Bug 44864

Summary: optionalNoCA not honored
Product: Tomcat 6
Reporter: André Cruz <andre.cruz>
Component: Connectors
Assignee: Tomcat Developers Mailing List <dev>
Severity: major
CC: ian, trscavo
Priority: P2
Version: unspecified
Target Milestone: default
Hardware: PC
OS: Linux

Description André Cruz 2008-04-23 09:36:55 UTC
Even when SSLVerifyClient="optionalNoCA" is specified in the connector, invalid client certificates still lead to invalid SSL handshakes.

This is because SSL_get_verify_result(con->ssl) in sslnetwork.c still returns != X509_V_OK even though SSL_callback_SSL_verify() returns ok in these cases. There is an extra check in openssl itself which is returning the error.

The way this is dealt with in mod_ssl in apache (ssl_engine_io.c) is: 

    if ((verify_result != X509_V_OK) ||
        sslconn->verify_error)
    {
        if (ssl_verify_error_is_optional(verify_result) &&
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
        {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:
             * "level optional_no_ca is actually against the idea
             *  of authentication (but can be used to establish
             * SSL test pages, etc.)"
             * optional_no_ca doesn't appear to work as advertised
             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, "
                          "accepting certificate based on "
                          "\"SSLVerifyClient optional_no_ca\" "
                          "configuration");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
        }
        else {
            const char *error = sslconn->verify_error ?
                sslconn->verify_error :
                X509_verify_cert_error_string(verify_result);

            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                         "SSL client authentication failed: %s",
                         error ? error : "unknown");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);

            return ssl_filter_io_shutdown(filter_ctx, c, 1);
        }
    }

Even though verify_result is not OK, if optional_no_ca is specified, the request should be valid.

The release notes specify that bugs in this code should be filed under the "Native:JNI" component, but I couldn't find it in the pull-down.
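The point of the report is that a verify callback returning "ok" does not clear the error OpenSSL records for SSL_get_verify_result(); the server has to apply the configured verify mode to that stored result after the handshake. The following is an added example written for this page, not tcnative's or mod_ssl's code, showing that post-handshake decision for all four verify modes. The X509_V_* values are copied from OpenSSL's x509_vfy.h so the block builds without OpenSSL headers; the enum and function names are this example's own, and the "optional" error set is the one mod_ssl uses (self-signed or untrusted chain, but not expired or revoked):

```c
#include <stdio.h>

/* Values copied from OpenSSL's <openssl/x509_vfy.h> so the example builds
 * stand-alone. Real code includes the header and uses the macros directly. */
#define X509_V_OK                                    0
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN         19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE   21
#define X509_V_ERR_CERT_REVOKED                      23
#define X509_V_ERR_CERT_UNTRUSTED                    27

/* Mirrors SSLVerifyClient none / optional / optionalNoCA / require.
 * Names are this example's own (assumption), not tcnative's. */
enum verify_mode {
    VERIFY_NONE,
    VERIFY_OPTIONAL,
    VERIFY_OPTIONAL_NO_CA,
    VERIFY_REQUIRE
};

/* Errors that only mean "no trusted CA could vouch for this chain".
 * A broken signature, an expired or a revoked certificate is never optional. */
int verify_error_is_optional(long err)
{
    return err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
        || err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        || err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        || err == X509_V_ERR_CERT_UNTRUSTED
        || err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}

/*
 * Post-handshake decision. `have_cert` is whether SSL_get_peer_certificate()
 * returned a certificate; `verify_result` is what SSL_get_verify_result()
 * reports. The two must be checked separately: when the client sends no
 * certificate at all OpenSSL reports X509_V_OK, so "result is OK" alone
 * would let an empty handshake through under "require".
 * Returns 1 to keep the connection, 0 to shut it down.
 */
int accept_client_auth(enum verify_mode mode, int have_cert, long verify_result)
{
    switch (mode) {
    case VERIFY_NONE:
        return 1;
    case VERIFY_REQUIRE:
        return have_cert && verify_result == X509_V_OK;
    case VERIFY_OPTIONAL:
        /* Absent is fine; present but unverifiable is not. */
        return !have_cert || verify_result == X509_V_OK;
    case VERIFY_OPTIONAL_NO_CA:
        /* Absent or unverifiable-only-because-of-the-CA is fine. */
        return !have_cert
            || verify_result == X509_V_OK
            || verify_error_is_optional(verify_result);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample handshakes: {mode, cert present, stored result}. */
    struct { const char *label; enum verify_mode mode; int have_cert; long res; } cases[] = {
        { "optionalNoCA, self-signed cert",   VERIFY_OPTIONAL_NO_CA, 1, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT },
        { "optionalNoCA, unknown issuer",     VERIFY_OPTIONAL_NO_CA, 1, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY },
        { "optionalNoCA, expired cert",       VERIFY_OPTIONAL_NO_CA, 1, X509_V_ERR_CERT_HAS_EXPIRED },
        { "optionalNoCA, revoked cert",       VERIFY_OPTIONAL_NO_CA, 1, X509_V_ERR_CERT_REVOKED },
        { "optional, unknown issuer",         VERIFY_OPTIONAL,       1, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY },
        { "optional, no cert sent",           VERIFY_OPTIONAL,       0, X509_V_OK },
        { "require, no cert sent",            VERIFY_REQUIRE,        0, X509_V_OK },
        { "require, valid cert",              VERIFY_REQUIRE,        1, X509_V_OK },
    };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-36s -> %s\n", cases[i].label,
               accept_client_auth(cases[i].mode, cases[i].have_cert, cases[i].res)
                   ? "accept" : "shutdown");
    return 0;
}
```

The verify callback passed to SSL_CTX_set_verify() still has to return 1 for the same optional errors in optionalNoCA mode, or the handshake fails before this check ever runs; the callback's return value only controls whether the handshake continues, while the error stays recorded for SSL_get_verify_result(). Both stages need the same rule.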
Comment 1 Mladen Turk 2008-07-23 01:11:24 UTC
This actually belongs to Connectors, not JK
Comment 2 Mladen Turk 2008-07-23 02:04:15 UTC
Should be fixed now. Can you verify by using the SVN trunk?
Comment 3 André Cruz 2008-07-23 04:31:21 UTC
Yes, it seems to work.

Comment 4 Tom Scavo 2008-07-23 07:31:02 UTC
What version of tomcat will incorporate this patch, do you know?  Thanks.