Posted to cvs@httpd.apache.org by rj...@apache.org on 2016/02/10 00:18:20 UTC

svn commit: r1729498 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Author: rjung
Date: Tue Feb  9 23:18:20 2016
New Revision: 1729498

URL: http://svn.apache.org/viewvc?rev=1729498&view=rev
Log:
OpenSSL 1.1.0 support
- improve renegotiation loop.
  Should now also work in case only the
  cipher changes.
  Should now also work in case the handshake
  ends with an error.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1729498&r1=1729497&r2=1729498&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Feb  9 23:18:20 2016
@@ -1038,16 +1038,9 @@ int ssl_hook_Access(request_rec *r)
              * See: http://marc.info/?t=145493359200002&r=1&w=2
              */
             /* XXX: Polling is bad, alternatives? */
-            /* XXX: What about renegotiations which do not need to
-             *      send client certs, e.g. if only the cipher needs
-             *      to switch? We need a better success criterion here
-             *      or the loop will poll until SSL_HANDSHAKE_MAX_POLLS
-             *      is reached.
-             */
             for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
                 has_buffered_data(r);
-                cert = SSL_get_peer_certificate(ssl);
-                if (cert != NULL) {
+                if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
                     break;
                 }
                 apr_sleep(SSL_HANDSHAKE_POLL_MS);
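Review bot: The new exit condition at `if (sslconn->ssl == NULL || SSL_is_init_finished(ssl))` breaks out when the connection's SSL pointer has been cleared, yet the local `ssl` copy is still dereferenced right after the loop in the trace log (`SSL_in_init(ssl)`, `SSL_is_init_finished(ssl)`, `SSL_state_string_long(ssl)`, `SSL_get_peer_certificate(ssl)`). If whatever clears `sslconn->ssl` on a failed handshake also frees the SSL object — that code is not visible here, so worth confirming — the log line reads freed memory on exactly the error path this commit set out to handle. The safer shape is to bail out before touching `ssl` again, e.g. insert `if (sslconn->ssl == NULL) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO() "Renegotiation aborted, connection closed"); return HTTP_FORBIDDEN; }` directly after the loop, or at minimum re-read `ssl = sslconn->ssl` and null-check it before logging. Note also that `SSL_is_init_finished()` only says the handshake state machine is idle, not that the renegotiation delivered what was demanded (a client certificate, the stronger cipher), so the code that follows must still verify those requirements itself rather than treating loop exit as success, as the removed XXX comment warned. ssl_hook_Access starts and ends outside this hunk.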
@@ -1055,10 +1048,11 @@ int ssl_hook_Access(request_rec *r)
             ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
                           "Renegotiation loop %d iterations, "
                           "in_init=%d, init_finished=%d, "
-                          "state=%s, peer_certs=%s",
+                          "state=%s, sslconn->ssl=%s, peer_certs=%s",
                           i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
                           SSL_state_string_long(ssl),
-                          cert != NULL ? "yes" : "no");
+                          sslconn->ssl != NULL ? "yes" : "no",
+                          SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
 
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */