Posted to dev@tomcat.apache.org by jf...@apache.org on 2020/05/22 08:04:09 UTC
[tomcat-native] branch master updated: Allow to bypass the OCSP
responder check like SSLOCSPEnable to use it in add:
Note that a not responding OCSP responder is now handled as
an error.
This is an automated email from the ASF dual-hosted git repository.
jfclere pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/master by this push:
new be9fa30 Allow to bypass the OCSP responder check like SSLOCSPEnable to use it in <SSLHostConfig/> add: <OpenSSLConf> <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" /> </OpenSSLConf> Note that a not responding OCSP responder is now handled as an error.
be9fa30 is described below
commit be9fa3017d0daed7a6722f095d2223bfbeeac915
Author: Jean-Frederic Clere <jf...@gmail.com>
AuthorDate: Fri May 22 10:01:26 2020 +0200
Allow bypassing the OCSP responder check (like SSLOCSPEnable). To use it in <SSLHostConfig/>, add:
<OpenSSLConf>
<OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
</OpenSSLConf>
Note that a non-responding OCSP responder is now handled as an error.
---
native/include/ssl_private.h | 2 ++
native/src/sslconf.c | 19 +++++++++++++++++++
native/src/sslutils.c | 41 ++++++++++++++++++++++-------------------
3 files changed, 43 insertions(+), 19 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 26495e4..125d6b7 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -318,6 +318,7 @@ struct tcn_ssl_ctxt_t {
unsigned int alpn_proto_len;
int alpn_selector_failure_behavior;
/* End add from netty-tcnative */
+ int no_ocsp_check;
};
#ifdef HAVE_SSL_CONF_CMD
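Review bot: The new `no_ocsp_check` member of tcn_ssl_ctxt_t has no comment, and since it is the switch that turns revocation checking off in SSL_callback_SSL_verify the struct reader should see that: `int no_ocsp_check; /* non-zero: skip the OCSP revocation check in SSL_callback_SSL_verify (NO_OCSP_CHECK) */`. Nothing in this diff initialises the field where the SSL context is created; if the struct comes from apr_pcalloc it starts at 0 (check enabled), but if it is apr_palloc'd the flag is indeterminate until assign() copies it, which is worth confirming at the allocation site outside this diff. The struct definition starts before this hunk.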
@@ -326,6 +327,7 @@ typedef struct tcn_ssl_conf_ctxt_t tcn_ssl_conf_ctxt_t;
struct tcn_ssl_conf_ctxt_t {
apr_pool_t *pool;
SSL_CONF_CTX *cctx;
+ int no_ocsp_check;
};
#endif
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index e881bfb..e2ece6f 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -155,6 +155,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, jlong cctx,
tcn_Throw(e, "Can not check null SSL_CONF command");
return SSL_THROW_RETURN;
}
+ if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
+ if (!strcasecmp(J2S(value), "false"))
+ c->no_ocsp_check = 0;
+ else
+ c->no_ocsp_check = 1;
+ TCN_FREE_CSTRING(cmd);
+ TCN_FREE_CSTRING(value);
+ return 1;
+ }
SSL_ERR_clear();
value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
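Review bot: The value parser fails open: every value except a case-insensitive "false" — "0", "off", "no", or a typo such as "flase" — sets `c->no_ocsp_check = 1` and silently disables revocation checking, when a security switch should only accept an explicit "true" and reject everything else. Only `cmd` is null-checked in the visible lines of check(); if a null `value` can reach this point, `strcasecmp(J2S(value), "false")` dereferences NULL, so that case needs a guard too (I cannot see the Java caller from here). The function check() starts before this hunk.
```c
    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
        if (!strcasecmp(J2S(value), "false")) {
            c->no_ocsp_check = 0;
        }
        else if (!strcasecmp(J2S(value), "true")) {
            c->no_ocsp_check = 1;
        }
        else {
            /* Anything else is an error: a typo must not disable revocation checking */
            TCN_FREE_CSTRING(cmd);
            TCN_FREE_CSTRING(value);
            tcn_Throw(e, "Invalid value for NO_OCSP_CHECK, expected \"true\" or \"false\"");
            return SSL_THROW_RETURN;
        }
        TCN_FREE_CSTRING(cmd);
        TCN_FREE_CSTRING(value);
        return 1;
    }
    /* … unchanged: SSL_ERR_clear() and SSL_CONF_cmd_value_type() … */
```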
@@ -209,6 +218,7 @@ TCN_IMPLEMENT_CALL(void, SSLConf, assign)(TCN_STDARGS, jlong cctx,
TCN_ASSERT(sc != 0);
// sc->ctx == 0 is allowed!
SSL_CONF_CTX_set_ssl_ctx(c->cctx, sc->ctx);
+ sc->no_ocsp_check = c->no_ocsp_check;
}
/* Apply a command to an SSL_CONF context */
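Review bot: `sc->no_ocsp_check = c->no_ocsp_check;` propagates only the value the conf context holds at the moment assign() runs; if the Java side calls assign() before it applies the individual commands, the value written later by apply() never reaches the SSL context and the feature works only because check() also records the flag as a side effect — I cannot see the caller from here, so please confirm the order. If that is the case, either copy the flag into the attached SSL context from apply()/finish() as well, or state the dependency in a comment here, e.g. `/* NO_OCSP_CHECK must already have been seen by check(); apply() runs after this copy */`. The function assign() starts before this hunk.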
@@ -248,6 +258,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, jlong cctx,
buf[len - 1] = '\0';
}
#endif
+ if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
+ if (!strcasecmp(J2S(value), "false"))
+ c->no_ocsp_check = 0;
+ else
+ c->no_ocsp_check = 1;
+ TCN_FREE_CSTRING(cmd);
+ TCN_FREE_CSTRING(value);
+ return 1;
+ }
SSL_ERR_clear();
rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
ec = SSL_ERR_get();
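Review bot: The NO_OCSP_CHECK branch added here is a verbatim copy of the one added to check(); a single `static int tcn_parse_no_ocsp_check(const char *value, int *out)` helper called from both places would keep the two from drifting apart and is the one spot to reject values other than "true"/"false" instead of treating every non-"false" string as a bypass. The early `return 1;` also leaves the function before the code that follows the SSL_CONF_cmd call; if `buf` (whose allocation is above this hunk) is heap-allocated and released further down, the early return leaks it — please confirm against the rest of apply(), which starts before and continues after this hunk.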
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index aa0d68c..0896429 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -312,7 +312,6 @@ int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
* does client authentication and verifies the certificate chain.
*/
-
int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
{
/* Get Apache context back through OpenSSL context */
@@ -324,6 +323,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
int verify = con->ctx->verify_mode;
int depth = con->ctx->verify_depth;
+ int ocsp_check_type = con->ctx->no_ocsp_check;
#if defined(SSL_OP_NO_TLSv1_3)
con->pha_state = PHA_COMPLETE;
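Review bot: The local name `ocsp_check_type` suggests an enumeration of check modes, but the value it copies is the boolean `no_ocsp_check` flag and it is only ever compared against 0, which makes the later `if (ocsp_check_type == 0)` read backwards. Naming it for what it holds, `int skip_ocsp_check = con->ctx->no_ocsp_check;`, lets the condition be written as `if (!skip_ocsp_check)`. The function SSL_callback_SSL_verify starts before this hunk.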
@@ -358,25 +358,28 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
#ifdef HAVE_OCSP_STAPLING
/* First perform OCSP validation if possible */
- if (ok) {
- /* If there was an optional verification error, it's not
- * possible to perform OCSP validation since the issuer may be
- * missing/untrusted. Fail in that case.
- */
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
- errnum = X509_V_ERR_APPLICATION_VERIFICATION;
- ok = 0;
- }
- else {
- int ocsp_response = ssl_verify_OCSP(ctx);
- if (ocsp_response == OCSP_STATUS_REVOKED) {
- ok = 0 ;
- errnum = X509_STORE_CTX_get_error(ctx);
+ if (ocsp_check_type == 0) {
+ if (ok) {
+ /* If there was an optional verification error, it's not
+ * possible to perform OCSP validation since the issuer may be
+ * missing/untrusted. Fail in that case.
+ */
+ if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+ errnum = X509_V_ERR_APPLICATION_VERIFICATION;
+ ok = 0;
}
- else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
- /* TODO: do nothing for time being */
- ;
+ else {
+ int ocsp_response = ssl_verify_OCSP(ctx);
+ if (ocsp_response == OCSP_STATUS_REVOKED) {
+ ok = 0 ;
+ errnum = X509_STORE_CTX_get_error(ctx);
+ }
+ else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
+ errnum = X509_STORE_CTX_get_error(ctx);
+ if (errnum)
+ ok = 0 ;
+ }
}
}
}
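Review bot: The new OCSP_STATUS_UNKNOWN branch fails closed only when ssl_verify_OCSP() has left a non-zero error in the store context; if it returns UNKNOWN without setting one (the visible code does not show when that happens, e.g. a certificate carrying no OCSP responder URL), `errnum` stays X509_V_OK and the handshake proceeds, so the removed TODO should be replaced by a comment making that distinction explicit: `/* UNKNOWN: fatal only if ssl_verify_OCSP() recorded an error (e.g. responder unreachable); no error means no OCSP status was obtainable */`. The outer `if (ocsp_check_type == 0)` also skips the SSL_VERIFY_ERROR_IS_OPTIONAL failure together with the OCSP call, so with NO_OCSP_CHECK set a revoked certificate that otherwise chains is accepted; a one-line comment on that branch saying so would stop a future reader from treating it as a harmless optimisation. The function SSL_callback_SSL_verify starts before and continues after this hunk.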