Posted to cvs@httpd.apache.org by fu...@apache.org on 2008/06/03 16:49:46 UTC
svn commit: r662815 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Author: fuankg
Date: Tue Jun 3 07:49:46 2008
New Revision: 662815
URL: http://svn.apache.org/viewvc?rev=662815&view=rev
Log:
Fix client verification problem with SNI and multicerts.
Submitted by: Kaspar Brand <asfbugz velox.ch>
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=662815&r1=662814&r2=662815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Jun 3 07:49:46 2008
@@ -432,6 +432,11 @@
* currently active/remembered verify depth (because this means more
* restriction on the certificate chain).
*/
+ if ((sc->server->auth.verify_depth != UNSET) &&
+ (dc->nVerifyDepth == UNSET)) {
+ /* apply per-vhost setting, if per-directory config is not set */
+ dc->nVerifyDepth = sc->server->auth.verify_depth;
+ }
if (dc->nVerifyDepth != UNSET) {
/* XXX: doesnt look like sslconn->verify_depth is actually used */
if (!(n = sslconn->verify_depth)) {
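Review bot: The added fallback writes the per-vhost value into `dc->nVerifyDepth`, so it modifies the per-directory config record itself rather than a request-local copy; the second hunk does the same with `dc->nVerifyClient`. How `dc` is obtained is not visible here, but if it points at configuration shared between requests, the field is no longer UNSET after the first request, and a later request resolved under a different SNI vhost could keep the first vhost's depth or verify mode instead of its own; on a threaded MPM the store would also be an unsynchronised write to shared data. A local avoids both, e.g. `int depth = (dc->nVerifyDepth != UNSET) ? dc->nVerifyDepth : sc->server->auth.verify_depth;` with the following test reading `depth`, and likewise for the verify mode. The enclosing function starts and ends outside both hunks, so the rest of the renegotiation logic should be checked for other reads of these two fields.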
@@ -461,6 +466,11 @@
* verification but at least skip the I/O-intensive renegotation
* handshake.
*/
+ if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&
+ (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {
+ /* apply per-vhost setting, if per-directory config is not set */
+ dc->nVerifyClient = sc->server->auth.verify_mode;
+ }
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
/* remember old state */
verify_old = SSL_get_verify_mode(ssl);