Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2018/10/05 10:26:07 UTC

Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c

Shouldn't we backport this? Or do you have doubts, or are you maybe waiting for 
feedback?

Regards,

Rainer

On 01.10.2018 at 20:21, rpluem@apache.org wrote:
> Author: rpluem
> Date: Mon Oct  1 18:21:18 2018
> New Revision: 1842540
> 
> URL: http://svn.apache.org/viewvc?rev=1842540&view=rev
> Log:
> * Pickup the proxy related configuration for verify mode and verify depth and
>    not the configuration settings for frontend connections in case of
>    connections by the proxy to the backend.
> 
> PR: 62769
> 
> Modified:
>      httpd/httpd/trunk/CHANGES
>      httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> 
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1842540&r1=1842539&r2=1842540&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct  1 18:21:18 2018
> @@ -1,6 +1,10 @@
>                                                            -*- coding: utf-8 -*-
>   Changes with Apache 2.5.1
>   
> +  *) mod_ssl: Fix a regression that the configuration settings for verify mode
> +     and verify depth were taken from the frontend connection in case of
> +     connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
> +
>     *) ab: Add client certificate support. [Graham Leggett]
>   
>     *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
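Review bot: the new CHANGES entry reads awkwardly ("Fix a regression that the configuration settings ... were taken from the frontend connection in case of connections by the proxy to the backend"); suggest "Fix a regression where the verify mode and verify depth settings for proxy connections to the backend were taken from the frontend connection. PR 62769." so the affected path is clear to someone scanning the file.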
> @@ -9,7 +13,7 @@ Changes with Apache 2.5.1
>     *) mod_http2: connection IO event handling reworked. Instead of reacting on
>        incoming bytes, the state machine now acts on incoming frames that are
>        affecting it. This reduces state transitions. [Stefan Eissing]
> -
> +
>     *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
>        before signals handling to avoid lifetime issues on restart or shutdown.
>        PR 62658. [Yann Ylavic]
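Review bot: the hunk at `@@ -9,7 +13,7 @@` only replaces a blank line with a blank line (a trailing-whitespace cleanup) and is unrelated to the fix; keeping such cleanups out of a bug-fix commit makes the backport proposal apply cleanly and keeps the diff focused on PR 62769.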
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1842540&r1=1842539&r2=1842540&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Oct  1 18:21:18 2018
> @@ -1750,7 +1750,8 @@ int ssl_callback_SSLVerify(int ok, X509_
>       /* Get verify ingredients */
>       int errnum   = X509_STORE_CTX_get_error(ctx);
>       int errdepth = X509_STORE_CTX_get_error_depth(ctx);
> -    int depth, verify;
> +    int depth = UNSET;
> +    int verify = SSL_CVERIFY_UNSET;
>   
>       /*
>        * Log verification information
> @@ -1766,10 +1767,15 @@ int ssl_callback_SSLVerify(int ok, X509_
>       /*
>        * Check for optionally acceptable non-verifiable issuer situation
>        */
> -    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
> -        verify = dc->nVerifyClient;
> +    if (dc) {
> +        if (sslconn->is_proxy) {
> +            verify = dc->proxy->auth.verify_mode;
> +        }
> +        else {
> +            verify = dc->nVerifyClient;
> +        }
>       }
> -    else {
> +    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
>           verify = mctx->auth.verify_mode;
>       }
>   
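Review bot: the `!dc ||` part of `if (!dc || (verify == SSL_CVERIFY_UNSET))` is redundant now that `verify` is initialised to `SSL_CVERIFY_UNSET` in the declaration hunk above: when `dc` is NULL nothing assigns `verify`, so `if (verify == SSL_CVERIFY_UNSET)` alone expresses the fallback. Two things worth confirming in review: that `dc->proxy` is never NULL when `sslconn->is_proxy` is set, since `verify = dc->proxy->auth.verify_mode;` dereferences it without a check, and that `mctx` is the proxy context on that path, otherwise the fallback to `mctx->auth.verify_mode` would still pick the frontend setting this commit is meant to avoid.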
> @@ -1873,10 +1879,15 @@ int ssl_callback_SSLVerify(int ok, X509_
>       /*
>        * Finally check the depth of the certificate verification
>        */
> -    if (dc && (dc->nVerifyDepth != UNSET)) {
> -        depth = dc->nVerifyDepth;
> +    if (dc) {
> +        if (sslconn->is_proxy) {
> +            depth = dc->proxy->auth.verify_depth;
> +        }
> +        else {
> +            depth = dc->nVerifyDepth;
> +        }
>       }
> -    else {
> +    if (!dc || (depth == UNSET)) {
>           depth = mctx->auth.verify_depth;
>       }
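Review bot: this block duplicates the structure of the verify-mode block above with `depth`, `nVerifyDepth` and `verify_depth` substituted, so the same points apply: `!dc ||` is redundant because `depth` starts as `UNSET`, and `dc->proxy->auth.verify_depth` assumes `dc->proxy` is non-NULL for proxy connections. A short comment in ssl_callback_SSLVerify stating that the per-directory settings for proxy connections live in `dc->proxy->auth` rather than `dc->nVerifyClient`/`dc->nVerifyDepth` would help the next reader, since that distinction is exactly the regression being fixed.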

Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c

Posted by Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>.

> -----Original Message-----
> From: Yann Ylavic <yl...@gmail.com>
> Sent: Monday, 8 October 2018 23:46
> To: httpd-dev <de...@httpd.apache.org>
> Subject: Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES
> modules/ssl/ssl_engine_kernel.c
> 
> On Fri, Oct 5, 2018 at 12:49 PM Ruediger Pluem <rp...@apache.org>
> wrote:
> >
> >
> >
> > On 10/05/2018 12:26 PM, Rainer Jung wrote:
> > > Shouldn't we backport this? Or do you have doubts, or are you maybe waiting
> for feedback?
> >
> > From my point of view it can be backported. It was sitting around in
> trunk waiting for feedback and then because of
> > being busy I forgot about it. Feel free to propose.
> 
> Proposed for backport in r1843208.
> Thanks for the fix Rüdiger.

Thanks for proposing.

Regards

Rüdiger

Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c

Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Oct 5, 2018 at 12:49 PM Ruediger Pluem <rp...@apache.org> wrote:
>
>
>
> On 10/05/2018 12:26 PM, Rainer Jung wrote:
> > Shouldn't we backport this? Or do you have doubts, or are you maybe waiting for feedback?
>
> From my point of view it can be backported. It was sitting around in trunk waiting for feedback and then because of
> being busy I forgot about it. Feel free to propose.

Proposed for backport in r1843208.
Thanks for the fix Rüdiger.

Regards,
Yann.

Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 10/05/2018 12:26 PM, Rainer Jung wrote:
> Shouldn't we backport this? Or do you have doubts, or are you maybe waiting for feedback?

From my point of view it can be backported. It was sitting around in trunk waiting for feedback and then because of
being busy I forgot about it. Feel free to propose.

Regards

Rüdiger

> 
> Regards,
> 
> Rainer
> 