Summary: | SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" doesn't work | | |
---|---|---|---|
Product: | Tomcat 9 | Reporter: | jfclere <jfclere> |
Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | | |
Severity: | normal | | |
Priority: | P2 | | |
Version: | 9.0.x | | |
Target Milestone: | ----- | | |
Hardware: | PC | | |
OS: | Linux | | |
Attachments: | Test patch | | |
Description
jfclere
2019-10-30 17:22:59 UTC
Created attachment 36866
Test patch
The OpenSSL style doesn't work well with the JSSE style configuration on engine creation. Also, optionalNoCA doesn't mean much since JSSE always has a truststore. So I am trying to pass the two parameters and see how it works; I didn't test it, though.
Note to self: optionalNoCA always fails if OCSP is enabled which it is by default in most OpenSSL builds.

Patch confirmed. I addressed the issue of the multiple calls to setVerify in SSL.c in a separate commit.

Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards