Author: mturk
Date: Fri Feb 24 07:58:26 2012
New Revision: 1293122

URL: http://svn.apache.org/viewvc?rev=1293122&view=rev
Log:
Apply additional security check from mod_ssl

Modified:
    tomcat/native/branches/1.1.x/native/src/sslutils.c

Modified: tomcat/native/branches/1.1.x/native/src/sslutils.c
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/src/sslutils.c?rev=1293122&r1=1293121&r2=1293122&view=diff
==============================================================================
--- tomcat/native/branches/1.1.x/native/src/sslutils.c (original)
+++ tomcat/native/branches/1.1.x/native/src/sslutils.c Fri Feb 24 07:58:26 2012
@@ -665,17 +665,28 @@ int SSL_callback_SSL_verify(int ok, X509
 #if HAS_OCSP_ENABLED
     /* First perform OCSP validation if possible */
     if(ok) {
-        int ocsp_response = ssl_verify_OCSP(ok, ctx);
-        if (ocsp_response == OCSP_STATUS_OK ) {
-            skip_crl = 1; /* we know it is valid we skip crl evaluation */
-        }
-        else if(ocsp_response == OCSP_STATUS_REVOKED ) {
-            ok = 0 ;
-            errnum = X509_STORE_CTX_get_error(ctx);
+        /* If there was an optional verification error, it's not
+         * possible to perform OCSP validation since the issuer may be
+         * missing/untrusted.  Fail in that case.
+         */
+        if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+            errnum = X509_V_ERR_APPLICATION_VERIFICATION;
+            ok = 0;
         }
-        else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
-            /* TODO: do nothing for time being, continue with CRL */
-            ;
+        else {
+            int ocsp_response = ssl_verify_OCSP(ok, ctx);
+            if (ocsp_response == OCSP_STATUS_OK ) {
+                skip_crl = 1; /* we know it is valid we skip crl evaluation */
+            }
+            else if(ocsp_response == OCSP_STATUS_REVOKED ) {
+                ok = 0 ;
+                errnum = X509_STORE_CTX_get_error(ctx);
+            }
+            else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
+                /* TODO: do nothing for time being, continue with CRL */
+                ;
+            }
         }
     }
 #endif
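Review bot: The optional-error branch (the `SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)` case) overwrites `errnum` with `X509_V_ERR_APPLICATION_VERIFICATION`, so the original verification error that made OCSP impossible (the reason the issuer was missing or untrusted) is no longer available to whatever reports `errnum` later in `SSL_callback_SSL_verify`; capturing it first, e.g. `int orig_errnum = errnum; /* kept for diagnostics */`, or noting the masking in the block comment would help operators understand why a handshake was rejected. Separately, the `OCSP_STATUS_UNKNOWN` branch is still an empty statement under a TODO, and it leaves `skip_crl` unset so evaluation continues to the CRL step; if CRL checking is not configured, an unknown OCSP result presumably ends in acceptance, which is worth stating in the comment, e.g. `/* OCSP could not decide; the certificate is only rejected here if CRL evaluation below rejects it */`. The enclosing function starts and ends outside the hunk, so where `errnum` and `skip_crl` are consumed cannot be confirmed from here.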


