b/test/org/apache/tomcat/util/net/TesterSupport.java
index ba1a514a52..383d8f4064 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -104,6 +104,7 @@ public final class TesterSupport {
     public static final String OCSP_RESPONDER_RSA_KEY = SSL_DIR + 
"ocsp-responder-rsa-key.pem";
     public static final String LOCALHOST_CRL_RSA_JKS = SSL_DIR + 
"localhost-crl-rsa.jks";
     public static final String CLIENT_CRL_JKS = SSL_DIR + "user2-crl.jks";
+    public static final String CLIENT_CRL_LONG_JKS = SSL_DIR + 
"user3-crl-long.jks";
     public static final boolean TLSV13_AVAILABLE;
 
     public static final String ROLE = "testrole";
diff --git a/test/org/apache/tomcat/util/net/index.db 
b/test/org/apache/tomcat/util/net/index.db
index eb521a4242..f873a5341d 100644
--- a/test/org/apache/tomcat/util/net/index.db
+++ b/test/org/apache/tomcat/util/net/index.db
@@ -4,3 +4,4 @@ V       271205191331Z           1002    unknown 
/C=US/ST=DE/L=Wilmington/O=The Apache Software Fou
 R      271205191335Z   251205192924Z   1003    unknown 
/C=US/ST=DE/L=Wilmington/O=The Apache Software Foundation/OU=Apache Tomcat 
PMC/CN=user2
 V      271205191540Z           1004    unknown /C=US/ST=DE/L=Wilmington/O=The 
Apache Software Foundation/OU=Apache Tomcat PMC/CN=localhost
 V      271205193355Z           1005    unknown /C=US/ST=DE/L=Wilmington/O=The 
Apache Software Foundation/OU=Apache Tomcat PMC/CN=OCSP Responder
+R      271210104820Z   251210105017Z   1006    unknown 
/C=US/ST=DE/L=Wilmington/O=The Apache Software Foundation/OU=Apache Tomcat 
PMC/CN=user3
diff --git a/test/org/apache/tomcat/util/net/user3-crl-long.jks 
b/test/org/apache/tomcat/util/net/user3-crl-long.jks
new file mode 100644
index 0000000000..be14f575cb
Binary files /dev/null and b/test/org/apache/tomcat/util/net/user3-crl-long.jks 
differ

