[tomcat-native] branch master updated: Allow to bypass the OCSP responder check like SSLOCSPEnable to use it in <SSLHostConfig/> add: <OpenSSLConf> <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" /> </OpenSSLConf> Note that a not responding OCSP responder is now handled as an error.


[tomcat-native] branch master updated: Allow to bypass the OCSP responder check like SSLOCSPEnable to use it in <SSLHostConfig/> add: <OpenSSLConf> <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" /> </OpenSSLConf> Note that a not responding OCSP responder is now handled as an error.

jfclere
This is an automated email from the ASF dual-hosted git repository.

jfclere pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/master by this push:
     new be9fa30  Allow to bypass the OCSP responder check like SSLOCSPEnable to use it in <SSLHostConfig/> add: <OpenSSLConf>     <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />  </OpenSSLConf> Note that a not responding OCSP responder is now handled as an error.
be9fa30 is described below

commit be9fa3017d0daed7a6722f095d2223bfbeeac915
Author: Jean-Frederic Clere <[hidden email]>
AuthorDate: Fri May 22 10:01:26 2020 +0200

    Allow to bypass the OCSP responder check like SSLOCSPEnable
    to use it in <SSLHostConfig/> add:
    <OpenSSLConf>
        <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
     </OpenSSLConf>
    Note that a non-responding OCSP responder is now handled as an error.
---
 native/include/ssl_private.h |  2 ++
 native/src/sslconf.c         | 19 +++++++++++++++++++
 native/src/sslutils.c        | 41 ++++++++++++++++++++++-------------------
 3 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 26495e4..125d6b7 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -318,6 +318,7 @@ struct tcn_ssl_ctxt_t {
     unsigned int    alpn_proto_len;
     int             alpn_selector_failure_behavior;
     /* End add from netty-tcnative */
+    int             no_ocsp_check;
 };
 
 #ifdef HAVE_SSL_CONF_CMD
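Review bot: The new `no_ocsp_check` field in `tcn_ssl_ctxt_t` (this hunk) and the one in `tcn_ssl_conf_ctxt_t` (next hunk) carry no comment saying what a non-zero value means or where it is consumed; add `/* Non-zero: skip OCSP validation in SSL_callback_SSL_verify (set via SSL_CONF command NO_OCSP_CHECK) */` above each. Keeping OCSP checking as the default relies on both structs being zero-initialised when allocated, which the diff does not show; worth confirming, since an uninitialised field would silently disable revocation checking. In the second hunk `int     no_ocsp_check;` is also not aligned with the neighbouring `apr_pool_t      *pool;` column; `int             no_ocsp_check;` matches what this hunk does.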
@@ -326,6 +327,7 @@ typedef struct tcn_ssl_conf_ctxt_t tcn_ssl_conf_ctxt_t;
 struct tcn_ssl_conf_ctxt_t {
     apr_pool_t      *pool;
     SSL_CONF_CTX    *cctx;
+    int     no_ocsp_check;
 };
 #endif
 
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index e881bfb..e2ece6f 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -155,6 +155,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, check)(TCN_STDARGS, jlong cctx,
         tcn_Throw(e, "Can not check null SSL_CONF command");
         return SSL_THROW_RETURN;
     }
+    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
+        if (!strcasecmp(J2S(value), "false"))
+            c->no_ocsp_check = 0;
+        else
+            c->no_ocsp_check = 1;
+        TCN_FREE_CSTRING(cmd);
+        TCN_FREE_CSTRING(value);
+        return 1;
+    }
 
     SSL_ERR_clear();
     value_type = SSL_CONF_cmd_value_type(c->cctx, J2S(cmd));
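Review bot: The value parsing in the new `NO_OCSP_CHECK` branch fails open: only a case-insensitive `"false"` keeps OCSP checking, so any other string — `"0"`, `"no"`, `"off"`, or a typo — silently disables revocation checking, and a NULL `value` reaches `strcasecmp` unchecked. The same block is duplicated in the `apply` hunk below; a shared static helper that accepts only `true`/`false` and lets the caller throw on anything else removes both problems at once. `check` starts and ends outside this hunk, so the throw/return convention below follows the visible `tcn_Throw(e, ...)` / `SSL_THROW_RETURN` lines.
```c
/* Parse a NO_OCSP_CHECK value; only "true"/"false" (case-insensitive) are accepted. */
static int parse_no_ocsp_check(const char *value, int *no_ocsp_check)
{
    if (value == NULL)
        return -1;
    if (!strcasecmp(value, "true")) {
        *no_ocsp_check = 1;
        return 0;
    }
    if (!strcasecmp(value, "false")) {
        *no_ocsp_check = 0;
        return 0;
    }
    return -1;
}

/* … unchanged: SSLConf.check up to the null-cmd check … */
    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
        int rv = parse_no_ocsp_check(J2S(value), &c->no_ocsp_check);
        TCN_FREE_CSTRING(cmd);
        TCN_FREE_CSTRING(value);
        if (rv < 0) {
            tcn_Throw(e, "Invalid value for NO_OCSP_CHECK, expected true or false");
            return SSL_THROW_RETURN;
        }
        return 1;
    }
/* … unchanged: SSL_CONF_cmd_value_type handling … */
```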
@@ -209,6 +218,7 @@ TCN_IMPLEMENT_CALL(void, SSLConf, assign)(TCN_STDARGS, jlong cctx,
     TCN_ASSERT(sc != 0);
     // sc->ctx == 0 is allowed!
     SSL_CONF_CTX_set_ssl_ctx(c->cctx, sc->ctx);
+    sc->no_ocsp_check = c->no_ocsp_check;
 }
 
 /* Apply a command to an SSL_CONF context */
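Review bot: `sc->no_ocsp_check` is copied from `c` only here in `assign`, so a `NO_OCSP_CHECK` command that reaches `apply` after `assign` has run updates `c->no_ocsp_check` but never reaches the `tcn_ssl_ctxt_t` that `SSL_callback_SSL_verify` reads. If the Java side always runs `check` before `assign` this works, but that ordering is not visible in the diff; either make `apply` propagate the flag to the attached context as well, or document the required order, e.g. `/* NO_OCSP_CHECK must have been processed by check() before assign(); apply() does not propagate it */`.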
@@ -248,6 +258,15 @@ TCN_IMPLEMENT_CALL(jint, SSLConf, apply)(TCN_STDARGS, jlong cctx,
         buf[len - 1] = '\0';
     }
 #endif
+    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
+        if (!strcasecmp(J2S(value), "false"))
+            c->no_ocsp_check = 0;
+        else
+            c->no_ocsp_check = 1;
+        TCN_FREE_CSTRING(cmd);
+        TCN_FREE_CSTRING(value);
+        return 1;
+    }
     SSL_ERR_clear();
     rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
     ec = SSL_ERR_get();
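Review bot: The early `return 1` in the new `NO_OCSP_CHECK` branch sits after the `#ifdef` block that prepares `buf` (visible from `buf[len - 1] = '\0';` just above); if `buf` is allocated there rather than being a stack array, this return skips whatever releases it later in the function, so the branch is safer placed before that block, right after the null-command check as `check` does. The value parsing shares the fail-open problem raised on the `check` hunk. `apply` starts and ends outside this hunk.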
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index aa0d68c..0896429 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -312,7 +312,6 @@ int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
  * does client authentication and verifies the certificate chain.
  */
 
-
 int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
 {
    /* Get Apache context back through OpenSSL context */
@@ -324,6 +323,7 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
     int errdepth = X509_STORE_CTX_get_error_depth(ctx);
     int verify   = con->ctx->verify_mode;
     int depth    = con->ctx->verify_depth;
+    int ocsp_check_type = con->ctx->no_ocsp_check;
 
 #if defined(SSL_OP_NO_TLSv1_3)
     con->pha_state = PHA_COMPLETE;
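Review bot: `ocsp_check_type` is a misleading name for a copy of the boolean `con->ctx->no_ocsp_check`: it suggests an enumeration of check modes, and the later test `if (ocsp_check_type == 0)` in the next hunk reads as a double negative. Name it for what it holds, `int no_ocsp_check = con->ctx->no_ocsp_check;` with `if (!no_ocsp_check)`, or invert it once, `int ocsp_check = !con->ctx->no_ocsp_check;` with `if (ocsp_check)`. `SSL_callback_SSL_verify` continues outside this hunk.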
@@ -358,25 +358,28 @@ int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
 
 #ifdef HAVE_OCSP_STAPLING
     /* First perform OCSP validation if possible */
-    if (ok) {
-        /* If there was an optional verification error, it's not
-         * possible to perform OCSP validation since the issuer may be
-         * missing/untrusted.  Fail in that case.
-         */
-        if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
-            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
-            errnum = X509_V_ERR_APPLICATION_VERIFICATION;
-            ok = 0;
-        }
-        else {
-            int ocsp_response = ssl_verify_OCSP(ctx);
-            if (ocsp_response == OCSP_STATUS_REVOKED) {
-                ok = 0 ;
-                errnum = X509_STORE_CTX_get_error(ctx);
+    if (ocsp_check_type == 0) {
+       if (ok) {
+            /* If there was an optional verification error, it's not
+             * possible to perform OCSP validation since the issuer may be
+             * missing/untrusted.  Fail in that case.
+             */
+            if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
+                X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+                errnum = X509_V_ERR_APPLICATION_VERIFICATION;
+                ok = 0;
             }
-            else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
-                /* TODO: do nothing for time being */
-                ;
+            else {
+                int ocsp_response = ssl_verify_OCSP(ctx);
+                if (ocsp_response == OCSP_STATUS_REVOKED) {
+                    ok = 0 ;
+                    errnum = X509_STORE_CTX_get_error(ctx);
+                }
+                else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
+                    errnum = X509_STORE_CTX_get_error(ctx);
+                    if (errnum)
+                        ok = 0 ;
+                }
             }
         }
     }
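Review bot: The new `OCSP_STATUS_UNKNOWN` branch fails the handshake only when `X509_STORE_CTX_get_error(ctx)` is already non-zero, so whether an unreachable responder is really treated as an error depends on `ssl_verify_OCSP` having set the store error before returning UNKNOWN; that contract is not visible in this hunk and deserves a comment at the branch, e.g. `/* ssl_verify_OCSP() sets the store error when the responder could not be queried; fail in that case, unlike a certificate that simply carries no OCSP information */`. When the whole block is bypassed nothing records that revocation checking was skipped for this connection; if the file has a debug logging facility, a line at the bypass point would let operators confirm which mode a host is running in. Two style nits: the `if (ok) {` line is indented seven spaces where the rest of the block uses eight, and `ok = 0 ;` (twice) has a stray space before the semicolon. The callback continues past the end of this hunk.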

