mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00

mod_ssl: follow up to r1734561 and r1735337.

We also need to reset the X509_STORE_CTX's error in the callback to quiet
X509_V_ERR_UNABLE_TO_GET_CRL for the leaf certificate (caught by AH02010).



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737265 13f79535-47bb-0310-9956-ffa450edef68
Yann Ylavic
2016-03-31 18:24:06 +00:00
parent 478077c99b
commit 1a829ed2fa


@@ -1637,6 +1637,11 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
&& (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) { && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, conn,
"Certificate Verification: Temporary error (%d): %s: "
"optional therefore we're accepting the certificate",
errnum, X509_verify_cert_error_string(errnum));
X509_STORE_CTX_set_error(ctx, X509_V_OK);
errnum = X509_V_OK; errnum = X509_V_OK;
ok = TRUE; ok = TRUE;
} }
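Review bot: The accept path for X509_V_ERR_UNABLE_TO_GET_CRL in the added lines is fail-open for revocation checking, and its only record is the `ap_log_cerror(APLOG_MARK, APLOG_TRACE3, ...)` call, so at normal log levels nothing shows that a certificate was accepted without a CRL. Once `X509_STORE_CTX_set_error(ctx, X509_V_OK)` has run, the stored verify result presumably looks the same as a fully checked chain to any later consumer, so that log line is the only audit trail; consider a more visible level such as `APLOG_INFO` if the volume is acceptable. The message also calls the condition a "Temporary error", although a missing CRL can be permanent for a given issuer; wording such as "CRL unavailable" would be more accurate. A comment above the reset would help the next reader, e.g. `/* clear the stored error as well, so the verify result does not keep reporting UNABLE_TO_GET_CRL for a certificate we accepted */`. ssl_callback_SSLVerify starts and ends outside this hunk, so how errnum is obtained and what follows this block cannot be checked from here.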