Add verify flags to SSLHostConfig

Author: markt-asf

java/org/apache/tomcat/util/net/SSLHostConfig.java

@@ -120,6 +120,7 @@ public class SSLHostConfig implements Serializable {
     private boolean ocspEnabled = false;
     private boolean ocspSoftFail = true;
     private int ocspTimeout = 15000;
+    private int ocspVerifyFlags = 0;
     private final Set<String> protocols = new HashSet<>();
     // Values <0 mean use the implementation default
     private int sessionCacheSize = -1;
@@ -594,6 +595,16 @@ public void setOcspTimeout(int ocspTimeout) {
     }
 
 
+    public int getOcspVerifyFlags() {
+        return ocspVerifyFlags;
+    }
+
+
+    public void setOcspVerifyFlags(int ocspVerifyFlags) {
+        this.ocspVerifyFlags = ocspVerifyFlags;
+    }
+
+
     public void setProtocols(String input) {
         protocols.clear();
         explicitlyRequestedProtocols.clear();

java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java

@@ -25,6 +25,7 @@ public class OpenSSLConfCmd implements Serializable {
     public static final String NO_OCSP_CHECK = "NO_OCSP_CHECK";
     public static final String OCSP_SOFT_FAIL = "OCSP_SOFT_FAIL";
     public static final String OCSP_TIMEOUT = "OCSP_TIMEOUT";
+    public static final String OCSP_VERIFY_FLAGS = "OCSP_VERIFY_FLAGS";
 
     @Serial
     private static final long serialVersionUID = 1L;

java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java

@@ -371,6 +371,8 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws K
                         Boolean.toString(sslHostConfig.getOcspSoftFail())));
                 sslHostConfig.getOpenSslConf().addCmd(new OpenSSLConfCmd(OpenSSLConfCmd.OCSP_TIMEOUT,
                         Integer.toString(sslHostConfig.getOcspTimeout())));
+                sslHostConfig.getOpenSslConf().addCmd(new OpenSSLConfCmd(OpenSSLConfCmd.OCSP_VERIFY_FLAGS,
+                        Integer.toString(sslHostConfig.getOcspVerifyFlags())));
             }
 
             if (negotiableProtocols != null && !negotiableProtocols.isEmpty()) {

java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java

@@ -363,7 +363,7 @@ private boolean checkConf(OpenSSLConf conf) {
                     ok = true;
                 } else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT)) {
                     ok = true;
-                } else if (name.equals("OCSP_VERIFY_FLAGS")) {
+                } else if (name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {
                     ok = true;
                 } else {
                     int code = SSL_CONF_cmd_value_type(state.confCtx, localArena.allocateFrom(name));
@@ -441,8 +441,8 @@ private boolean applyConf(OpenSSLConf conf) {
                 } else if (name.equals(OpenSSLConfCmd.OCSP_TIMEOUT)) {
                     // Ignore - Tomcat internal - set directly
                     rc = 1;
-                } else if (name.equals("OCSP_VERIFY_FLAGS")) {
-                    ocspVerifyFlags = Integer.parseInt(value);
+                } else if (name.equals(OpenSSLConfCmd.OCSP_VERIFY_FLAGS)) {
+                    // Ignore - Tomcat internal - set directly
                     rc = 1;
                 } else {
                     rc = SSL_CONF_cmd(state.confCtx, localArena.allocateFrom(name), localArena.allocateFrom(value));
@@ -573,6 +573,7 @@ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws K
             }
             ocspSoftFail = sslHostConfig.getOcspSoftFail();
             ocspTimeout = sslHostConfig.getOcspTimeout();
+            ocspVerifyFlags = sslHostConfig.getOcspVerifyFlags();
 
             // Set int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) callback
             SSL_CTX_set_verify(state.sslCtx, value,

webapps/docs/changelog.xml

@@ -289,6 +289,11 @@
         Add support for soft failure of OCSP checks with soft failure support
         disabled by default. (markt)
       </add>
+      <add>
+        Add support for configuring the verification flags passed to
+        <code>OCSP_basic_verify</code> when using an OpenSSL based TLS
+        implementation. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Jasper">

webapps/docs/config/http.xml

@@ -1372,6 +1372,14 @@
       used.</p>
     </attribute>
 
+    <attribute name="ocspVerify" required="false">
+      <p>Configures the verification flags passed to
+      <code>OCSP_basic_verify</code> when using OCSP checks with an OpenSSL
+      based TLS implementation. This attribute has no effect if a JSSE based TLS
+      implementation is used.</p>
+      <p>If not specified, the default value of <code>0</code> will be used.</p>
+    </attribute>
+
     <attribute name="protocols" required="false">
       <p>The names of the protocols to support when communicating with clients.
       This should be a list of any combination of the following: