Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/11/04 14:45:43 UTC
[tomcat] 03/03: OpenSSLEngine to differentiate between optional and
optionalNoCA
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 0a986a161726dcbef236cd2f8cbc3ba804275b54
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 4 14:26:43 2019 +0000
OpenSSLEngine to differentiate between optional and optionalNoCA
Patch by remm
---
.../apache/tomcat/util/net/openssl/OpenSSLContext.java | 5 ++++-
.../apache/tomcat/util/net/openssl/OpenSSLEngine.java | 18 ++++++++++++++----
webapps/docs/changelog.xml | 6 ++++++
3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index 5cf17be..19bc06b 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -49,6 +49,7 @@ import org.apache.tomcat.util.codec.binary.Base64;
import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.Constants;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
import org.apache.tomcat.util.res.StringManager;
@@ -498,7 +499,9 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
@Override
public SSLEngine createSSLEngine() {
return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
- (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized);
+ (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized,
+ sslHostConfig.getCertificateVerificationDepth(),
+ sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA);
}
@Override
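Review bot: The context collapses `sslHostConfig.getCertificateVerification()` to a single boolean before handing it to the engine, so only the OPTIONAL_NO_CA distinction crosses the constructor boundary and any future verification mode would need yet another flag. Passing the `CertificateVerification` value itself and letting `OpenSSLEngine` map it to the `SSL.SSL_CVERIFY_*` constants would keep that mapping in one place next to the existing switch on the client-auth mode. This is a style point; the argument list as written is correct. The `sslHostConfig` field is not visible in this hunk, so I assume it is the host config this context was built from.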
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 7ae6fe8..ede30a8 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -165,6 +165,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
private final OpenSSLSessionContext sessionContext;
private final boolean alpn;
private final boolean initialized;
+ private final int certificateVerificationDepth;
+ private final boolean certificateVerificationOptionalNoCA;
private String selectedProtocol = null;
@@ -183,10 +185,14 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
* otherwise
* @param initialized {@code true} if this instance gets its protocol,
* cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
+ * @param certificateVerificationDepth Certificate verification depth
+ * @param certificateVerificationOptionalNoCA Skip CA verification in
+ * optional mode
*/
OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn,
- boolean initialized) {
+ boolean initialized, int certificateVerificationDepth,
+ boolean certificateVerificationOptionalNoCA) {
if (sslCtx == 0) {
throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
}
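Review bot: The new `@param certificateVerificationDepth Certificate verification depth` tag only restates the parameter name and does not tell a reader what the value bounds or where it ends up. Since the constructor stores it and the verify-mode switch later passes it to `SSL.setVerify`, say so: `@param certificateVerificationDepth Maximum depth of the client certificate chain that OpenSSL will check; passed to SSL.setVerify()`. For the second parameter, `@param certificateVerificationOptionalNoCA {@code true} to use SSL_CVERIFY_OPTIONAL_NO_CA instead of SSL_CVERIFY_OPTIONAL, i.e. accept an optional client certificate even when it cannot be validated against the configured CA certificates` makes the security consequence explicit rather than the vague "Skip CA verification". The constructor body continues past this hunk.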
@@ -200,6 +206,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
this.sessionContext = sessionContext;
this.alpn = alpn;
this.initialized = initialized;
+ this.certificateVerificationDepth = certificateVerificationDepth;
+ this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
}
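Review bot: `certificateVerificationDepth` is stored without any range check, while the same constructor already rejects an invalid `sslCtx` with `IllegalArgumentException`, so a negative depth will only surface later inside `SSL.setVerify`. If `SSLHostConfig` does not already reject negative values (not visible here), a guard in the same style, `if (certificateVerificationDepth < 0) { throw new IllegalArgumentException(sm.getString("<message-key-placeholder>")); }`, keeps the failure at construction time where the misconfiguration is obvious. The constructor begins before this hunk.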
@Override
@@ -1092,13 +1100,15 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
}
switch (mode) {
case NONE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, certificateVerificationDepth);
break;
case REQUIRE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, certificateVerificationDepth);
break;
case OPTIONAL:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, VERIFY_DEPTH);
+ SSL.setVerify(ssl,
+ certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL,
+ certificateVerificationDepth);
break;
}
clientAuth = mode;
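Review bot: The ternary in the OPTIONAL case is packed into a single long line inside the `SSL.setVerify` call, which hides the one security-relevant choice this commit introduces. Extracting it as `int optionalMode = certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL;` followed by `SSL.setVerify(ssl, optionalMode, certificateVerificationDepth);` keeps the line within the usual column limit and gives a natural place for a comment such as `// OPTIONAL_NO_CA accepts a client certificate that does not chain to a configured CA; the application must validate it itself`. After this change the `VERIFY_DEPTH` constant is no longer referenced in this switch; if this was its only use it can be removed. The enclosing method starts and ends outside the hunk.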
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ec97e0b..91cc103 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -98,6 +98,12 @@
and pass through <code>None</code> value if set by user. Patch provided
by John Kelly. (markt)
</fix>
+ <fix>
+ <bug>63894</bug>: Ensure that the configured values for
+ <code>certificateVerification</code> and
+ <code>certificateVerificationDepth</code> are correctly based to the
+ OpenSSL based SSLEngine implementation. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Web applications">