www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate

Browse Source 
in the client certificate chain.  PR 55786.

This is done by handling an empty cert chain as no/NULL chain.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756542 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2016-08-16 18:24:56 +00:00
parent cf30866d63
commit a0cddc57d4
2 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
modules/ssl/ssl_engine_kernel.c
View File

@@ -886,7 +886,14 @@ int ssl_hook_Access(request_rec *r)
cert = SSL_get_peer_certificate(ssl);
if (!cert_stack && cert) {
if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
if (!cert) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
"Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
/* client cert is in the session cache, but there is
* no chain, since ssl3_get_client_certificate()
* sk_X509_shift-ed the peer cert out of the chain.
@@ -896,13 +903,6 @@ int ssl_hook_Access(request_rec *r)
sk_X509_push(cert_stack, cert);
}
if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
"Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
if (!(cert_store ||
(cert_store = SSL_CTX_get_cert_store(ctx))))
{