On 29/06/2021 12:29, jean-frederic clere wrote:
> Hi,
> It seems certificateVerification="optionalNoCA" only works if the OCSP
> is disabled.
> <OpenSSLConf>
> <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
> </OpenSSLConf>
> in <SSLHostConfig/>.
> Otherwise the OCSP check forces an error because it can't check anything...
> How to "fix" that? Just document it? Or return OK where we test
> SSL_CVERIFY_OPTIONAL_NO_CA
> (https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)?
Hmm.
My expectation is that:
- certificate provided results in OCSP for that cert and the connection
fails if the check fails.
- no cert, no check
I don't know how practical that is. What does OpenSSL do in those
circumstances? Or is it up to the application using the OpenSSL library?
Mark
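The interaction the thread is about, modelled as an added example: this is not code from tomcat-native's sslutils.c, the type and function names are made up, and the inputs are constructed. It contrasts the behaviour reported above (with OCSP enabled, a check that cannot be performed rejects the connection even under optionalNoCA) with the alternative floated in the quoted message (return OK where SSL_CVERIFY_OPTIONAL_NO_CA is tested), while keeping Mark's "no cert, no check" expectation in both. How a definite "revoked" answer should be treated under optionalNoCA is not settled in the thread; the tolerant variant below assumes it still rejects.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration only: a model of the verify-callback decision the thread
 * discusses. It is not tomcat-native's sslutils.c and the names are made up. */

typedef enum {
    VERIFY_REQUIRED,        /* certificateVerification="required" */
    VERIFY_OPTIONAL,        /* "optional": chain must validate if a cert is sent */
    VERIFY_OPTIONAL_NO_CA   /* "optionalNoCA": untrusted issuer is tolerated */
} verify_mode_t;

typedef enum {
    OCSP_GOOD,         /* responder says the certificate is good */
    OCSP_REVOKED,      /* responder says the certificate is revoked */
    OCSP_UNAVAILABLE   /* no check possible, e.g. issuer certificate unknown */
} ocsp_result_t;

typedef struct {
    bool cert_presented;  /* client sent a certificate */
    bool chain_ok;        /* certificate chains to a trusted CA */
    bool ocsp_enabled;    /* NO_OCSP_CHECK is not set */
    ocsp_result_t ocsp;   /* what an OCSP check would yield (constructed input) */
} client_auth_t;

/* Shared first step: "no cert, no check" plus the per-mode chain policy.
 * Returns 1 = accept, 0 = reject, 2 = continue to the OCSP step. */
static int chain_step(verify_mode_t mode, const client_auth_t *c) {
    if (!c->cert_presented)
        return mode == VERIFY_REQUIRED ? 0 : 1;      /* nothing to check */
    if (!c->chain_ok && mode != VERIFY_OPTIONAL_NO_CA)
        return 0;                                    /* untrusted issuer rejected */
    return c->ocsp_enabled ? 2 : 1;                  /* OCSP disabled: done */
}

/* Behaviour reported in the thread: once OCSP runs, anything other than a
 * GOOD answer rejects, including "could not check" under optionalNoCA. */
bool decide_current(verify_mode_t mode, const client_auth_t *c) {
    int r = chain_step(mode, c);
    if (r != 2) return r == 1;
    return c->ocsp == OCSP_GOOD;
}

/* Alternative floated in the thread, modelled as: under optionalNoCA an OCSP
 * check that cannot be performed is not an error, but a definite "revoked"
 * answer still rejects (that last choice is an assumption, not from the thread). */
bool decide_no_ca_tolerant(verify_mode_t mode, const client_auth_t *c) {
    int r = chain_step(mode, c);
    if (r != 2) return r == 1;
    if (c->ocsp == OCSP_REVOKED) return false;
    if (c->ocsp == OCSP_UNAVAILABLE) return mode == VERIFY_OPTIONAL_NO_CA;
    return true;
}

int main(void) {
    /* Constructed case from the thread: cert sent, issuer unknown, OCSP on. */
    client_auth_t reported = { true, false, true, OCSP_UNAVAILABLE };
    printf("optionalNoCA, OCSP on, issuer unknown: current=%d tolerant=%d\n",
           decide_current(VERIFY_OPTIONAL_NO_CA, &reported),
           decide_no_ca_tolerant(VERIFY_OPTIONAL_NO_CA, &reported));
    return 0;
}
```

The model makes the trade-off visible: the tolerant variant restores optionalNoCA with OCSP enabled, but it only does so by treating "could not check" as a pass, which is exactly the case an operator needs to understand before choosing between changing the code and documenting the limitation.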