This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch 1.2.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/1.2.x by this push:
     new 193c4e504 BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently 
set undocumented default verify paths
193c4e504 is described below

commit 193c4e504fc10f74737b062ddd1b34f54f38a268
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Wed Oct 18 22:22:06 2023 +0200

    BZ 67818: SSL#setVerify()/SSLContext#setVerify() silently set undocumented 
default verify paths
---
 native/src/ssl.c                  | 11 ++---------
 native/src/sslcontext.c           | 12 +++---------
 xdocs/miscellaneous/changelog.xml |  4 ++++
 3 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/native/src/ssl.c b/native/src/ssl.c
index 31493e74f..ff716091f 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -1894,15 +1894,8 @@ TCN_IMPLEMENT_CALL(void, SSL, setVerify)(TCN_STDARGS, 
jlong ssl,
     if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
         (c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
         verify |= SSL_VERIFY_PEER;
-    if (!c->store) {
-        if (SSL_CTX_set_default_verify_paths(c->ctx)) {
-            c->store = SSL_CTX_get_cert_store(c->ctx);
-            X509_STORE_set_flags(c->store, 0);
-        }
-        else {
-            /* XXX: See if this is fatal */
-        }
-    }
+    if (!c->store)
+        c->store = SSL_CTX_get_cert_store(c->ctx);
 
     SSL_set_verify(ssl_, verify, SSL_callback_SSL_verify);
 }
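Review bot: The replacement fallback at lines 42–43 carries no comment, so a later reader cannot tell why a bare `SSL_CTX_get_cert_store()` is now preferred over the default verify paths the removed block loaded; the same applies to the identical lines 73–74 in sslcontext.c. Suggest placing `/* No CA store was configured explicitly: fall back to the context's own, possibly empty, store instead of loading system default verify paths (BZ 67818). */` above the `if` in both places. Note that `c->store` now aliases a store owned by `c->ctx` and not reference counted by this code, which is presumably why the cleanup hunk in sslcontext.c resets it to NULL before `SSL_CTX_free()`; the comment could say that too. With an empty store and SSL_VERIFY_PEER set, peer verification is expected to fail closed rather than silently trusting system roots, which appears to be the intent, but that should be confirmed against `SSL_callback_SSL_verify` and reflected in the Java-side documentation of setVerify. The enclosing setVerify function starts outside the hunk.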
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 646577e72..36cf11ed0 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -36,6 +36,7 @@ static apr_status_t ssl_context_cleanup(void *data)
     if (c) {
         int i;
         c->crl = NULL;
+        c->store = NULL;
         if (c->ctx)
             SSL_CTX_free(c->ctx);
         c->ctx = NULL;
@@ -968,15 +969,8 @@ TCN_IMPLEMENT_CALL(void, SSLContext, 
setVerify)(TCN_STDARGS, jlong ctx,
     if ((c->verify_mode == SSL_CVERIFY_OPTIONAL) ||
         (c->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
         verify |= SSL_VERIFY_PEER;
-    if (!c->store) {
-        if (SSL_CTX_set_default_verify_paths(c->ctx)) {
-            c->store = SSL_CTX_get_cert_store(c->ctx);
-            X509_STORE_set_flags(c->store, 0);
-        }
-        else {
-            /* XXX: See if this is fatal */
-        }
-    }
+    if (!c->store)
+        c->store = SSL_CTX_get_cert_store(c->ctx);
 
     SSL_CTX_set_verify(c->ctx, verify, SSL_callback_SSL_verify);
 }
diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
index a7462ec00..cac6e1b2d 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -44,6 +44,10 @@
     <update>
       Remove an unreachable if condition around CRLs in sslcontext.c. 
(michaelo)
     </update>
+    <fix>
+      <bug>67818</bug>: 
<code>SSL.setVerify()</code>/<code>SSLContext.setVerify()</code>
+      silently set undocumented default verify paths. (michaelo)
+    </fix>
   </changelog>
 </section>
 <section name="Changes in 1.2.39">

