Posted to cvs@httpd.apache.org by do...@apache.org on 2001/08/24 02:09:30 UTC
cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_kernel.c
dougm 01/08/23 17:09:30
Modified: modules/ssl mod_ssl.c mod_ssl.h ssl_engine_kernel.c
Log:
support "SSLVerifyClient optional_no_ca"
Revision Changes Path
1.27 +29 -5 httpd-2.0/modules/ssl/mod_ssl.c
Index: mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- mod_ssl.c 2001/08/23 23:43:45 1.26
+++ mod_ssl.c 2001/08/24 00:09:30 1.27
@@ -345,6 +345,7 @@
char *cp = NULL;
conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ long verify_result;
if (!SSL_is_init_finished(pRec->pssl))
{
@@ -445,14 +446,37 @@
/*
* Check for failed client authentication
*/
- if (SSL_get_verify_result(pRec->pssl) != X509_V_OK ||
+ verify_result = SSL_get_verify_result(pRec->pssl);
+
+ if (verify_result != X509_V_OK ||
((cp = (char *)apr_table_get(c->notes,
"ssl::verify::error")) != NULL))
{
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
- "SSL client authentication failed: %s",
- cp != NULL ? cp : "unknown reason");
- return ssl_abort(pRec, c);
+ if (ssl_verify_error_is_optional(verify_result) &&
+ (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
+ {
+ /* leaving this log message as an error for the moment,
+ * according to the mod_ssl docs:
+ * "level optional_no_ca is actually against the idea
+ * of authentication (but can be used to establish
+ * SSL test pages, etc.)"
+ * optional_no_ca doesn't appear to work as advertised
+ * in 1.x
+ */
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "SSL client authentication failed, "
+ "accepting certificate based on "
+ "\"SSLVerifyClient optional_no_ca\" configuration");
+
+ }
+ else {
+ const char *verror =
+ X509_verify_cert_error_string(verify_result);
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "SSL client authentication failed: %s",
+ cp ? cp : verror ? verror : "unknown");
+ return ssl_abort(pRec, c);
+ }
}
/*
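Review bot: The optional_no_ca acceptance on the new lines tests only `sc->nVerifyClient`, while the verify callback in ssl_engine_kernel.c changed by this same commit takes `dc->nVerifyClient` first and falls back to the server value, so a per-directory SSLVerifyClient setting could make the two checks disagree. If no directory config can exist at this connection-level point, a comment next to the condition would settle it, e.g. `/* connection-level check: no per-dir config is available here, so sc->nVerifyClient is authoritative */`. The accepting branch also leaves `cp` (the `ssl::verify::error` note) in place, so later code that inspects that note will still see the recorded failure; that may be intended, but it is worth stating beside the log call. The enclosing function starts and ends outside this hunk.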
1.31 +11 -0 httpd-2.0/modules/ssl/mod_ssl.h
Index: mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- mod_ssl.h 2001/08/23 19:42:44 1.30
+++ mod_ssl.h 2001/08/24 00:09:30 1.31
@@ -344,6 +344,17 @@
SSL_CVERIFY_OPTIONAL_NO_CA = 3
} ssl_verify_t;
+#ifndef X509_V_ERR_CERT_UNTRUSTED
+#define X509_V_ERR_CERT_UNTRUSTED 27
+#endif
+
+#define ssl_verify_error_is_optional(errnum) \
+ ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
+ || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
+ || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
+ || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
+ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+
/*
* Define the SSL pass phrase dialog types
*/
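Review bot: The macro parameter `errnum` is used unparenthesized in each of the five comparisons and is evaluated up to five times, so an argument such as a conditional expression would bind wrongly and one with side effects would repeat them; each use should read `((errnum) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)` and likewise for the other four lines (both current callers pass a plain variable, which keeps the multiple evaluation harmless). The fallback `#define X509_V_ERR_CERT_UNTRUSTED 27` also stands in for the `SSL_LIBRARY_VERSION` guard that ssl_engine_kernel.c drops in this commit, so on a library that predates that code the comparison is now compiled in rather than omitted; a comment such as `/* fallback for libraries that lack this error code; the comparison is simply never true there */` would record that this is deliberate.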
1.19 +3 -8 httpd-2.0/modules/ssl/ssl_engine_kernel.c
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- ssl_engine_kernel.c 2001/08/22 21:37:15 1.18
+++ ssl_engine_kernel.c 2001/08/24 00:09:30 1.19
@@ -1237,14 +1237,9 @@
verify = dc->nVerifyClient;
else
verify = sc->nVerifyClient;
- if ( ( errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
- || errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
- || errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
-#if SSL_LIBRARY_VERSION >= 0x00905000
- || errnum == X509_V_ERR_CERT_UNTRUSTED
-#endif
- || errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE )
- && verify == SSL_CVERIFY_OPTIONAL_NO_CA ) {
+ if (ssl_verify_error_is_optional(errnum) &&
+ verify == SSL_CVERIFY_OPTIONAL_NO_CA)
+ {
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");