You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2016/02/10 00:18:20 UTC
svn commit: r1729498 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Author: rjung
Date: Tue Feb 9 23:18:20 2016
New Revision: 1729498
URL: http://svn.apache.org/viewvc?rev=1729498&view=rev
Log:
OpenSSl 1.1.0 support
- improve renegotiation loop.
Should now also work in case only the
cipher changes.
Should now also work in case the handshake
ends with an error.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1729498&r1=1729497&r2=1729498&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Feb 9 23:18:20 2016
@@ -1038,16 +1038,9 @@ int ssl_hook_Access(request_rec *r)
* See: http://marc.info/?t=145493359200002&r=1&w=2
*/
/* XXX: Polling is bad, alternatives? */
- /* XXX: What about renegotiations which do not need to
- * send client certs, e.g. if only the cipher needs
- * to switch? We need a better success criterion here
- * or the loop will poll until SSL_HANDSHAKE_MAX_POLLS
- * is reached.
- */
for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
has_buffered_data(r);
- cert = SSL_get_peer_certificate(ssl);
- if (cert != NULL) {
+ if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
break;
}
apr_sleep(SSL_HANDSHAKE_POLL_MS);
@@ -1055,10 +1048,11 @@ int ssl_hook_Access(request_rec *r)
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
"Renegotiation loop %d iterations, "
"in_init=%d, init_finished=%d, "
- "state=%s, peer_certs=%s",
+ "state=%s, sslconn->ssl=%s, peer_certs=%s",
i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
SSL_state_string_long(ssl),
- cert != NULL ? "yes" : "no");
+ sslconn->ssl != NULL ? "yes" : "no",
+ SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */