This is an automated email from the ASF dual-hosted git repository. jfclere pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/master by this push: new be9fa30 Allow to bypass the OCSP responder check like SSLOCSPEnable to use it in <SSLHostConfig/> add: <OpenSSLConf> <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" /> </OpenSSLConf> Note that a not responding OCSP responder is now handled as an error. be9fa30 is described below commit be9fa3017d0daed7a6722f095d2223bfbeeac915 Author: Jean-Frederic Clere <jfcl...@gmail.com> AuthorDate: Fri May 22 10:01:26 2020 +0200 Allow to bypass the OCSP responder check like SSLOCSPEnable to use it in <SSLHostConfig/> add: <OpenSSLConf> <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" /> </OpenSSLConf> Note that a not responding OCSP responder is now handled as an error.
---
native/include/ssl_private.h | 2 ++ native/src/sslconf.c | 19 +++++++++++++++++++ native/src/sslutils.c | 41 ++++++++++++++++++++++------------------- 3 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 26495e4..125d6b7 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -318,6 +318,7 @@ struct tcn_ssl_ctxt_t {
 unsigned int alpn_proto_len;
 int alpn_selector_failure_behavior;
 /* End add from netty-tcnative */
+ int no_ocsp_check;
 };
 #ifdef HAVE_SSL_CONF_CMD
@@ -326,6 +327,7 @@ typedef struct tcn_ssl_conf_ctxt_t tcn_ssl_conf_ctxt_t;
 struct tcn_ssl_conf_ctxt_t {
 apr_pool_t *pool;
 SSL_CONF_CTX *cctx;
+ int no_ocsp_check;
 };
 #endif
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index e881bfb..e2ece6f 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -155,6 +155,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, jlong cctx,
 tcn_Throw(e, "Can not check null SSL_CONF command");
 return SSL_THROW_RETURN;
 }
+ if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
+ if (!strcasecmp(J2S(value), "false"))
+ c->no_ocsp_check = 0;
+ else
+ c->no_ocsp_check = 1;
+ TCN_FREE_CSTRING(cmd);
+ TCN_FREE_CSTRING(value);
+ return 1;
+ }
 SSL_ERR_clear();
 value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
@@ -209,6 +218,7 @@ TCN_IMPLEMENT_CALL(void, SSLConf, assign)(TCN_STDARGS, jlong cctx,
 TCN_ASSERT(sc != 0); // sc->ctx == 0 is allowed!
 SSL_CONF_CTX_set_ssl_ctx(c->cctx, sc->ctx);
+ sc->no_ocsp_check = c->no_ocsp_check;
 }
 /* Apply a command to an SSL_CONF context */
@@ -248,6 +258,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, jlong cctx,
 buf[len - 1] = '\0';
 }
 #endif
+ if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
+ if (!strcasecmp(J2S(value), "false"))
+ c->no_ocsp_check = 0;
+ else
+ c->no_ocsp_check = 1;
+ TCN_FREE_CSTRING(cmd);
+ TCN_FREE_CSTRING(value);
+ return 1;
+ }
 SSL_ERR_clear();
 rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
 ec = SSL_ERR_get();
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index aa0d68c..0896429 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -312,7 +312,6 @@ int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
 * does client authentication and verifies the certificate chain.
 */
-
 int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
 {
 /* Get Apache context back through OpenSSL context */
@@ -324,6 +323,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
 int errdepth = X509_STORE_CTX_get_error_depth(ctx);
 int verify = con->ctx->verify_mode;
 int depth = con->ctx->verify_depth;
+ int ocsp_check_type = con->ctx->no_ocsp_check;
 #if defined(SSL_OP_NO_TLSv1_3)
 con->pha_state = PHA_COMPLETE;
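Review bot: Any value other than the literal "false" — "0", "no", "off", an empty string, or a typo such as "fasle" — switches the bypass on, because the new branch in `check` only tests for "false" and otherwise sets `c->no_ocsp_check = 1`; a setting that disables revocation checking should fail closed and accept nothing but an explicit "true" or "false". The same parsing is repeated verbatim in the `apply` hunk below, so a small static helper used by both call sites would keep the two in step and give one place to tighten the rule. If `value` can arrive as a null jstring (the only null check visible above is on `cmd`), `strcasecmp(J2S(value), "false")` would also dereference a null pointer — I cannot see the J2S/TCN_ALLOC_CSTRING definitions here, so please confirm. `check`'s body starts before and ends after this hunk.
```c
/* Parse a NO_OCSP_CHECK value into *out. Only "true"/"false"
 * (case-insensitive) are accepted; anything else returns 0 so a typo
 * cannot silently disable revocation checking. */
static int tcn_parse_no_ocsp_check(const char *value, int *out)
{
    if (value == NULL)
        return 0;
    if (!strcasecmp(value, "true"))
        *out = 1;
    else if (!strcasecmp(value, "false"))
        *out = 0;
    else
        return 0;
    return 1;
}

/* … unchanged: check() prologue and null-cmd check … */
    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
        int parsed = tcn_parse_no_ocsp_check(J2S(value), &c->no_ocsp_check);
        TCN_FREE_CSTRING(cmd);
        TCN_FREE_CSTRING(value);
        if (!parsed) {
            tcn_Throw(e, "NO_OCSP_CHECK value must be \"true\" or \"false\"");
            return SSL_THROW_RETURN;
        }
        return 1;
    }
```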
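Review bot: The copy `sc->no_ocsp_check = c->no_ocsp_check;` happens at assign time, and since `SSL_CONF_CTX_set_ssl_ctx` has to precede the `SSL_CONF_cmd` calls that `apply` makes, a NO_OCSP_CHECK command that is first seen by `apply` (the hunk below) updates `c->no_ocsp_check` after the copy and never reaches the `tcn_ssl_ctxt_t` that `SSL_callback_SSL_verify` reads. As far as I can tell from this diff it works only because `check` also writes the flag, and only if `check` and `apply` are run against the same conf context — that ordering dependency deserves at least a comment here, e.g. `/* NO_OCSP_CHECK must have been seen by check() before assign(); apply() runs too late to update sc. */`. A more robust option is to keep a pointer to the `tcn_ssl_ctxt_t` in `tcn_ssl_conf_ctxt_t` and write `sc->no_ocsp_check` directly from `apply`, or to perform the copy in whichever step runs after the commands are applied. `assign` begins before this hunk.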
@@ -358,25 +358,28 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
 #ifdef HAVE_OCSP_STAPLING
 /* First perform OCSP validation if possible */
- if (ok) {
- /* If there was an optional verification error, it's not
- * possible to perform OCSP validation since the issuer may be
- * missing/untrusted. Fail in that case.
- */
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
- errnum = X509_V_ERR_APPLICATION_VERIFICATION;
- ok = 0;
- }
- else {
- int ocsp_response = ssl_verify_OCSP(ctx);
- if (ocsp_response == OCSP_STATUS_REVOKED) {
- ok = 0 ;
- errnum = X509_STORE_CTX_get_error(ctx);
+ if (ocsp_check_type == 0) {
+ if (ok) {
+ /* If there was an optional verification error, it's not
+ * possible to perform OCSP validation since the issuer may be
+ * missing/untrusted. Fail in that case.
+ */
+ if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ errnum = X509_V_ERR_APPLICATION_VERIFICATION;
+ ok = 0;
 }
- else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
- /* TODO: do nothing for time being */
- ;
+ else {
+ int ocsp_response = ssl_verify_OCSP(ctx);
+ if (ocsp_response == OCSP_STATUS_REVOKED) {
+ ok = 0 ;
+ errnum = X509_STORE_CTX_get_error(ctx);
+ }
+ else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
+ errnum = X509_STORE_CTX_get_error(ctx);
+ if (errnum)
+ ok = 0 ;
+ }
 }
 }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
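Review bot: The new OCSP_STATUS_UNKNOWN branch only fails the handshake when `X509_STORE_CTX_get_error(ctx)` is already non-zero, so the "a not responding OCSP responder is now handled as an error" behaviour in the commit message holds only if `ssl_verify_OCSP` (not in this diff) sets a store error before returning UNKNOWN — if it returns UNKNOWN without doing so, an unreachable responder still passes verification silently, exactly the open-fail the commit says it removes. Setting the error here unconditionally, `X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION); errnum = X509_V_ERR_APPLICATION_VERIFICATION; ok = 0;`, would make the callback fail closed independently of the helper, mirroring the optional-error branch a few lines above. On style, `ocsp_check_type == 0` reads like an enum test for what is a boolean flag; `if (!con->ctx->no_ocsp_check)` or naming the local `ocsp_bypass` says what is meant, and a one-line comment that the bypass skips only the revocation lookup while the chain result in `ok`/`errnum` still applies would help the next reader. `SSL_callback_SSL_verify` continues past the end of this hunk.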