www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

support "SSLVerifyClient optional_no_ca"

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90599 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2001-08-24 00:09:30 +00:00
parent 0171b0a5b9
commit 48c41169f0
3 changed files with 43 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
modules/ssl/mod_ssl.c
View File

@@ -345,6 +345,7 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
char *cp = NULL; char *cp = NULL;
conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl); conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
SSLSrvConfigRec *sc = mySrvConfig(c->base_server); SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
long verify_result;
if (!SSL_is_init_finished(pRec->pssl)) if (!SSL_is_init_finished(pRec->pssl))
{ {
@@ -445,14 +446,37 @@ int ssl_hook_process_connection(SSLFilterRec *pRec)
/* /*
* Check for failed client authentication * Check for failed client authentication
*/ */
if (SSL_get_verify_result(pRec->pssl) != X509_V_OK || verify_result = SSL_get_verify_result(pRec->pssl);
if (verify_result != X509_V_OK ||
((cp = (char *)apr_table_get(c->notes, ((cp = (char *)apr_table_get(c->notes,
"ssl::verify::error")) != NULL)) "ssl::verify::error")) != NULL))
{ {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, if (ssl_verify_error_is_optional(verify_result) &&
"SSL client authentication failed: %s", (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
cp != NULL ? cp : "unknown reason"); {
return ssl_abort(pRec, c); /* leaving this log message as an error for the moment,
* according to the mod_ssl docs:
* "level optional_no_ca is actually against the idea
* of authentication (but can be used to establish
* SSL test pages, etc.)"
* optional_no_ca doesn't appear to work as advertised
* in 1.x
*/
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL client authentication failed, "
"accepting certificate based on "
"\"SSLVerifyClient optional_no_ca\" configuration");
}
else {
const char *verror =
X509_verify_cert_error_string(verify_result);
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL client authentication failed: %s",
cp ? cp : verror ? verror : "unknown");
return ssl_abort(pRec, c);
}
} }
/* /*

11
modules/ssl/mod_ssl.h
View File

@@ -344,6 +344,17 @@ typedef enum {
SSL_CVERIFY_OPTIONAL_NO_CA = 3 SSL_CVERIFY_OPTIONAL_NO_CA = 3
} ssl_verify_t; } ssl_verify_t;
#ifndef X509_V_ERR_CERT_UNTRUSTED
#define X509_V_ERR_CERT_UNTRUSTED 27
#endif
#define ssl_verify_error_is_optional(errnum) \
((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
|| (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
|| (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
|| (errnum == X509_V_ERR_CERT_UNTRUSTED) \
|| (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
/* /*
* Define the SSL pass phrase dialog types * Define the SSL pass phrase dialog types
*/ */

11
modules/ssl/ssl_engine_kernel.c
View File

@@ -1237,14 +1237,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
verify = dc->nVerifyClient; verify = dc->nVerifyClient;
else else
verify = sc->nVerifyClient; verify = sc->nVerifyClient;
if ( ( errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT if (ssl_verify_error_is_optional(errnum) &&
|| errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN verify == SSL_CVERIFY_OPTIONAL_NO_CA)
|| errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY {
#if SSL_LIBRARY_VERSION >= 0x00905000
|| errnum == X509_V_ERR_CERT_UNTRUSTED
#endif
|| errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE )
&& verify == SSL_CVERIFY_OPTIONAL_NO_CA ) {
ssl_log(s, SSL_LOG_TRACE, ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as " "Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate"); "optional, therefore we're accepting the certificate");