Thu, 20 Jun 2019 at 16:54, <[email protected]>:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
>
> commit 02fcf97f1b2a1db04b7dd674daf6ab3a5f77312e
> Author: Mark Thomas <[email protected]>
> AuthorDate: Wed Jun 19 18:19:25 2019 +0100
>
> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63500
>
> Correct reference to the X509_STORE being configured
> Remove calls to X509_STORE_free since a separate store is not allocated
> for CRLs. It simply re-uses the existing store for the server
> SSLContext. Trying to close it triggers a JVM crash.
> ---
> if (!X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)) {
> ERR_error_string(SSL_ERR_get(), err);
> - X509_STORE_free(c->crl);
> c->crl = NULL;
> tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err);
> goto cleanup;
> }
> }
> - X509_STORE_set_flags(c->store, X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL);
> + X509_STORE_set_flags(c->crl, X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL);
> rv = JNI_TRUE;
> cleanup:
> TCN_FREE_CSTRING(file);
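Review bot: the error path in this hunk reports the wrong variable: the failing call is `X509_LOOKUP_add_dir(lookup, J2S(path), X509_FILETYPE_PEM)` but the exception is raised with `tcn_Throw(e, "Load failed for path %s (%s)", J2S(file), err);`, so the message names the CRL file rather than the directory that could not be loaded; pass `J2S(path)` there. Removing `X509_STORE_free(c->crl)` is the right fix given that, per the commit message, `c->crl` is the SSL_CTX's own store and not a separately allocated one, and the leftover `c->crl = NULL;` now merely clears an alias. The remaining change only moves `X509_STORE_set_flags` from `c->store` to `c->crl`, which are the same object, so consider dropping the `c->crl` field altogether (or documenting it as a borrowed pointer) so that a future reader cannot reintroduce a free of a pointer this code does not own.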
> diff --git a/xdocs/miscellaneous/changelog.xml
> b/xdocs/miscellaneous/changelog.xml
> index 6af4a2e..bd2ea01 100644
> --- a/xdocs/miscellaneous/changelog.xml
> +++ b/xdocs/miscellaneous/changelog.xml
> @@ -45,6 +45,10 @@
> contains an AIA extension without an OCSP URI. Patch provided by Milind
> Takawale. (markt)
> </fix>
> + <fix>
> + <bug>63500</bug>: Fix JVM crash on Connector start when a certificate
> + revocation file or path is specified for OpenSSL. (markt)
> + </fix>
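Review bot: the changelog wording "certificate revocation file or path" could name the artefact precisely: the code hunk loads the path with `X509_LOOKUP_add_dir`, so "certificate revocation list (CRL) file or directory" tells users which setting triggered the crash without reading the code. Otherwise the entry matches the commit message.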
1. Good catch. The fix is OK.
Indeed, SSL_CTX_get_cert_store() returns a reference to an existing store.
Documentation:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_cert_store.html
2. It seems that there are two fields c->crl and c->store that point
to the same object,
both initialized as SSL_CTX_get_cert_store(c->ctx).
It is confusing, as here we call
X509_STORE_set_flags(c->crl, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
and elsewhere we call
X509_STORE_set_flags(c->store, 0);
I was wondering whether it causes any problems, and it seems that it is OK.
The set_flags() calls are additive, just OR-ing the new flags (and
thus the latter call is a NOOP). So there should not be problems at
runtime.
Documentation:
https://www.openssl.org/docs/manmaster/man3/X509_STORE_set_flags.html
https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]