* modules/ssl/mod_ssl.c: Declare new config directives

SSLCADNRequestFile and SSLCADNRequestPath. * modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path, ca_name_file fields. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA DN list sent in the CertificateRequest from those certificates. * modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use pcalloc to zero-initialize the entire modssl_pk_server_t structure. (ssl_config_server_new): Merge the ca_name_* fields. (ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New functions. PR: 32848 Submitted by: Tim Taylor <tim.taylor dfas.mil> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2005-01-14 13:54:31 +00:00
parent 5d4ce7fb94
commit 3f6c23e40a
5 changed files with 63 additions and 15 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -544,12 +544,17 @@ static void ssl_init_ctx_verify(server_rec *s,
            ssl_die();
        }

-        ca_list = ssl_init_FindCAList(s, ptemp,
-                                      mctx->auth.ca_cert_file,
-                                      mctx->auth.ca_cert_path);
+        if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
+            ca_list = ssl_init_FindCAList(s, ptemp,
+                                          mctx->pks->ca_name_file,
+                                          mctx->pks->ca_name_path);
+        } else
+            ca_list = ssl_init_FindCAList(s, ptemp,
+                                          mctx->auth.ca_cert_file,
+                                          mctx->auth.ca_cert_path);
        if (!ca_list) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                    "Unable to determine list of available "
+                    "Unable to determine list of acceptable "
                    "CA certificates for client authentication");
            ssl_die();
        }
@@ -1151,7 +1156,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,

        if ((rv = apr_dir_open(&dir, ca_path, ptemp)) != APR_SUCCESS) {
            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
-                    "Failed to open SSLCACertificatePath `%s'",
+                    "Failed to open Certificate Path `%s'",
                    ca_path);
            ssl_die();
        }