This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 087b0cbfc3 Add verify flags to SSLHostConfig
087b0cbfc3 is described below

commit 087b0cbfc3d74cdb31861cde2448f351a1fb4176
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Dec 10 13:48:01 2025 +0000

    Add verify flags to SSLHostConfig
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java            | 11 +++++++++++
 java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java   |  1 +
 java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java   |  2 ++
 .../apache/tomcat/util/net/openssl/panama/OpenSSLContext.java |  7 ++++---
 webapps/docs/changelog.xml                                    |  5 +++++
 webapps/docs/config/http.xml                                  |  8 ++++++++
 6 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 817faa1ad8..ed5fce389d 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -120,6 +120,7 @@ public class SSLHostConfig implements Serializable {
     private boolean ocspEnabled = false;
     private boolean ocspSoftFail = true;
     private int ocspTimeout = 15000;
+    private int ocspVerifyFlags = 0;
     private final Set<String> protocols = new HashSet<>();
     // Values <0 mean use the implementation default
     private int sessionCacheSize = -1;
@@ -594,6 +595,16 @@ public class SSLHostConfig implements Serializable {
     }
 
 
+    public int getOcspVerifyFlags() {
+        return ocspVerifyFlags;
+    }
+
+
+    public void setOcspVerifyFlags(int ocspVerifyFlags) {
+        this.ocspVerifyFlags = ocspVerifyFlags;
+    }
+
+
     public void setProtocols(String input) {
         protocols.clear();
         explicitlyRequestedProtocols.clear();
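Review bot: The new setter is `setOcspVerifyFlags`, so the SSLHostConfig attribute it backs would be `ocspVerifyFlags` (the `setProtocols` setter just below pairs with the `protocols` attribute in http.xml), yet the http.xml hunk in this same commit documents the attribute as `ocspVerify`; one of the two names needs to change, otherwise the documented attribute will not reach this setter. The getter and setter also carry no Javadoc, and the value is a raw OpenSSL flag bitmask whose meaning is not obvious from an `int`. Suggested Javadoc on the setter: `/** Flags passed to OpenSSL's OCSP_basic_verify() when checking OCSP responses. 0 (the default) performs full verification; non-zero OpenSSL OCSP_NO* flags relax those checks and should be set deliberately. Has no effect with a JSSE based TLS implementation. */`.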
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java 
b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
index 9680020f0a..d97ac785fb 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
@@ -25,6 +25,7 @@ public class OpenSSLConfCmd implements Serializable {
     public static final String NO_OCSP_CHECK = "NO_OCSP_CHECK";
     public static final String OCSP_SOFT_FAIL = "OCSP_SOFT_FAIL";
     public static final String OCSP_TIMEOUT = "OCSP_TIMEOUT";
+    public static final String OCSP_VERIFY_FLAGS = "OCSP_VERIFY_FLAGS";
 
     @Serial
     private static final long serialVersionUID = 1L;
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index da0e88734d..9e2d0c7b9d 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -371,6 +371,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                         Boolean.toString(sslHostConfig.getOcspSoftFail())));
                 sslHostConfig.getOpenSslConf().addCmd(new 
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_TIMEOUT,
                         Integer.toString(sslHostConfig.getOcspTimeout())));
+                sslHostConfig.getOpenSslConf().addCmd(new 
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_VERIFY_FLAGS,
+                        Integer.toString(sslHostConfig.getOcspVerifyFlags())));
             }
 
             if (negotiableProtocols != null && !negotiableProtocols.isEmpty()) 
{
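Review bot: The `OCSP_VERIFY_FLAGS` command is queued here without any comment on where it is consumed, and the enclosing block (its opening `if` is above the hunk) gives no hint either. In the panama OpenSSLContext in this same commit the command is explicitly ignored and the value is read straight from `sslHostConfig.getOcspVerifyFlags()`, so for this path it is not visible whether the native side parses `OCSP_VERIFY_FLAGS` or treats it as an unknown command; if it is the latter, the configured flags would be dropped without any error. A short comment on the new `addCmd` line naming the consumer of this command would make that contract checkable.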
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 48f0845b17..9a21564c96 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -363,7 +363,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                     ok = true;
                 } else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT)) {
                     ok = true;
-                } else if (name.equals("OCSP_VERIFY_FLAGS")) {
+                } else if (name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {
                     ok = true;
                 } else {
                     int code = SSL_CONF_cmd_value_type(state.confCtx, 
localArena.allocateFrom(name));
@@ -441,8 +441,8 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                 } else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT)) {
                     // Ignore - Tomcat internal - set directly
                     rc = 1;
-                } else if (name.equals("OCSP_VERIFY_FLAGS")) {
-                    ocspVerifyFlags = Integer.parseInt(value);
+                } else if (name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {
+                    // Ignore - Tomcat internal - set directly
                     rc = 1;
                 } else {
                     rc = SSL_CONF_cmd(state.confCtx, 
localArena.allocateFrom(name), localArena.allocateFrom(value));
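Review bot: The new `OCSP_VERIFY_FLAGS` branch is a verbatim copy of the `OCSP_TIMEOUT` branch directly above it (same comment, same `rc = 1`), and the `@@ -363` hunk of this file does the same with `ok = true`; both chains would read better as one condition, e.g. `} else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT) || name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {`. Since the value now arrives as an `int` via `sslHostConfig.getOcspVerifyFlags()` in the `@@ -573` hunk, dropping the `Integer.parseInt(value)` here is consistent, provided nothing else still routes the flags through this command path expecting them to be applied. The enclosing if/else chain starts and ends outside the hunk.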
@@ -573,6 +573,7 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
             }
             ocspSoftFail = sslHostConfig.getOcspSoftFail();
             ocspTimeout = sslHostConfig.getOcspTimeout();
+            ocspVerifyFlags = sslHostConfig.getOcspVerifyFlags();
 
             // Set int verify_callback(int preverify_ok, X509_STORE_CTX 
*x509_ctx) callback
             SSL_CTX_set_verify(state.sslCtx, value,
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b7bf85fed8..11bb27aa23 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -177,6 +177,11 @@
         Add support for soft failure of OCSP checks with soft failure support
         disabled by default. (markt)
       </add>
+      <add>
+        Add support for configuring the verification flags passed to
+        <code>OCSP_basic_verify</code> when using an OpenSSL based TLS
+        implementation. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Cluster">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index f990a2bb5b..f6394df3fa 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1455,6 +1455,14 @@
       used.</p>
     </attribute>
 
+    <attribute name="ocspVerify" required="false">
+      <p>Configures the verification flags passed to
+      <code>OCSP_basic_verify</code> when using OCSP checks with an OpenSSL
+      based TLS implementation. This attribute has no effect if a JSSE based 
TLS
+      implementation is used.</p>
+      <p>If not specified, the default value of <code>0</code> will be 
used.</p>
+    </attribute>
+
     <attribute name="protocols" required="false">
       <p>The names of the protocols to support when communicating with clients.
       This should be a list of any combination of the following:

