You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by do...@apache.org on 2002/06/11 05:45:54 UTC
cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c
dougm 2002/06/10 20:45:54
Modified: modules/ssl ssl_engine_kernel.c
Log:
in case there is actually a cert chain in the cache, we should be
using the value of SSL_get_peer_certificate(ssl) to verify as it will
have been removed from the chain before it was put in the cache.
Revision Changes Path
1.75 +7 -2 httpd-2.0/modules/ssl/ssl_engine_kernel.c
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -r1.74 -r1.75
--- ssl_engine_kernel.c 11 Jun 2002 03:19:26 -0000 1.74
+++ ssl_engine_kernel.c 11 Jun 2002 03:45:54 -0000 1.75
@@ -710,7 +710,9 @@
cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
- if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {
+ cert = SSL_get_peer_certificate(ssl);
+
+ if (!cert_stack && cert) {
/* client cert is in the session cache, but there is
* no chain, since ssl3_get_client_certificate()
* sk_X509_shift-ed the peer cert out of the chain.
@@ -736,7 +738,10 @@
return HTTP_FORBIDDEN;
}
- cert = sk_X509_value(cert_stack, 0);
+ if (!cert) {
+ cert = sk_X509_value(cert_stack, 0);
+ }
+
X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
depth = SSL_get_verify_depth(ssl);