You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2015/06/08 14:25:22 UTC
svn commit: r1684171 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_kernel.c
Author: ylavic
Date: Mon Jun 8 12:25:22 2015
New Revision: 1684171
URL: http://svn.apache.org/r1684171
Log:
mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if
the SSLVerifyDepth applied with the default/handshaken vhost differs from
the one applicable with the finally selected vhost.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1684171&r1=1684170&r2=1684171&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Jun 8 12:25:22 2015
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
+ the SSLVerifyDepth applied with the default/handshaken vhost differs from
+ the one applicable with the finally selected vhost. [Yann Ylavic]
+
*) core: Avoid a possible truncation of the faulty header included in the
HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1684171&r1=1684170&r2=1684171&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Jun 8 12:25:22 2015
@@ -514,31 +514,6 @@ int ssl_hook_Access(request_rec *r)
}
/*
- * override of SSLVerifyDepth
- *
- * The depth checks are handled by us manually inside the verify callback
- * function and not by OpenSSL internally (and our function is aware of
- * both the per-server and per-directory contexts). So we cannot ask
- * OpenSSL about the currently verify depth. Instead we remember it in our
- * SSLConnRec attached to the SSL* of OpenSSL. We've to force the
- * renegotiation if the reconfigured/new verify depth is less than the
- * currently active/remembered verify depth (because this means more
- * restriction on the certificate chain).
- */
- n = (sslconn->verify_depth != UNSET) ?
- sslconn->verify_depth :
- (mySrvConfig(handshakeserver))->server->auth.verify_depth;
- /* determine the new depth */
- sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
- dc->nVerifyDepth : sc->server->auth.verify_depth;
- if (sslconn->verify_depth < n) {
- renegotiate = TRUE;
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
- "Reduced client verification depth will force "
- "renegotiation");
- }
-
- /*
* override of SSLVerifyClient
*
* We force a renegotiation if the reconfigured/new verify type is
@@ -554,6 +529,8 @@ int ssl_hook_Access(request_rec *r)
*/
if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
+ SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
+
/* remember old state */
verify_old = SSL_get_verify_mode(ssl);
/* configure new state */
@@ -601,7 +578,36 @@ int ssl_hook_Access(request_rec *r)
"Changed client verification type will force "
"%srenegotiation",
renegotiate_quick ? "quick " : "");
- }
+ }
+ else if (verify != SSL_VERIFY_NONE) {
+ /*
+ * override of SSLVerifyDepth
+ *
+ * The depth checks are handled by us manually inside the
+ * verify callback function and not by OpenSSL internally
+ * (and our function is aware of both the per-server and
+ * per-directory contexts). So we cannot ask OpenSSL about
+ * the currently verify depth. Instead we remember it in our
+ * SSLConnRec attached to the SSL* of OpenSSL. We've to force
+ * the renegotiation if the reconfigured/new verify depth is
+ * less than the currently active/remembered verify depth
+ * (because this means more restriction on the certificate
+ * chain).
+ */
+ n = (sslconn->verify_depth != UNSET)
+ ? sslconn->verify_depth
+ : hssc->server->auth.verify_depth;
+ /* determine the new depth */
+ sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
+ ? dc->nVerifyDepth
+ : sc->server->auth.verify_depth;
+ if (sslconn->verify_depth < n) {
+ renegotiate = TRUE;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
+ "Reduced client verification depth will "
+ "force renegotiation");
+ }
+ }
}
/* If we're handling a request for a vhost other than the default one,
* then we need to make sure that client authentication is properly
@@ -617,8 +623,6 @@ int ssl_hook_Access(request_rec *r)
&& renegotiate
&& ((verify & SSL_VERIFY_PEER) ||
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
- SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
-
#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
(sc1->server->auth.f && \
(!sc2->server->auth.f || \