Bug 63894

Summary: SLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" doesn't work
Product: Tomcat 9 Reporter: jfclere <jfclere>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 9.0.x   
Target Milestone: -----   
Hardware: PC   
OS: Linux   
Attachments: Test patch

Description jfclere 2019-10-30 17:22:59 UTC
When trying to set certificateVerification="optionalNoCA" certificateVerificationDepth="6" in SSLHostConfig I have noted that verification is always 2 and the depth 10.

Basically I printed  it in SSL_callback_SSL_verify() in native/src/sslutils.c and I don't get the optionalNoCA nor 6.

According to my traces:
In sslcontext.c setVerify level 3 depth 6
In SSL.c setVerify Level: 1 DeptH: 10
In SSL.c setVerify Level: 1 DeptH: 10

So the value is set properly and later overwritten twice :-(

My configuration is:

    <Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" caCertificateFile="/etc/pki/CA/cacert.pem">
            <Certificate certificateKeyFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
                         type="RSA" />
Comment 1 Remy Maucherat 2019-10-31 15:00:46 UTC
Created attachment 36866 [details]
Test patch

The OpenSSL style doesn't work well with the JSSE style configuration on engine creation. Also optionalNoCA doesn't mean much since JSSE always has a truststore. So trying to pass the two parameters and see how it works, I didn't test it though.
Comment 2 Mark Thomas 2019-11-04 11:32:56 UTC
Note to self: optionalNoCA always fails if OCSP is enabled which it is by default in most OpenSSL builds.
Comment 3 Mark Thomas 2019-11-04 14:46:41 UTC
Patch confirmed.

I addressed the issue of the multiple calls to setVerify in SSL.c in a separate commit.

Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards