This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 66d3bad  Avoid hardcoding https with OCSP
66d3bad is described below

commit 66d3baddd305c6545deb32d5e410b0d3f9d5f487
Author: remm <r...@apache.org>
AuthorDate: Fri Nov 5 14:16:36 2021 +0100

    Avoid hardcoding https with OCSP
    
    Especially useful since I failed to make openssl do tls with ocsp.
    Also catch exceptions, it's safer.
---
 .../tomcat/util/net/openssl/panama/OpenSSLEngine.java   | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git 
a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
 
b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 70a70cd..29c4ce7 100644
--- 
a/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ 
b/modules/openssl-panama-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -25,6 +25,7 @@ import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.lang.ref.Cleaner;
 import java.lang.ref.Cleaner.Cleanable;
+import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.ByteBuffer;
@@ -1403,14 +1404,14 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
                             if (!urls.isEmpty()) {
                                 // Use OpenSSL to build OCSP request
                                 for (String urlString : urls) {
-                                    if (logger.isDebugEnabled()) {
-                                        logger.debug("Processing OCSP URL: " + 
urlString);
-                                    }
                                     try {
                                         URL url = new URL(urlString);
                                         ocspResponse = processOCSPRequest(url, 
issuer, x509, x509ctx, scope);
+                                        if (logger.isDebugEnabled()) {
+                                            logger.debug("OCSP response for 
URL: " + urlString + " was " + ocspResponse);
+                                        }
                                     } catch (MalformedURLException e) {
-                                        
logger.warn(sm.getString("engine.invalidOCSPURL"));
+                                        
logger.warn(sm.getString("engine.invalidOCSPURL", urlString));
                                     }
                                     if (ocspResponse != 
V_OCSP_CERTSTATUS_UNKNOWN()) {
                                         break;
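Review bot: Dropping the pre-request debug line leaves no log entry naming the URL when processOCSPRequest blocks or throws; the new debug message is written only after the call returns, and the MalformedURLException branch is the only other place the URL is reported. Keep a `logger.debug("Processing OCSP URL: " + urlString);` ahead of the `try` so a hung or failing responder can be identified from the log, and the post-call message then only needs the status. That message also prints ocspResponse as a bare number; if it is the OpenSSL V_OCSP_CERTSTATUS_* value, a symbolic name would read better, though the mapping is not visible here. The enclosing loop and method continue outside the hunk.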
@@ -1460,7 +1461,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
         MemoryAddress ocspResponse = MemoryAddress.NULL;
         MemoryAddress id = MemoryAddress.NULL;
         MemoryAddress ocspOneReq = MemoryAddress.NULL;
-        HttpsURLConnection connection = null;
+        HttpURLConnection connection = null;
         MemoryAddress basicResponse = MemoryAddress.NULL;
         MemoryAddress certId = MemoryAddress.NULL;
         try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
@@ -1489,7 +1490,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
             // Content-Type: application/ocsp-request
             // Content-Length: ocspRequestData.length
             byte[] ocspRequestData = MemorySegment.ofAddressNative(buf, 
requestLength, scope).toArray(ValueLayout.JAVA_BYTE);
-            connection = (HttpsURLConnection) url.openConnection();
+            connection = (HttpURLConnection) url.openConnection();
             connection.setRequestMethod("POST");
             connection.setDoInput(true);
             connection.setDoOutput(true);
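Review bot: The cast in `connection = (HttpURLConnection) url.openConnection();` is now reached for any URL scheme the JDK has a handler for, and the responder URL presumably comes from the certificate being verified rather than from configuration, so a certificate carrying a `file:`, `jar:` or `ldap:` URL only fails here with a ClassCastException instead of being rejected up front. Guard the scheme before opening anything: `String protocol = url.getProtocol(); if (!"http".equals(protocol) && !"https".equals(protocol)) { return V_OCSP_CERTSTATUS_UNKNOWN(); }`. The two lines between this hunk and the next are not shown; if they do not call `connection.setConnectTimeout(...)` and `connection.setReadTimeout(...)`, an unresponsive OCSP responder stalls the handshake thread indefinitely. The existing HttpsURLConnection import does not appear to be removed by this commit and may now be unused. processOCSPRequest begins and ends outside the hunk.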
@@ -1498,7 +1499,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
             connection.connect();
             connection.getOutputStream().write(ocspRequestData);
             int responseCode = connection.getResponseCode();
-            if (responseCode != HttpsURLConnection.HTTP_OK) {
+            if (responseCode != HttpURLConnection.HTTP_OK) {
                 return V_OCSP_CERTSTATUS_UNKNOWN();
             }
             InputStream is = connection.getInputStream();
@@ -1524,7 +1525,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
                             MemoryAddress.NULL, MemoryAddress.NULL, 
MemoryAddress.NULL);
                 }
             }
-        } catch (IOException e) {
+        } catch (Exception e) {
             logger.warn(sm.getString("engine.ocspRequestError", 
url.toString()), e);
         } finally {
             if (MemoryAddress.NULL.equals(ocspResponse)) {
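Review bot: Widening the catch to `Exception` reports RuntimeExceptions from the cast and from the foreign-memory calls under the same I/O-flavoured `engine.ocspRequestError` warning as genuine request failures, so a programming error and an unreachable responder become indistinguishable in the log. If the goal is to keep a failure here from aborting the handshake, a separate `catch (RuntimeException e)` with its own message keeps the two cases apart. Note also that this warning carries a full stack trace and fires once per handshake for a certificate whose responder is unreachable, which the presenting peer controls; a debug-level or rate-limited variant for the expected-unreachable case would keep logs usable. The `finally` block and the rest of the method continue outside the hunk.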
