Thu, 20 Jun 2019 at 16:54, <ma...@apache.org>:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
>
> commit 02fcf97f1b2a1db04b7dd674daf6ab3a5f77312e
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Wed Jun 19 18:19:25 2019 +0100
>
>     Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63500
>
>     Correct reference to the X509_STORE being configured
>     Remove calls to X509_STORE_free since a separate store is not allocated
>     for CRLs. It simply re-uses the existing store for the server
>     SSLContext. Trying to close it triggers a JVM crash.
> ---

>          if (!X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)) {
>              ERR_error_string(SSL_ERR_get(), err);
> -            X509_STORE_free(c->crl);
>              c->crl = NULL;
>              tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err);
>              goto cleanup;
>          }
>      }
> -    X509_STORE_set_flags(c->store, X509_V_FLAG_CRL_CHECK | 
> X509_V_FLAG_CRL_CHECK_ALL);
> +    X509_STORE_set_flags(c->crl, X509_V_FLAG_CRL_CHECK | 
> X509_V_FLAG_CRL_CHECK_ALL);
>      rv = JNI_TRUE;
>  cleanup:
>      TCN_FREE_CSTRING(file);
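Review bot: in the error branch shown above, tcn_Throw reports J2S(file) while the lookup in that branch was performed on J2S(path); if both arguments are in scope and can differ, the message should use J2S(path) so the failing argument is the one reported. Dropping `X509_STORE_free(c->crl);` is correct given the store belongs to the SSL_CTX, but a one-line comment next to the remaining `c->crl = NULL;` stating that the store is owned by the context and released with it would keep a future cleanup from reintroducing the free. Moving the X509_STORE_set_flags call from c->store to c->crl is consistent with the rest of this block operating on c->crl.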
> diff --git a/xdocs/miscellaneous/changelog.xml 
> b/xdocs/miscellaneous/changelog.xml
> index 6af4a2e..bd2ea01 100644
> --- a/xdocs/miscellaneous/changelog.xml
> +++ b/xdocs/miscellaneous/changelog.xml
> @@ -45,6 +45,10 @@
>        contains an AIA extension without an OCSP URI. Patch provided by Milind
>        Takawale. (markt)
>      </fix>
> +    <fix>
> +      <bug>63500</bug>: Fix JVM crash on Connector start when a certificate
> +      revocation file or path is specified for OpenSSL. (markt)
> +    </fix>
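Review bot: the new changelog entry states only the symptom; one more clause on the cause (the CRL store is the SSL_CTX's own store and must not be freed separately) would let readers of the changelog relate the entry to the commit message and see why earlier versions crashed. Format and attribution match the preceding <fix> entry.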

1. Good catch. The fix is OK.

Indeed, SSL_CTX_get_cert_store() returns a reference to an existing store.

Documentation:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_cert_store.html

2. It seems that there are two fields c->crl and c->store that point
to the same object,
both initialized as SSL_CTX_get_cert_store(c->ctx).

It is confusing, as here we call
X509_STORE_set_flags(c->crl, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
and elsewhere we call
X509_STORE_set_flags(c->store, 0);

I was wondering whether it causes any problems, and it seems that it is OK.
The set_flags() calls are additive, just or'ing the new flags (and
thus the latter call is a NOOP). So there should not be problems at
runtime.

Documentation:
https://www.openssl.org/docs/manmaster/man3/X509_STORE_set_flags.html
https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html

Best regards,
Konstantin Kolinko
