From ma...@apache.org
Subject [tomcat] 02/02: OpenSSLEngine to differentiate between optional and optionalNoCA
Date Mon, 04 Nov 2019 14:27:06 GMT
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 2c999ef1f758de3978842b020c45eec32b67d08a
Author: Mark Thomas <markt@apache.org>
AuthorDate: Mon Nov 4 14:26:43 2019 +0000

    OpenSSLEngine to differentiate between optional and optionalNoCA
    
    Patch by remm
---
 .../apache/tomcat/util/net/openssl/OpenSSLContext.java |  5 ++++-
 .../apache/tomcat/util/net/openssl/OpenSSLEngine.java  | 18 ++++++++++++++----
 webapps/docs/changelog.xml                             |  6 ++++++
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index fd8fc5c..81b2369 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -49,6 +49,7 @@ import org.apache.tomcat.jni.SSLContext;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.apache.tomcat.util.res.StringManager;
@@ -489,7 +490,9 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext
{
     @Override
     public SSLEngine createSSLEngine() {
         return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
-                (negotiableProtocols != null && negotiableProtocols.size() > 0),
initialized);
+                (negotiableProtocols != null && negotiableProtocols.size() > 0),
initialized,
+                sslHostConfig.getCertificateVerificationDepth(),
+                sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA);
     }
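Review bot: The configured CertificateVerification value is flattened to a single boolean on the last added line of createSSLEngine, so the engine never learns whether the host config said REQUIRED, OPTIONAL or NONE; presumably that is fine because the endpoint conveys those through the SSLEngine client-auth setters, but nothing here says so. A short comment would spare the next reader the question of why only the NO_CA bit crosses the boundary: `// Only the NO_CA distinction is needed here; REQUIRED vs OPTIONAL reaches the engine via setNeedClientAuth()/setWantClientAuth()`. Passing the enum itself instead of a boolean would let OpenSSLEngine make that decision without a second flag argument, but that is a style preference rather than a defect.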
 
     @Override
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 7ae6fe8..ede30a8 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -165,6 +165,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
     private final OpenSSLSessionContext sessionContext;
     private final boolean alpn;
     private final boolean initialized;
+    private final int certificateVerificationDepth;
+    private final boolean certificateVerificationOptionalNoCA;
 
     private String selectedProtocol = null;
 
@@ -183,10 +185,14 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
      * otherwise
      * @param initialized {@code true} if this instance gets its protocol,
      * cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
+     * @param certificateVerificationDepth Certificate verification depth
+     * @param certificateVerificationOptionalNoCA Skip CA verification in
+     *   optional mode
      */
     OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
             boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn,
-            boolean initialized) {
+            boolean initialized, int certificateVerificationDepth,
+            boolean certificateVerificationOptionalNoCA) {
         if (sslCtx == 0) {
             throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
         }
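Review bot: The new `@param` entries for certificateVerificationDepth and certificateVerificationOptionalNoCA restate the parameter names without saying what the engine does with them, and both values are only consumed later when client authentication is applied to the SSL handle. Suggest `@param certificateVerificationDepth Verification depth handed to SSL.setVerify() when client authentication is configured` and `@param certificateVerificationOptionalNoCA {@code true} to request a client certificate without checking it against the configured CA when client authentication is optional, which presumably leaves validation of the presented certificate to the application`. The constructor body continues beyond this hunk.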
@@ -200,6 +206,8 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
         this.sessionContext = sessionContext;
         this.alpn = alpn;
         this.initialized = initialized;
+        this.certificateVerificationDepth = certificateVerificationDepth;
+        this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
     }
 
     @Override
@@ -1092,13 +1100,15 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
             }
             switch (mode) {
                 case NONE:
-                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
+                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, certificateVerificationDepth);
                     break;
                 case REQUIRE:
-                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, VERIFY_DEPTH);
+                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, certificateVerificationDepth);
                     break;
                 case OPTIONAL:
-                    SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, VERIFY_DEPTH);
+                    SSL.setVerify(ssl,
+                            certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA
: SSL.SSL_CVERIFY_OPTIONAL,
+                            certificateVerificationDepth);
                     break;
             }
             clientAuth = mode;
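Review bot: The OPTIONAL case now switches to SSL_CVERIFY_OPTIONAL_NO_CA with no comment explaining that this is the branch that drops the CA check, which is the one line a security reviewer will want to understand at a glance; a comment above the ternary such as `// OPTIONAL_NO_CA asks for a client certificate but skips CA verification, so any certificate presented must be validated by the application before it is trusted` would make the trade-off explicit. It is also worth stating in the same comment that the flag is consulted only in the OPTIONAL branch, so a configured OPTIONAL_NO_CA has no effect when the mode is REQUIRE; that looks intentional but is not obvious from the code. The enclosing method starts before this hunk.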
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6562e55..75e11fc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -109,6 +109,12 @@
         Move connection tracking to the endpoint, since it requires far fewer
         operations. (remm)
       </fix>
+      <fix>
+        <bug>63894</bug>: Ensure that the configured values for
+        <code>certificateVerification</code> and
+        <code>certificateVerificationDepth</code> are correctly based to the
+        OpenSSL based SSLEngine implementation. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">

