Hi,
This is an old thread (2021) but relevant to BZ 67061 [1].
In short, optionalNoCA doesn't work unless OCSP is also disabled.
Do we:
a) Always skip the OCSP check if optionalNoCA is used (and document this
for optionalNoCA)?
b) Leave the code unchanged and document that using optionalNoCA also
requires OCSP to be explicitly disabled?
My understanding from the 2021 thread is that we agreed to implement a)
although it looks like that never happened.
Unless there are objections, I intend to implement a) shortly.
Mark
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=67061
On 30/06/2021 15:09, jean-frederic clere wrote:
On 29/06/2021 18:22, Mark Thomas wrote:
On 29/06/2021 15:19, jean-frederic clere wrote:
On 29/06/2021 14:45, Mark Thomas wrote:
On 29/06/2021 12:29, jean-frederic clere wrote:
Hi,
It seems certificateVerification="optionalNoCA" only works if the
OCSP is disabled.
<OpenSSLConf>
<OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
</OpenSSLConf>
In <SSLHostConfig/>
Otherwise the OCSP check forces an error because it can't check
anything...
How to "fix" that? Just document it? Or return OK where we test
SSL_CVERIFY_OPTIONAL_NO_CA
(https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)?
Hmm.
My expectation is that:
- certificate provided results in OCSP for that cert and the connection
fails if the check fails.
certificateVerification="optional" makes the client certificate
optional (required by webapps if needed).
certificateVerification="optionalNoCA" does the same and additionally
should avoid checking the client against the CA.
The OCSP checking needs to validate the client certificate against
the CA, otherwise it will prevent getting the connection, effectively
making NoCA ignored...
Got it. In which case I'll change my expectation to optionalNoCA == no
OCSP check. We should document this.
OK, I will fix the code and document it.
Mark
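For reference, an added server.xml fragment (not from the thread or the Tomcat project) showing the workaround discussed above, option b: optionalNoCA combined with the OpenSSLConfCmd that disables the OCSP check. It assumes the OpenSSL engine (tomcat-native) is in use, since OpenSSLConf is ignored by the pure JSSE implementation; file paths and ports are placeholders.

```xml
<!-- Added example, not from the thread or the Tomcat project. Paths and
     port are placeholders; assumes tomcat-native / OpenSSL is the TLS engine. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="optionalNoCA"
                 caCertificateFile="conf/ca-bundle.pem">
    <!-- Without NO_OCSP_CHECK the OCSP lookup fails for a client
         certificate that does not chain to the configured CA, the
         handshake is rejected, and optionalNoCA is effectively ignored.
         With it, revocation is no longer checked at the TLS layer, so the
         web application must do its own validation of any client cert
         it decides to trust. -->
    <OpenSSLConf>
      <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
    </OpenSSLConf>
    <Certificate certificateKeyFile="conf/server-key.pem"
                 certificateFile="conf/server-cert.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```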
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org