Bug 63894 - SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" doesn't work
Status: RESOLVED FIXED
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.x
Hardware: PC Linux
Importance: P2 normal
Assignee: Tomcat Developers Mailing List
Reported: 2019-10-30 17:22 UTC by jfclere
Modified: 2019-11-04 14:46 UTC
Attachments
Test patch (4.10 KB, patch)
2019-10-31 15:00 UTC, Remy Maucherat
Description jfclere 2019-10-30 17:22:59 UTC
When trying to set certificateVerification="optionalNoCA" certificateVerificationDepth="6" in SSLHostConfig I have noted that verification is always 2 and the depth 10.

Basically I printed it in SSL_callback_SSL_verify() in native/src/sslutils.c and I don't get the optionalNoCA nor 6.

According to my traces:
In sslcontext.c setVerify level 3 depth 6
In SSL.c setVerify Level: 1 DeptH: 10
In SSL.c setVerify Level: 1 DeptH: 10

So the value is set properly and later overwritten twice :-(

My configuration is:


    <Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" caCertificateFile="/etc/pki/CA/cacert.pem">
            <Certificate certificateKeyFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem"
                         certificateFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem"
                         certificateKeyPassword="adelina"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
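As an added audit example (not part of the report or of Tomcat), the script below walks a server.xml, finds every SSLHostConfig that requests client certificates, and flags the two things this bug report establishes: on 9.0.x before 9.0.28 and 8.5.x before 8.5.48 the configured certificateVerification/certificateVerificationDepth may be overwritten by the later setVerify calls, and optionalNoCA fails outright when OCSP is enabled in the OpenSSL build (comment 2). The sample server.xml fragment is constructed from the reporter's connector with placeholder key/certificate paths.

```python
import xml.etree.ElementTree as ET

# Bug 63894 fix versions per comment 3: 9.0.28 onwards and 8.5.48 onwards.
FIXED_IN = {(9, 0): 28, (8, 5): 48}

# Constructed server.xml fragment modelled on the reporter's connector (file paths are placeholders).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true">
    <SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6"
                   caCertificateFile="/etc/pki/CA/cacert.pem">
      <Certificate certificateKeyFile="/placeholder/key.pem" certificateFile="/placeholder/cert.pem" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def version_affected(tomcat_version):
    """True if this 9.0.x/8.5.x release predates the fix; None for branches the report does not cover."""
    major, minor, patch = (int(p) for p in tomcat_version.split(".")[:3])
    fixed = FIXED_IN.get((major, minor))
    return None if fixed is None else patch < fixed


def audit_client_cert_config(server_xml, tomcat_version):
    """Return (port, finding) tuples for every SSLHostConfig that asks for client certificates."""
    findings = []
    affected = version_affected(tomcat_version)
    for connector in ET.fromstring(server_xml).iter("Connector"):
        port = connector.get("port", "?")
        for host in connector.iter("SSLHostConfig"):
            verification = host.get("certificateVerification", "none")
            if verification == "none":
                continue  # no client-cert verification requested, nothing to check
            # The report's trace shows the configured depth being overwritten with the default of 10.
            depth = host.get("certificateVerificationDepth", "10")
            if affected:
                findings.append((port, "bug 63894: configured %s/depth %s may be overwritten by "
                                       "later setVerify calls; upgrade" % (verification, depth)))
            if verification == "optionalNoCA":
                findings.append((port, "optionalNoCA always fails when OCSP is enabled in the "
                                       "OpenSSL build (comment 2); confirm the effective behaviour"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_client_cert_config(SAMPLE_SERVER_XML, "9.0.27"):
        print("connector %s: %s" % (port, finding))
```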
Comment 1 Remy Maucherat 2019-10-31 15:00:46 UTC
Created attachment 36866
Test patch

The OpenSSL style doesn't work well with the JSSE style configuration on engine creation. Also optionalNoCA doesn't mean much since JSSE always has a truststore. So trying to pass the two parameters and see how it works, I didn't test it though.
Comment 2 Mark Thomas 2019-11-04 11:32:56 UTC
Note to self: optionalNoCA always fails if OCSP is enabled which it is by default in most OpenSSL builds.
Comment 3 Mark Thomas 2019-11-04 14:46:41 UTC
Patch confirmed.

I addressed the issue of the multiple calls to setVerify in SSL.c in a separate commit.

Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards