| Summary: | SLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" doesn't work | ||
|---|---|---|---|
| Product: | Tomcat 9 | Reporter: | jfclere <jfclere> |
| Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 9.0.x | ||
| Target Milestone: | ----- | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Attachments: | Test patch | ||
Created attachment 36866 [details]
Test patch
The OpenSSL style doesn't work well with the JSSE style configuration on engine creation. Also optionalNoCA doesn't mean much since JSSE always has a truststore. So trying to pass the two parameters and see how it works, I didn't test it though.
Note to self: optionalNoCA always fails if OCSP is enabled which it is by default in most OpenSSL builds. Patch confirmed. I addressed the issue of the multiple calls to setVerify in SSL.c in a separate commit. Fixed in: - master for 9.0.28 onwards - 8.5.x for 8.5.48 onwards |
When trying to set certificateVerification="optionalNoCA" certificateVerificationDepth="6" in SSLHostConfig I have noted that verification is always 2 and the depth 10. Basically I printed it in SSL_callback_SSL_verify() in native/src/sslutils.c and I don't get the optionalNoCA nor 6. According to my traces: In sslcontext.c setVerify level 3 depth 6 In SSL.c setVerify Level: 1 DeptH: 10 In SSL.c setVerify Level: 1 DeptH: 10 So the value is set properly and later overwritten twice :-( My configuration is: <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true"> <SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" caCertificateFile="/etc/pki/CA/cacert.pem"> <Certificate certificateKeyFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" certificateFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" certificateKeyPassword="adelina" type="RSA" /> </SSLHostConfig>