On 29/06/2021 14:45, Mark Thomas wrote:
> On 29/06/2021 12:29, jean-frederic clere wrote:
>> Hi,
>>
>> It seems certificateVerification="optionalNoCA" only works if OCSP is disabled:
>>
>>               <OpenSSLConf>
>>                 <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
>>               </OpenSSLConf>
>>
>> in <SSLHostConfig/>.
>>
>> Otherwise the OCSP check forces an error because it can't check anything...
>>
>> How to "fix" that? Just document it? Or return OK where we test SSL_CVERIFY_OPTIONAL_NO_CA (https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)?
>
> Hmm.
>
> My expectation is that:
>
> - certificate provided results in OCSP for that cert and the connection
>   fails if the check fails.

certificateVerification="optional" makes the client certificate optional (webapps can still require it if needed).

certificateVerification="optionalNoCA" does the same and additionally should avoid checking the client certificate against the CA. The OCSP check needs to validate the client certificate against the CA, otherwise it prevents the connection from being established, which effectively makes NoCA ignored...

> - no cert, no check
>
> I don't know how practical that is. What does OpenSSL do in those circumstances? Or is it up to the application using the OpenSSL library?

It is up to the application.

Note that with SSLOCSPEnable on, Httpd behaves like Tomcat, but the SSLOCSPEnable default is off. So in Httpd SSLVerifyClient optional_no_ca works by default, while certificateVerification="optionalNoCA" doesn't in Tomcat.

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org



--
Cheers

Jean-Frederic
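One way a webapp can do for itself the check that optionalNoCA skips at the connector, as an added example written for this page (it is not Tomcat or tomcat-native code, and not something the thread proposes): a servlet filter that runs the JDK PKIX validator, with OCSP revocation checking, over the chain Tomcat exposes on the request. It assumes Tomcat 9's javax.servlet API and a PKCS12 trust store; the class name and the init-parameter names trustStore and trustStorePassword are made up for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example for this thread, not Tomcat or tomcat-native code. With
// certificateVerification="optionalNoCA" (plus NO_OCSP_CHECK so the handshake
// completes at all) the connector hands whatever chain the client sent to the
// webapp without validating it against the CA. This filter does the CA and
// OCSP validation in the application instead, using the JDK PKIX validator.
// Assumptions: Tomcat 9 (javax.servlet API) and a PKCS12 trust store whose
// path and password arrive as the hypothetical init-params "trustStore" and
// "trustStorePassword".
public class ClientCertPkixFilter implements Filter {

    // Servlet spec attribute under which Tomcat exposes the client chain,
    // leaf certificate first.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private KeyStore trustStore;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String path = config.getInitParameter("trustStore");
        char[] password = config.getInitParameter("trustStorePassword").toCharArray();
        try (InputStream in = new FileInputStream(path)) {
            trustStore = KeyStore.getInstance("PKCS12");
            trustStore.load(in, password);
        } catch (GeneralSecurityException | IOException e) {
            throw new ServletException("cannot load trust store " + path, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // "no cert, no check": the certificate is optional at the connector;
            // authorization decides whether anonymous access is allowed.
            chain.doFilter(req, res);
            return;
        }
        try {
            validate(certs);
        } catch (GeneralSecurityException e) {
            // Not issued by a trusted CA, revoked, or OCSP status unobtainable:
            // reject, as the connector would with certificateVerification="optional".
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate rejected: " + e.getMessage());
            return;
        }
        chain.doFilter(req, res);
    }

    // PKIX validation of the presented chain against the trust store, with
    // revocation checking via OCSP (responder taken from the certificate's AIA
    // extension, CRL fallback by default). CertPathValidatorException and
    // InvalidAlgorithmParameterException both extend GeneralSecurityException.
    void validate(X509Certificate[] presented) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(presented));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        // Default options hard-fail when revocation status cannot be determined,
        // matching the connector's behaviour with OCSP enabled. Add
        // PKIXRevocationChecker.Option.SOFT_FAIL only if that is acceptable.

        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        params.addCertPathChecker(revocation);
        validator.validate(path, params);
    }
}
```

Map the filter (web.xml or @WebFilter) in front of the URLs that need a verified client. With the NO_OCSP_CHECK OpenSSLConfCmd from the thread the handshake no longer fails, so whether an unverifiable or revoked certificate is accepted is decided here rather than at the connector; the default checker options reproduce, in the application, the hard failure the thread describes when the responder cannot be reached.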
