Posted to cvs@httpd.apache.org by jo...@apache.org on 2019/03/19 17:26:38 UTC
svn commit: r1855849 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c
Author: jorton
Date: Tue Mar 19 17:26:38 2019
New Revision: 1855849
URL: http://svn.apache.org/viewvc?rev=1855849&view=rev
Log:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
restore SSL verify state after PHA failure in TLSv1.3.
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1855849&r1=1855848&r2=1855849&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Mar 19 17:26:38 2019
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+ [Michael Kaufmann <mail michael-kaufmann.ch>]
+
*) mod_md: Explicitly setting file permissions to break out of umasks. We want our
non-privilegded apache user to be able to read them. See github issue
<https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
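Review bot: the new CHANGES entry names only the "TLSv1.3 PHA failure" case, but the ssl_engine_kernel.c hunks in this revision restore vmode_inplace on two different error returns: the HTTP_FORBIDDEN path behind "Cannot perform Post-Handshake Authentication" and the path where ssl_check_post_client_verify() returns something other than OK. Consider wording the entry so both are discoverable, e.g. "Correctly restore SSL verify state when TLSv1.3 PHA fails or post-handshake client verification is rejected." Unrelated to this change, the adjacent mod_md entry in the unchanged context still reads "non-privilegded"; a follow-up could fix the spelling to "non-privileged".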
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1855849&r1=1855848&r2=1855849&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Mar 19 17:26:38 2019
@@ -1155,6 +1155,7 @@ static int ssl_hook_Access_modern(reques
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
apr_table_setn(r->notes, "error-notes",
"Reason: Cannot perform Post-Handshake Authentication.<br />");
+ SSL_set_verify(ssl, vmode_inplace, NULL);
return HTTP_FORBIDDEN;
}
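Review bot: `SSL_set_verify(ssl, vmode_inplace, NULL);` on this HTTP_FORBIDDEN path restores the verify mode but also replaces the SSL-level verify callback with NULL (the third argument of SSL_set_verify is the callback). If a non-NULL callback was installed together with the temporary mode before the PHA attempt, the connection is left with the old mode but without that callback; either pass the callback that was originally in place, or confirm in a short comment that NULL is the state being restored. A one-line comment such as `/* restore the verify mode that was in place before the PHA attempt */` above the call would also make the intent obvious to the next reader of this error path.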
@@ -1176,6 +1177,7 @@ static int ssl_hook_Access_modern(reques
* Finally check for acceptable renegotiation results
*/
if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+ SSL_set_verify(ssl, vmode_inplace, NULL);
return rc;
}
}
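Review bot: this hunk duplicates the `SSL_set_verify(ssl, vmode_inplace, NULL);` restore that the previous hunk adds on the HTTP_FORBIDDEN path, so ssl_hook_Access_modern now has two hand-maintained copies of the same cleanup before two different returns. A single exit, e.g. setting rc and falling through to one `if (rc != OK) { SSL_set_verify(ssl, vmode_inplace, NULL); return rc; }`, would keep the two from drifting apart the next time an error return is added. Separately, the comment "Finally check for acceptable renegotiation results" above the ssl_check_post_client_verify() call is stale in this function: in the TLSv1.3 path the check follows post-handshake authentication, not a renegotiation, so the comment should say so.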