On 29/06/2021 15:19, jean-frederic clere wrote:
> On 29/06/2021 14:45, Mark Thomas wrote:
>> On 29/06/2021 12:29, jean-frederic clere wrote:
>>> Hi,
>>>
>>> It seems certificateVerification="optionalNoCA" only works if the
>>> OCSP is disabled.
>>>
>>> <OpenSSLConf>
>>>   <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />
>>> </OpenSSLConf>
>>>
>>> In <SSLHostConfig/>
>>>
>>> Otherwise the OCSP check forces an error because it can't check
>>> anything...
>>>
>>> How to "fix" that? Just document it? Or return OK where we test
>>> SSL_CVERIFY_OPTIONAL_NO_CA
>>> (https://github.com/apache/tomcat-native/blob/main/native/src/sslutils.c#L337)?
>>
>> Hmm.
>>
>> My expectation is that:
>> - certificate provided results in OCSP for that cert and the connection
>>   fails if the check fails.
>
> certificateVerification="optional" makes the client certificate optional
> (required by webapps if needed).
> certificateVerification="optionalNoCA" does the same and additionally
> should avoid checking the client against the CA.
>
> The OCSP checking needs to validate the client certificate against the
> CA otherwise it will prevent getting the connection, making NoCA like
> ignored...

Got it. In which case I'll change my expectation to optionalNoCA == no
OCSP check. We should document this.

Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
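As an added illustration of the interaction discussed in this thread (an example configuration written for this page, not from the Tomcat project or from either participant), here is a server.xml connector that combines certificateVerification="optionalNoCA" with the NO_OCSP_CHECK command in the same SSLHostConfig. The port, protocol, sslImplementationName and file paths are placeholders and assumptions; the OpenSSLConf element and NO_OCSP_CHECK command are the ones named in the thread.

```xml
<!-- Added example, not taken from the thread. Assumes Tomcat 9 with the
     OpenSSL engine (tomcat-native); port, hostName and file paths are
     placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true">

  <!-- The client certificate is optional and is NOT validated against the
       CA by Tomcat. Per the thread, this only behaves as intended when the
       native OCSP check is switched off: with OCSP left on, a client that
       does present a certificate is rejected because the OCSP step cannot
       validate it, which silently turns optionalNoCA into a hard failure. -->
  <SSLHostConfig hostName="_default_"
                 certificateVerification="optionalNoCA">
    <Certificate certificateFile="/etc/tomcat/server.pem"
                 certificateKeyFile="/etc/tomcat/server-key.pem"/>
    <OpenSSLConf>
      <!-- Disable the tomcat-native OCSP check so NoCA is honoured. -->
      <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true"/>
    </OpenSSLConf>
  </SSLHostConfig>
</Connector>
```

With this setting Tomcat performs neither the chain check nor the OCSP check, so the presented certificate is effectively untrusted input: a web application that relies on it must read it from the javax.servlet.request.X509Certificate request attribute and perform its own validation (chain, expiry, revocation) before granting anything on the strength of it. Removing the OpenSSLConfCmd line reproduces the failure mode described at the top of the thread.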