mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if
the SSLVerifyDepth applied with the default/handshaken vhost differs from the one applicable with the finally selected vhost. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1684171 13f79535-47bb-0310-9956-ffa450edef68
4
CHANGES
4
CHANGES
@@ -1,6 +1,10 @@
|
|||||||
-*- coding: utf-8 -*-
|
-*- coding: utf-8 -*-
|
||||||
Changes with Apache 2.5.0
|
Changes with Apache 2.5.0
|
||||||
|
|
||||||
|
*) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
|
||||||
|
the SSLVerifyDepth applied with the default/handshaken vhost differs from
|
||||||
|
the one applicable with the finally selected vhost. [Yann Ylavic]
|
||||||
|
|
||||||
*) core: Avoid a possible truncation of the faulty header included in the
|
*) core: Avoid a possible truncation of the faulty header included in the
|
||||||
HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
|
HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
|
||||||
|
|
||||||
|
@@ -513,31 +513,6 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* override of SSLVerifyDepth
|
|
||||||
*
|
|
||||||
* The depth checks are handled by us manually inside the verify callback
|
|
||||||
* function and not by OpenSSL internally (and our function is aware of
|
|
||||||
* both the per-server and per-directory contexts). So we cannot ask
|
|
||||||
* OpenSSL about the currently verify depth. Instead we remember it in our
|
|
||||||
* SSLConnRec attached to the SSL* of OpenSSL. We've to force the
|
|
||||||
* renegotiation if the reconfigured/new verify depth is less than the
|
|
||||||
* currently active/remembered verify depth (because this means more
|
|
||||||
* restriction on the certificate chain).
|
|
||||||
*/
|
|
||||||
n = (sslconn->verify_depth != UNSET) ?
|
|
||||||
sslconn->verify_depth :
|
|
||||||
(mySrvConfig(handshakeserver))->server->auth.verify_depth;
|
|
||||||
/* determine the new depth */
|
|
||||||
sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
|
|
||||||
dc->nVerifyDepth : sc->server->auth.verify_depth;
|
|
||||||
if (sslconn->verify_depth < n) {
|
|
||||||
renegotiate = TRUE;
|
|
||||||
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
|
|
||||||
"Reduced client verification depth will force "
|
|
||||||
"renegotiation");
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* override of SSLVerifyClient
|
* override of SSLVerifyClient
|
||||||
*
|
*
|
||||||
@@ -554,6 +529,8 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
*/
|
*/
|
||||||
if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
|
if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
|
||||||
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
|
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
|
||||||
|
SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
|
||||||
|
|
||||||
/* remember old state */
|
/* remember old state */
|
||||||
verify_old = SSL_get_verify_mode(ssl);
|
verify_old = SSL_get_verify_mode(ssl);
|
||||||
/* configure new state */
|
/* configure new state */
|
||||||
@@ -601,7 +578,36 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
"Changed client verification type will force "
|
"Changed client verification type will force "
|
||||||
"%srenegotiation",
|
"%srenegotiation",
|
||||||
renegotiate_quick ? "quick " : "");
|
renegotiate_quick ? "quick " : "");
|
||||||
}
|
}
|
||||||
|
else if (verify != SSL_VERIFY_NONE) {
|
||||||
|
/*
|
||||||
|
* override of SSLVerifyDepth
|
||||||
|
*
|
||||||
|
* The depth checks are handled by us manually inside the
|
||||||
|
* verify callback function and not by OpenSSL internally
|
||||||
|
* (and our function is aware of both the per-server and
|
||||||
|
* per-directory contexts). So we cannot ask OpenSSL about
|
||||||
|
* the currently verify depth. Instead we remember it in our
|
||||||
|
* SSLConnRec attached to the SSL* of OpenSSL. We've to force
|
||||||
|
* the renegotiation if the reconfigured/new verify depth is
|
||||||
|
* less than the currently active/remembered verify depth
|
||||||
|
* (because this means more restriction on the certificate
|
||||||
|
* chain).
|
||||||
|
*/
|
||||||
|
n = (sslconn->verify_depth != UNSET)
|
||||||
|
? sslconn->verify_depth
|
||||||
|
: hssc->server->auth.verify_depth;
|
||||||
|
/* determine the new depth */
|
||||||
|
sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
|
||||||
|
? dc->nVerifyDepth
|
||||||
|
: sc->server->auth.verify_depth;
|
||||||
|
if (sslconn->verify_depth < n) {
|
||||||
|
renegotiate = TRUE;
|
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
|
||||||
|
"Reduced client verification depth will "
|
||||||
|
"force renegotiation");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
/* If we're handling a request for a vhost other than the default one,
|
/* If we're handling a request for a vhost other than the default one,
|
||||||
* then we need to make sure that client authentication is properly
|
* then we need to make sure that client authentication is properly
|
||||||
@@ -617,8 +623,6 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
&& renegotiate
|
&& renegotiate
|
||||||
&& ((verify & SSL_VERIFY_PEER) ||
|
&& ((verify & SSL_VERIFY_PEER) ||
|
||||||
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
|
(verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
|
||||||
SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
|
|
||||||
|
|
||||||
#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
|
#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
|
||||||
(sc1->server->auth.f && \
|
(sc1->server->auth.f && \
|
||||||
(!sc2->server->auth.f || \
|
(!sc2->server->auth.f || \
|
||||||
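Review bot: The reassignment `sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ? dc->nVerifyDepth : sc->server->auth.verify_depth;` now runs only inside the new `else if (verify != SSL_VERIFY_NONE)` branch of the third hunk, so when the preceding branch (its `if` opens before the hunk) forces a renegotiation because the verification type changed, the connection keeps its handshake-time depth, whereas the block removed in the first hunk assigned the new depth unconditionally. Since the retained comment states that depth checks are done in the verify callback from the value remembered in SSLConnRec, that renegotiation would then be checked against the default/handshaken vhost's depth rather than the selected vhost's or directory's SSLVerifyDepth, which is a weaker chain restriction than the configuration asks for. Consider computing `n` and assigning the new `sslconn->verify_depth` before the `verify != verify_old` test (`hssc` is already declared at the top of the block) and keeping only the `if (sslconn->verify_depth < n)` renegotiation trigger in the else-if; if the omission is intentional because the full renegotiation re-verifies anyway, a short comment saying so on the else-if would make that explicit. The body of ssl_hook_Access continues outside these hunks.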
|