This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2c999ef1f758de3978842b020c45eec32b67d08a Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Nov 4 14:26:43 2019 +0000 OpenSSLEngine to differentiate between optional and optionalNoCA Patch by remm
--- .../apache/tomcat/util/net/openssl/OpenSSLContext.java | 5 ++++- .../apache/tomcat/util/net/openssl/OpenSSLEngine.java | 18 ++++++++++++++---- webapps/docs/changelog.xml | 6 ++++++ 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index fd8fc5c..81b2369 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -49,6 +49,7 @@ import org.apache.tomcat.jni.SSLContext;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.apache.tomcat.util.res.StringManager;
@@ -489,7 +490,9 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 @Override
 public SSLEngine createSSLEngine() {
 return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
- (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized);
+ (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized,
+ sslHostConfig.getCertificateVerificationDepth(),
+ sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA);
 }
 @Override
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 7ae6fe8..ede30a8 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -165,6 +165,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 private final OpenSSLSessionContext sessionContext;
 private final boolean alpn;
 private final boolean initialized;
+ private final int certificateVerificationDepth;
+ private final boolean certificateVerificationOptionalNoCA;
 private String selectedProtocol = null;
@@ -183,10 +185,14 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 * otherwise
 * @param initialized {@code true} if this instance gets its protocol,
 * cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
+ * @param certificateVerificationDepth Certificate verification depth
+ * @param certificateVerificationOptionalNoCA Skip CA verification in
+ * optional mode
 */
 OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol, boolean clientMode,
 OpenSSLSessionContext sessionContext, boolean alpn,
- boolean initialized) {
+ boolean initialized, int certificateVerificationDepth,
+ boolean certificateVerificationOptionalNoCA) {
 if (sslCtx == 0) {
 throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
 }
@@ -200,6 +206,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 this.sessionContext = sessionContext;
 this.alpn = alpn;
 this.initialized = initialized;
+ this.certificateVerificationDepth = certificateVerificationDepth;
+ this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
 }
 @Override
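Review bot: The Javadoc added for the two new constructor parameters does not say what the values do to the handshake, which matters because `certificateVerificationOptionalNoCA` weakens client certificate verification. I would write `@param certificateVerificationDepth Maximum client certificate chain length passed to {@code SSL.setVerify}` and `@param certificateVerificationOptionalNoCA {@code true} to use {@code SSL_CVERIFY_OPTIONAL_NO_CA} instead of {@code SSL_CVERIFY_OPTIONAL} when the engine is in optional client-auth mode; a presented certificate is then accepted without chaining to a trusted CA and must be validated by the application` (this reads the existing "Skip CA verification" wording as the tcnative semantics; worth confirming against tcnative). The constructor rejects `sslCtx == 0` but accepts any depth; if SSLHostConfig does not already reject negative values, a matching `if (certificateVerificationDepth < 0) throw new IllegalArgumentException(...)` would surface a misconfiguration at construction rather than as an opaque handshake failure. Both the Javadoc block and the constructor body extend beyond this hunk.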
@@ -1092,13 +1100,15 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 }
 switch (mode) {
 case NONE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, certificateVerificationDepth);
 break;
 case REQUIRE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, certificateVerificationDepth);
 break;
 case OPTIONAL:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, VERIFY_DEPTH);
+ SSL.setVerify(ssl,
+ certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL,
+ certificateVerificationDepth);
 break;
 }
 clientAuth = mode;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6562e55..75e11fc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -109,6 +109,12 @@
 Move connection tracking to the endpoint, since it requires far fewer operations. (remm)
 </fix>
+ <fix>
+ <bug>63894</bug>: Ensure that the configured values for
+ <code>certificateVerification</code> and
+ <code>certificateVerificationDepth</code> are correctly based to the
+ OpenSSL based SSLEngine implementation. (remm)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Web applications">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
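Review bot: In the `case OPTIONAL` branch, selecting `SSL.SSL_CVERIFY_OPTIONAL_NO_CA` means a client certificate that does not chain to a trusted CA is accepted for the handshake, so any code that later reads the peer certificate from this engine must not treat it as authenticated; that caveat belongs on the new line, e.g. `// optionalNoCA: the peer certificate is accepted without chaining to a trusted CA and must be validated by the application`. The switch has no `default` branch, so if the client-auth enum ever gains a value the engine would silently leave the previous verify mode in place while still recording `clientAuth = mode`; a `default: throw new IllegalStateException(...)` would make that explicit, though the enum definition is not visible here. The enclosing method begins before this hunk.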