Posted to cvs@httpd.apache.org by jo...@apache.org on 2019/03/19 17:26:38 UTC

svn commit: r1855849 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c

Author: jorton
Date: Tue Mar 19 17:26:38 2019
New Revision: 1855849

URL: http://svn.apache.org/viewvc?rev=1855849&view=rev
Log:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
  restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1855849&r1=1855848&r2=1855849&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Mar 19 17:26:38 2019
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+     [Michael Kaufmann <mail michael-kaufmann.ch>]
+
   *) mod_md: Explicitly setting file permissions to break out of umasks. We want our
      non-privilegded apache user to be able to read them. See github issue
      <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] 
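Review bot: The new CHANGES entry states the fix but not the user-visible effect of the bug, so a reader cannot tell from the changelog whether the stale verify state only affected logging or could alter access decisions for later requests on the same connection; one clause describing the symptom, and a reference to the bug report or PR number if one exists (the adjacent mod_md entry cites its issue URL), would make the entry actionable for administrators deciding whether to upgrade.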

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1855849&r1=1855848&r2=1855849&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Mar 19 17:26:38 2019
@@ -1155,6 +1155,7 @@ static int ssl_hook_Access_modern(reques
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
                 apr_table_setn(r->notes, "error-notes",
                                "Reason: Cannot perform Post-Handshake Authentication.<br />");
+                SSL_set_verify(ssl, vmode_inplace, NULL);
                 return HTTP_FORBIDDEN;
             }
             
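Review bot: The added `SSL_set_verify(ssl, vmode_inplace, NULL);` passes a NULL callback, which in OpenSSL leaves the previously installed verify callback untouched rather than clearing it; that is presumably the intent, but it is not obvious from the line itself, so a short comment such as `/* restore pre-PHA verify mode; NULL keeps the existing callback */` would prevent a future reader from "fixing" it to an explicit callback. Since the same restore is now needed on every early-return path in this block, a single cleanup point (a label the error paths jump to, or a small helper that sets the mode and returns the status) would be safer than repeating the call before each `return`, where the next early return added here is likely to miss it.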
@@ -1176,6 +1177,7 @@ static int ssl_hook_Access_modern(reques
              * Finally check for acceptable renegotiation results
              */
             if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+                SSL_set_verify(ssl, vmode_inplace, NULL);
                 return rc;
             }
         }
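Review bot: This restore only covers the failure branch of `ssl_check_post_client_verify`; the hunk's trailing context shows the block closing immediately after the `if`, but not what happens on the `OK` path, so it should be confirmed (and ideally made visible with a comment near the closing brace) that the successful PHA path also returns the verify mode to `vmode_inplace` rather than leaving the strengthened mode in place for subsequent requests on the connection. As with the earlier hunk, the duplicated `SSL_set_verify(ssl, vmode_inplace, NULL);` before `return rc;` argues for one shared restore point instead of per-return copies.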