This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch 1.2.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.2.x by this push:
new 193c4e504 BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently
set undocumented default verify paths
193c4e504 is described below
commit 193c4e504fc10f74737b062ddd1b34f54f38a268
Author: Michael Osipov <[email protected]>
AuthorDate: Wed Oct 18 22:22:06 2023 +0200
BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently set undocumented
default verify paths
---
native/src/ssl.c | 11 ++---------
native/src/sslcontext.c | 12 +++---------
xdocs/miscellaneous/changelog.xml | 4 ++++
3 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/native/src/ssl.c b/native/src/ssl.c
index 31493e74f..ff716091f 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -1894,15 +1894,8 @@ TCN_IMPLEMENT_CALL(void, SSL, setVerify)(TCN_STDARGS,
jlong ssl,
if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
(c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
verify |= SSL_VERIFY_PEER;
- if (!c->store) {
- if (SSL_CTX_set_default_verify_paths(c->ctx)) {
- c->store = SSL_CTX_get_cert_store(c->ctx);
- X509_STORE_set_flags(c->store, 0);
- }
- else {
- /* XXX: See if this is fatal */
- }
- }
+ if (!c->store)
+ c->store = SSL_CTX_get_cert_store(c->ctx);
SSL_set_verify(ssl_, verify, SSL_callback_SSL_verify);
}
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 646577e72..36cf11ed0 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -36,6 +36,7 @@ static apr_status_t ssl_context_cleanup(void *data)
if (c) {
int i;
c->crl = NULL;
+ c->store = NULL;
if (c->ctx)
SSL_CTX_free(c->ctx);
c->ctx = NULL;
@@ -968,15 +969,8 @@ TCN_IMPLEMENT_CALL(void, SSLContext,
setVerify)(TCN_STDARGS, jlong ctx,
if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
(c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
verify |= SSL_VERIFY_PEER;
- if (!c->store) {
- if (SSL_CTX_set_default_verify_paths(c->ctx)) {
- c->store = SSL_CTX_get_cert_store(c->ctx);
- X509_STORE_set_flags(c->store, 0);
- }
- else {
- /* XXX: See if this is fatal */
- }
- }
+ if (!c->store)
+ c->store = SSL_CTX_get_cert_store(c->ctx);
SSL_CTX_set_verify(c->ctx, verify, SSL_callback_SSL_verify);
}
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index a7462ec00..cac6e1b2d 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -44,6 +44,10 @@
<update>
Remove an unreachable if condition around CRLs in sslcontext.c.
(michaelo)
</update>
+ <fix>
+ <bug>67818</bug>:
<code>SSL.setVerify()</code>/<code>SSLContext.setVerify()</code>
+ silently set undocumented default verify paths. (michaelo)
+ </fix>
</changelog>
</section>
<section name="Changes in 1.2.39">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
