Bug 45392 - No OCSP support for client SSL verification
Status: RESOLVED FIXED
Product: Tomcat Native
Classification: Unclassified
Component: Library
unspecified
All All
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
: PatchAvailable
Reported: 2008-07-14 03:33 UTC by Aristotelis
Modified: 2013-01-24 09:40 UTC (History)
Attachments
patch to add basic support for OCSP (12.99 KB, patch)
2008-07-14 03:33 UTC, Aristotelis
patch to add basic support for OCSP for tomcat-native 1.1.14 (12.81 KB, patch)
2008-07-14 03:35 UTC, Aristotelis
OCSP support for apache tomcat (15.52 KB, patch)
2008-07-14 07:01 UTC, Aristotelis
OCSP support for apache tomcat (20.21 KB, patch)
2008-07-17 07:52 UTC, Aristotelis
OCSP support for apache tomcat (17.78 KB, patch)
2008-09-16 04:39 UTC, Aristotelis
OCSP support for apache tomcat (17.98 KB, patch)
2008-09-19 07:13 UTC, Aristotelis

Description Aristotelis 2008-07-14 03:33:40 UTC
Created attachment 22251 [details]
patch to add basic support for OCSP

Standalone Tomcat (tomcat6) with APR support (tcnative 1.1.13) has no support for OCSP checking of the certificates, even if the certificates have OCSP information. This permits clients with revoked certificates to use them as an authentication method. The attached patch adds basic functionality for OCSP support to prevent this type of attack (patch made against Tomcat Native 1.1.13).

More info http://email.uoa.gr/projects/misc/tomcat-ocsp/
Comment 1 Aristotelis 2008-07-14 03:35:16 UTC
Created attachment 22252 [details]
patch to add basic support for OCSP for tomcat-native 1.1.14

patch for tomcat native 1.1.14
Comment 2 Mladen Turk 2008-07-14 03:54:15 UTC
A few things about the patch.
1. Please use 4 spaces instead of TAB
2. New files must have ASL 2.0 license header at the top.

Please make the patch against the svn trunk.
Some documentation would be great if additional setup is required.


Other than that, the patch is pretty promising.
It would be nice to use the APR for make_socket, but that can be done later.

Regards
Comment 3 Remy Maucherat 2008-07-14 04:45:36 UTC
-1. Please do not add zillions of random features to the Tomcat native code. If APR supports it, then it's ok, otherwise I don't think this is a good idea.
Comment 4 Aristotelis 2008-07-14 05:13:52 UTC
(In reply to comment #3)
> -1. Please do not add zillions of random features to the Tomcat native code. If
> APR supports it, then it's ok, otherwise I don't think this is a good idea.
> 

Please correct me if I'm wrong on this, but Tomcat, using APR in order to have the OpenSSL functionality, makes callbacks to the native code that exists within Apache Tomcat. So actually, for client authentication, the function that is used to verify the certs is in sslutils.c:
/*
 * This OpenSSL callback function is called when OpenSSL
 * does client authentication and verifies the certificate chain.
 */


int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)


 So I believe this part is the responsibility of Tomcat (or perhaps I'm getting something totally wrong) (at least the code resides on this branch).

 On a side note, I don't think this is a random feature for Tomcat, since I haven't found a proper way of reloading the CRL (besides restarting the service), and permitting clients to connect with revoked certificates is not the best-case scenario (from a security point of view there must be a good reason for a certificate to be revoked).
Comment 5 Aristotelis 2008-07-14 05:18:15 UTC
(In reply to comment #2)
> A few things about the patch.
> 1. Please use 4 spaces instead of TAB
> 2. New files must have ASL 2.0 license header at the top.
> 
> Please make the patch against the svn trunk.

  I'll fix these issues, create a new patch and upload it here. 

> Some documentation would be great if additional setup is required.
> 

  Actually, at this time, since the patch uses the OCSP server info found in the certificates, no further setup is required. If extra functionality is to be introduced (i.e. having a default OCSP server), perhaps some additional setup must be made.

> 
> Other than that, the patch is pretty promising.
> It would be nice to use the APR for make_socket, but that can be done later.
> 

  I have to find some documentation and/or look at some code on how to use APR for the socket.

 Thanks :)
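
Comment 5 above says the patch takes the OCSP server from information carried in the certificate, which is the AuthorityInfoAccess extension. As an added illustration (not part of this thread and not the code in the attached patches), this C function walks a DER-encoded AuthorityInfoAccess value and returns the OCSP responder URI; it goes slightly beyond the comment by accepting only bounded-length `http://` URIs. The names `der_hdr`, `aia_ocsp_url` and `SAMPLE_AIA`, and the hostnames in the sample bytes, are constructed for the example.

```c
#include <string.h>
typedef unsigned char u8;

/* Constructed sample: AuthorityInfoAccess with caIssuers, then OCSP entry. */
static const u8 SAMPLE_AIA[] =
    "\x30\x51\x30\x29\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x02\x86\x1d"
    "http://ca.example.test/ca.crt"
    "\x30\x24\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x01\x86\x18"
    "http://ocsp.example.test";

/* Read one DER tag/length header at *p; on success *p points at the value. */
static int der_hdr(const u8 **p, const u8 *end, u8 *tag, size_t *len)
{
    const u8 *q = *p;
    size_t l, n;
    if (end - q < 2) return -1;
    *tag = *q++;
    l = *q++;
    if (l & 0x80) {                       /* long form: n length bytes follow */
        n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return -1;
        for (l = 0; n--; ) l = (l << 8) | *q++;
    }
    if ((size_t)(end - q) < l) return -1; /* value must fit inside the parent */
    *p = q; *len = l; return 0;
}

/* Copy the first http:// OCSP responder URI into out; 0 = found, -1 = none. */
int aia_ocsp_url(const u8 *der, size_t n, char *out, size_t out_sz)
{
    static const u8 ID_AD_OCSP[] = {0x2b, 6, 1, 5, 5, 7, 0x30, 1}; /* 1.3.6.1.5.5.7.48.1 */
    const u8 *p = der, *end = der + n, *ad, *ad_end;
    u8 tag; size_t len; int is_ocsp;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1;
    end = p + len;                        /* stay inside the outer SEQUENCE */
    while (p < end) {                     /* one AccessDescription per pass */
        if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1;
        ad = p; ad_end = p + len; p = ad_end;
        if (der_hdr(&ad, ad_end, &tag, &len) || tag != 0x06) return -1;
        is_ocsp = len == sizeof ID_AD_OCSP && !memcmp(ad, ID_AD_OCSP, len);
        ad += len;
        if (der_hdr(&ad, ad_end, &tag, &len)) return -1;
        /* 0x86 = GeneralName [6] uniformResourceIdentifier */
        if (!is_ocsp || tag != 0x86 || len < 8 || len >= out_sz) continue;
        if (memcmp(ad, "http://", 7) || memchr(ad, 0, len)) continue;
        memcpy(out, ad, len); out[len] = '\0';
        return 0;
    }
    return -1;
}
```

The URI is only meaningful once the certificate chain has verified, since before that point the extension contents are whatever the client sent.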

Comment 6 Aristotelis 2008-07-14 07:01:58 UTC
Created attachment 22253 [details]
OCSP support for apache tomcat

The patch created using trunk (14/10/2008 at 16:20), adding the licence in the new files and changing the indentation to 4 spaces only.
(Hopefully no mistakes :) )
Comment 7 Mladen Turk 2008-07-14 07:13:29 UTC
OK, thanks for the patch.
However, this won't be acceptable until you resolve portability
issues. The <sys/socket.h>, <netinet/in.h>, etc. are not present on
all platforms, or their functionality is inside different headers,
so the APR needs to be used instead.

BTW, the RFC2560 is a cool thing, especially because it's an integral part
of mod_ssl and supported by OpenSSL. Think that APR-izing the needed
stuff won't be that hard.

Regards
Comment 8 Aristotelis 2008-07-17 07:52:26 UTC
Created attachment 22272 [details]
OCSP support for apache tomcat

Added the APR support. (for the socket communication). Hopefully things are setting into place :)
Comment 9 jfclere 2008-08-27 00:59:47 UTC
apr has a pool for memory allocation.
Couldn't the malloc,realloc,free be changed to the apr corresponding ones?
Comment 10 Aristotelis 2008-09-16 04:39:09 UTC
Created attachment 22594 [details]
OCSP support for apache tomcat

This is a new version of the patch. Everything went to sslutils.c (as asked) and everything is in #ifdef HAVE_OCSP_SSL so that this can be made a compile-time option. (I haven't touched anything that has to do with the build procedure.)
Comment 11 Aristotelis 2008-09-19 07:13:04 UTC
Created attachment 22611 [details]
OCSP support for apache tomcat

A new version of the patch. Removed the malloc/realloc/free calls and replaced them with apr_ calls. In some tests I did, it didn't seem to break anything, but I'm not so familiar with APR either :) (I also think that it wasn't such a heavy usage of malloc and free, since it was mainly used for string manipulation.)
Comment 12 Aristotelis 2012-09-26 16:30:06 UTC
Since this feature has been added to apache tomcat 1.1.23 shouldn't this bug be closed??