List: tomcat-dev
Subject: (tomcat-native) branch 1.2.x updated: BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently set
From: michaelo () apache ! org
Date: 2023-10-30 10:25:30
Message-ID: 169866153029.2846965.3813094305773991557 () gitbox2-he-fi ! apache ! org
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch 1.2.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.2.x by this push:
new 193c4e504 BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently set undocumented default verify paths
193c4e504 is described below
commit 193c4e504fc10f74737b062ddd1b34f54f38a268
Author: Michael Osipov <michaelo@apache.org>
AuthorDate: Wed Oct 18 22:22:06 2023 +0200
BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently set undocumented default verify paths
---
native/src/ssl.c | 11 ++---------
native/src/sslcontext.c | 12 +++---------
xdocs/miscellaneous/changelog.xml | 4 ++++
3 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/native/src/ssl.c b/native/src/ssl.c
index 31493e74f..ff716091f 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -1894,15 +1894,8 @@ TCN_IMPLEMENT_CALL(void, SSL, setVerify)(TCN_STDARGS, jlong \
ssl, if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
(c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
verify |= SSL_VERIFY_PEER;
- if (!c->store) {
- if (SSL_CTX_set_default_verify_paths(c->ctx)) {
- c->store = SSL_CTX_get_cert_store(c->ctx);
- X509_STORE_set_flags(c->store, 0);
- }
- else {
- /* XXX: See if this is fatal */
- }
- }
+ if (!c->store)
+ c->store = SSL_CTX_get_cert_store(c->ctx);
SSL_set_verify(ssl_, verify, SSL_callback_SSL_verify);
}
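Review bot: with `SSL_CTX_set_default_verify_paths()` gone, the `if (!c->store)` branch now only borrows the context's own store via `SSL_CTX_get_cert_store()`, so when no CA certificate or path has been configured that store is empty and any mode that sets `SSL_VERIFY_PEER` will reject every peer chain instead of silently accepting certificates that chain to the platform's default CA bundle. That fail-closed outcome is the point of the fix, but a short comment above `if (!c->store)` saying the store is intentionally left empty unless the caller configured CAs would stop the next reader from re-adding the default paths; dropping `X509_STORE_set_flags(c->store, 0)` is harmless, since that call only ORs flags into the store and a value of 0 changes nothing.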
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 646577e72..36cf11ed0 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -36,6 +36,7 @@ static apr_status_t ssl_context_cleanup(void *data)
if (c) {
int i;
c->crl = NULL;
+ c->store = NULL;
if (c->ctx)
SSL_CTX_free(c->ctx);
c->ctx = NULL;
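Review bot: clearing `c->store` before `SSL_CTX_free(c->ctx)` is the right order, because the store comes from `SSL_CTX_get_cert_store()` and is owned by the SSL_CTX, not by this struct; add a one-line comment next to `c->store = NULL;` saying so, otherwise a later cleanup may "fix" the apparent leak with `X509_STORE_free()` and produce a double free when the context is released.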
@@ -968,15 +969,8 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setVerify)(TCN_STDARGS, \
jlong ctx, if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
(c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
verify |= SSL_VERIFY_PEER;
- if (!c->store) {
- if (SSL_CTX_set_default_verify_paths(c->ctx)) {
- c->store = SSL_CTX_get_cert_store(c->ctx);
- X509_STORE_set_flags(c->store, 0);
- }
- else {
- /* XXX: See if this is fatal */
- }
- }
+ if (!c->store)
+ c->store = SSL_CTX_get_cert_store(c->ctx);
SSL_CTX_set_verify(c->ctx, verify, SSL_callback_SSL_verify);
}
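Review bot: this hunk is a line-for-line copy of the change in ssl.c, and the removed block was an identical copy as well; moving the store lookup and the `verify` flag computation into one shared helper used by both `SSL.setVerify()` and `SSLContext.setVerify()` would keep the two call sites from drifting apart again. Otherwise the same remark applies as for ssl.c: an unconfigured store now stays empty rather than being populated from the default verify paths, so a caller that enables `SSL_VERIFY_PEER` must load its CAs explicitly.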
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index a7462ec00..cac6e1b2d 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -44,6 +44,10 @@
<update>
Remove an unreachable if condition around CRLs in sslcontext.c. (michaelo)
</update>
+ <fix>
+ <bug>67818</bug>: \
<code>SSL.setVerify()</code>/<code>SSLContext.setVerify()</code> + silently set \
undocumented default verify paths. (michaelo) + </fix>
</changelog>
</section>
<section name="Changes in 1.2.39">
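Review bot: the new `<fix>` entry records what changed but not its visible effect; add a sentence stating that deployments which relied on the implicitly loaded default verify paths must now configure a CA certificate or path explicitly, since a `setVerify()` call with peer verification enabled will otherwise fail every handshake after upgrading.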
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org