www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with

Browse Source 
403 if SSL_verify_client_post_handshake() fails, e.g. when the
  TLS/1.3 client didn't send the Post-Handshake Authentication
  extension.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1840585 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2018-09-11 16:01:47 +00:00
parent 5133c75373
commit 50f39b07dc
2 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
modules/ssl/ssl_engine_kernel.c
View File

@@ -1219,8 +1219,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10129) "verify client post handshake");
SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
SSL_verify_client_post_handshake(ssl);
if (SSL_verify_client_post_handshake(ssl) != 1) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
"cannot perform post-handshake authentication");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
apr_table_setn(r->notes, "error-notes",
"Reason: Cannot perform Post-Handshake Authentication.<br />");
return HTTP_FORBIDDEN;
}
old_state = sslconn->reneg_state;
sslconn->reneg_state = RENEG_ALLOW;
modssl_set_app_data2(ssl, r);