
mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if

the SSLVerifyDepth in effect for the default/handshake vhost differs from
the one applicable to the finally selected vhost.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1684171 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2015-06-08 12:25:22 +00:00
parent 2e15d780b5
commit 10806f5db1
2 changed files with 36 additions and 28 deletions


@@ -513,31 +513,6 @@ int ssl_hook_Access(request_rec *r)
}
}
/*
* override of SSLVerifyDepth
*
* The depth checks are handled by us manually inside the verify callback
* function and not by OpenSSL internally (and our function is aware of
* both the per-server and per-directory contexts). So we cannot ask
* OpenSSL about the currently verify depth. Instead we remember it in our
* SSLConnRec attached to the SSL* of OpenSSL. We've to force the
* renegotiation if the reconfigured/new verify depth is less than the
* currently active/remembered verify depth (because this means more
* restriction on the certificate chain).
*/
n = (sslconn->verify_depth != UNSET) ?
sslconn->verify_depth :
(mySrvConfig(handshakeserver))->server->auth.verify_depth;
/* determine the new depth */
sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
dc->nVerifyDepth : sc->server->auth.verify_depth;
if (sslconn->verify_depth < n) {
renegotiate = TRUE;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
"Reduced client verification depth will force "
"renegotiation");
}
/*
* override of SSLVerifyClient
*
@@ -554,6 +529,8 @@ int ssl_hook_Access(request_rec *r)
*/
if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
/* remember old state */
verify_old = SSL_get_verify_mode(ssl);
/* configure new state */
@@ -601,7 +578,36 @@ int ssl_hook_Access(request_rec *r)
"Changed client verification type will force "
"%srenegotiation",
renegotiate_quick ? "quick " : "");
}
}
else if (verify != SSL_VERIFY_NONE) {
/*
* override of SSLVerifyDepth
*
* The depth checks are handled by us manually inside the
* verify callback function and not by OpenSSL internally
* (and our function is aware of both the per-server and
* per-directory contexts). So we cannot ask OpenSSL about
* the currently verify depth. Instead we remember it in our
* SSLConnRec attached to the SSL* of OpenSSL. We've to force
* the renegotiation if the reconfigured/new verify depth is
* less than the currently active/remembered verify depth
* (because this means more restriction on the certificate
* chain).
*/
n = (sslconn->verify_depth != UNSET)
? sslconn->verify_depth
: hssc->server->auth.verify_depth;
/* determine the new depth */
sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
? dc->nVerifyDepth
: sc->server->auth.verify_depth;
if (sslconn->verify_depth < n) {
renegotiate = TRUE;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
"Reduced client verification depth will "
"force renegotiation");
}
}
}
/* If we're handling a request for a vhost other than the default one,
* then we need to make sure that client authentication is properly
@@ -617,8 +623,6 @@ int ssl_hook_Access(request_rec *r)
&& renegotiate
&& ((verify & SSL_VERIFY_PEER) ||
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
(sc1->server->auth.f && \
(!sc2->server->auth.f || \