When trying to set certificateVerification="optionalNoCA" certificateVerificationDepth="6" in SSLHostConfig I have noted that verification is always 2 and the depth 10. Basically I printed it in SSL_callback_SSL_verify() in native/src/sslutils.c and I get neither the optionalNoCA nor 6. According to my traces:

In sslcontext.c setVerify level 3 depth 6
In SSL.c setVerify Level: 1 DeptH: 10
In SSL.c setVerify Level: 1 DeptH: 10

So the value is set properly and later overwritten twice :-(

My configuration is:

<Connector port="8443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true">
  <SSLHostConfig certificateVerification="optionalNoCA" certificateVerificationDepth="6" caCertificateFile="/etc/pki/CA/cacert.pem">
    <Certificate certificateKeyFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newkey.pem" certificateFile="/home/jfclere/NOTES/APACHECONNA2019/httpdssl/jfcpc_newcert.pem" certificateKeyPassword="adelina" type="RSA" />
  </SSLHostConfig>
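To make the effect of the overwritten values concrete, here is an added C model (my own code, not tomcat-native's) of the decision a verify callback takes from the verify level and depth it was configured with. It assumes the level numbering seen in the traces above (3 = optionalNoCA, 1 = optional) and that the X509_V_ERR codes listed are the "unknown CA" failures optionalNoCA is meant to tolerate.

```c
#include <stdio.h>

/* Verify levels as passed to setVerify(); numbering assumed from the traces
 * (sslcontext.c sets 3 for optionalNoCA, SSL.c later overwrites with 1). */
enum verify_mode {
    CVERIFY_NONE = 0,
    CVERIFY_OPTIONAL = 1,
    CVERIFY_REQUIRE = 2,
    CVERIFY_OPTIONAL_NO_CA = 3
};

/* Subset of OpenSSL X509_V_ERR_* codes (values as in x509_vfy.h). */
enum {
    V_OK = 0,
    V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2,
    V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18,
    V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19,
    V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
    V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21,
    V_ERR_CERT_UNTRUSTED = 27
};

/* Errors that only say "the CA is not in our trust store" (assumed set). */
static int is_unknown_ca_error(int err)
{
    return err == V_ERR_UNABLE_TO_GET_ISSUER_CERT
        || err == V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        || err == V_ERR_CERT_UNTRUSTED
        || err == V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
        || err == V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        || err == V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
}

/* Returns 1 to accept the chain element, 0 to reject. preverify_ok, err and
 * depth are what OpenSSL hands a verify callback for the current element. */
int verify_decision(int mode, int max_depth, int preverify_ok, int err, int depth)
{
    int ok = preverify_ok;
    if (mode == CVERIFY_NONE)
        return 1;                         /* no client verification requested */
    if (mode == CVERIFY_OPTIONAL_NO_CA && !ok && is_unknown_ca_error(err))
        ok = 1;                           /* unknown CA tolerated, other errors not */
    if (depth > max_depth)
        ok = 0;                           /* chain longer than configured depth */
    return ok;
}

int main(void)
{
    int err = V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;  /* constructed case */
    printf("configured (3,6): %d\n", verify_decision(3, 6, 0, err, 1));   /* 1 */
    printf("observed   (1,10): %d\n", verify_decision(1, 10, 0, err, 1)); /* 0 */
    return 0;
}
```

The same unknown-CA client certificate is accepted with the configured level 3 and rejected once setVerify has overwritten it with level 1, which is exactly the behaviour reported above.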
Created attachment 36866: Test patch

The OpenSSL style doesn't work well with the JSSE style configuration on engine creation. Also optionalNoCA doesn't mean much since JSSE always has a truststore. So I'm trying to pass the two parameters and see how it works; I didn't test it though.
Note to self: optionalNoCA always fails if OCSP is enabled which it is by default in most OpenSSL builds.
Patch confirmed. I addressed the issue of the multiple calls to setVerify in SSL.c in a separate commit.

Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards