This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 147ffd530e Add verify flags to SSLHostConfig
147ffd530e is described below
commit 147ffd530eafb80eb0c38caee2f0abe733be3136
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Dec 10 13:48:01 2025 +0000
Add verify flags to SSLHostConfig
---
java/org/apache/tomcat/util/net/SSLHostConfig.java | 11 +++++++++++
java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java | 1 +
java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 2 ++
.../apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 7 ++++---
webapps/docs/changelog.xml | 5 +++++
webapps/docs/config/http.xml | 8 ++++++++
6 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index dea61d9136..e6564ee08e 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -118,6 +118,7 @@ public class SSLHostConfig implements Serializable {
private boolean ocspEnabled = false;
private boolean ocspSoftFail = true;
private int ocspTimeout = 15000;
+ private int ocspVerifyFlags = 0;
private final Set<String> protocols = new HashSet<>();
// Values <0 mean use the implementation default
private int sessionCacheSize = -1;
@@ -649,6 +650,16 @@ public class SSLHostConfig implements Serializable {
}
+ public int getOcspVerifyFlags() {
+ return ocspVerifyFlags;
+ }
+
+
+ public void setOcspVerifyFlags(int ocspVerifyFlags) {
+ this.ocspVerifyFlags = ocspVerifyFlags;
+ }
+
+
public void setProtocols(String input) {
protocols.clear();
explicitlyRequestedProtocols.clear();
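Review bot: The new `setOcspVerifyFlags` does not match the attribute documented in webapps/docs/config/http.xml in this same commit, which is named `ocspVerify`; Tomcat sets SSLHostConfig attributes by introspection on setter names, so the configurable attribute derived from this setter is `ocspVerifyFlags` and one of the two needs to change. The getter and setter also carry no Javadoc saying what the int means; something like `/** Bit mask of verification flags passed to OCSP_basic_verify by the OpenSSL based TLS implementations. Ignored by JSSE. 0 means no flags. */` on the setter would do. Since several of these flags relax parts of the OCSP response verification, the Javadoc should state plainly that a non-zero value can weaken revocation checking so operators do not treat it as a purely cosmetic tuning knob.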
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
index 07e9928227..06c2c55659 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
@@ -24,6 +24,7 @@ public class OpenSSLConfCmd implements Serializable {
public static final String NO_OCSP_CHECK = "NO_OCSP_CHECK";
public static final String OCSP_SOFT_FAIL = "OCSP_SOFT_FAIL";
public static final String OCSP_TIMEOUT = "OCSP_TIMEOUT";
+ public static final String OCSP_VERIFY_FLAGS = "OCSP_VERIFY_FLAGS";
private static final long serialVersionUID = 1L;
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 8bc918bcf8..5b4532f76e 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -391,6 +391,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
Boolean.toString(sslHostConfig.getOcspSoftFail())));
sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_TIMEOUT,
Integer.toString(sslHostConfig.getOcspTimeout())));
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.OCSP_VERIFY_FLAGS,
+ Integer.toString(sslHostConfig.getOcspVerifyFlags())));
}
if (negotiableProtocols != null && !negotiableProtocols.isEmpty())
{
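Review bot: Whether the native side of this path recognizes the `OCSP_VERIFY_FLAGS` command name is not visible here; the Panama implementation in this commit has to special-case it as Tomcat-internal, and unless tomcat-native does the same, the added `addCmd` call will hand an unknown command name to SSL_CONF_cmd when the OpenSSLConf is applied. Worth confirming against the tomcat-native version this branch requires, or documenting the minimum native version next to the new call. The enclosing if-block starts and ends outside the hunk.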
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 48f0845b17..9a21564c96 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -363,7 +363,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
ok = true;
} else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT)) {
ok = true;
- } else if (name.equals("OCSP_VERIFY_FLAGS")) {
+ } else if (name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {
ok = true;
} else {
int code = SSL_CONF_cmd_value_type(state.confCtx,
localArena.allocateFrom(name));
@@ -441,8 +441,8 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
} else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT)) {
// Ignore - Tomcat internal - set directly
rc = 1;
- } else if (name.equals("OCSP_VERIFY_FLAGS")) {
- ocspVerifyFlags = Integer.parseInt(value);
+ } else if (name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {
+ // Ignore - Tomcat internal - set directly
rc = 1;
} else {
rc = SSL_CONF_cmd(state.confCtx,
localArena.allocateFrom(name), localArena.allocateFrom(value));
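Review bot: Replacing `ocspVerifyFlags = Integer.parseInt(value);` with a no-op means a value supplied through an `OpenSSLConfCmd` named `OCSP_VERIFY_FLAGS` is now silently discarded in favour of the SSLHostConfig attribute assigned later in this file, which is a behaviour change if the earlier literal-matched form was ever reachable from server.xml. The handling is consistent with `OCSP_TIMEOUT` above it, but a debug-level log line via the class's existing logger when `value` does not equal `ocspVerifyFlags` would make the ignored directive visible instead of leaving the operator with a configuration that appears to apply but does nothing. The enclosing method starts and ends outside the hunk.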
@@ -573,6 +573,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
ocspSoftFail = sslHostConfig.getOcspSoftFail();
ocspTimeout = sslHostConfig.getOcspTimeout();
+ ocspVerifyFlags = sslHostConfig.getOcspVerifyFlags();
// Set int verify_callback(int preverify_ok, X509_STORE_CTX
*x509_ctx) callback
SSL_CTX_set_verify(state.sslCtx, value,
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 830c641728..5938309a74 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -178,6 +178,11 @@
Add support for soft failure of OCSP checks with soft failure support
disabled by default. (markt)
</add>
+ <add>
+ Add support for configuring the verification flags passed to
+ <code>OCSP_basic_verify</code> when using an OpenSSL based TLS
+ implementation. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Cluster">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index b0e1102163..d7d5a02360 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1588,6 +1588,14 @@
used.</p>
</attribute>
+ <attribute name="ocspVerify" required="false">
+ <p>Configures the verification flags passed to
+ <code>OCSP_basic_verify</code> when using OCSP checks with an OpenSSL
+ based TLS implementation. This attribute has no effect if a JSSE based
TLS
+ implementation is used.</p>
+ <p>If not specified, the default value of <code>0</code> will be
used.</p>
+ </attribute>
+
<attribute name="protocols" required="false">
<p>The names of the protocols to support when communicating with clients.
This should be a list of any combination of the following: