diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index fd8fc5c..3303e63 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -50,6 +50,7 @@
 import org.apache.tomcat.util.net.Constants;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type;
 import org.apache.tomcat.util.res.StringManager;
@@ -489,7 +490,9 @@
 @Override
 public SSLEngine createSSLEngine() {
 return new OpenSSLEngine(ctx, defaultProtocol, false, sessionContext,
- (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized);
+ (negotiableProtocols != null && negotiableProtocols.size() > 0), initialized,
+ sslHostConfig.getCertificateVerificationDepth(),
+ sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA);
 }
 @Override
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index e775168..457bf2a 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -165,6 +165,8 @@
 private final OpenSSLSessionContext sessionContext;
 private final boolean alpn;
 private final boolean initialized;
+ private final int certificateVerificationDepth;
+ private final boolean certificateVerificationOptionalNoCA;
 private String selectedProtocol = null;
@@ -186,7 +188,7 @@
 boolean clientMode, OpenSSLSessionContext sessionContext,
 boolean alpn) {
 this(sslCtx, fallbackApplicationProtocol, clientMode, sessionContext,
- alpn, false);
+ alpn, false, VERIFY_DEPTH, false);
 }
 /**
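Review bot: The rewritten call in createSSLEngine now passes eight positional arguments, and the two new ones sit directly after the boolean `initialized`, so swapping `initialized` with the `== CertificateVerification.OPTIONAL_NO_CA` boolean would compile silently and only show up as a verification-mode change at runtime. Binding the new values to named locals before the call, `int verificationDepth = sslHostConfig.getCertificateVerificationDepth();` and `boolean optionalNoCA = sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL_NO_CA;`, makes the meaning of each position visible at the call site. Both values are snapshotted per engine at creation time; whether `sslHostConfig` can change afterwards is not visible in this hunk.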
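Review bot: The six-argument OpenSSLEngine constructor in the `@@ -186,7 +188,7 @@` hunk now hard-wires `VERIFY_DEPTH` and `false` for the two new parameters, so any engine built through this overload ignores the host configuration's verification depth and can never select the NO_CA variant. That is a reasonable compatibility default, but its Javadoc (which starts before this hunk) should say so, e.g. `Uses the compile-time default verification depth and never enables OPTIONAL_NO_CA; use the extended constructor for a configuration-driven engine.`. It is not visible here whether any caller other than createSSLEngine still uses this overload.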
@@ -202,10 +204,14 @@
 * otherwise
 * @param initialized {@code true} if this instance gets its protocol,
 * cipher and client verification from the {@code SSL_CTX} {@code sslCtx}
+ * @param certificateVerificationDepth Certificate verification depth
+ * @param certificateVerificationOptionalNoCA Skip CA verificiation in
+ * optional mode
 */
 OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
 boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn,
- boolean initialized) {
+ boolean initialized, int certificateVerificationDepth,
+ boolean certificateVerificationOptionalNoCA) {
 if (sslCtx == 0) {
 throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
 }
@@ -219,6 +225,8 @@
 this.sessionContext = sessionContext;
 this.alpn = alpn;
 this.initialized = initialized;
+ this.certificateVerificationDepth = certificateVerificationDepth;
+ this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
 }
 @Override
@@ -1111,13 +1119,15 @@
 }
 switch (mode) {
 case NONE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, certificateVerificationDepth);
 break;
 case REQUIRE:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, VERIFY_DEPTH);
+ SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, certificateVerificationDepth);
 break;
 case OPTIONAL:
- SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, VERIFY_DEPTH);
+ SSL.setVerify(ssl,
+ certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL,
+ certificateVerificationDepth);
 break;
 }
 clientAuth = mode;
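Review bot: The new Javadoc for `certificateVerificationOptionalNoCA` misspells "verification" as "verificiation", and "Skip CA verification in optional mode" does not tell a caller what that implies for the peer certificate it later reads from the session. Suggest `@param certificateVerificationOptionalNoCA {@code true} to use {@code SSL_CVERIFY_OPTIONAL_NO_CA} in optional mode: a client certificate that is presented is, as the name suggests, not checked against the configured CAs, so the application must not treat its presence as an authenticated identity`. The constructor also keeps rejecting `sslCtx == 0` but forwards `certificateVerificationDepth` with no range check; what the native layer does with a negative depth is not visible from this hunk, so a guard such as `if (certificateVerificationDepth < 0) throw new IllegalArgumentException("certificateVerificationDepth < 0");` would make the contract explicit. The constructor body continues past the end of the hunk.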
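Review bot: In the `@@ -1111,13 +1119,15 @@` hunk the OPTIONAL branch is the only place where `certificateVerificationOptionalNoCA` changes behaviour, and nothing at the call site records that under `SSL_CVERIFY_OPTIONAL_NO_CA` a certificate the peer presents is accepted without being validated against the trusted CAs. A why-comment above the `SSL.setVerify` call, `// OPTIONAL_NO_CA: a presented client certificate is not validated against the trusted CAs; code that reads the peer certificate must verify it itself`, keeps the next maintainer from equating "peer certificate present" with "client authenticated". The ternary line is also well beyond 100 columns; hoisting it into `int verify = certificateVerificationOptionalNoCA ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA : SSL.SSL_CVERIFY_OPTIONAL;` before the call keeps the statement short. The enclosing method starts before the hunk.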