Remove code to support per-dir-CA configuration which relies on a

function which was never included in OpenSSL: * acinclude.m4: Remove test for fictional function. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Remove code. * modules/ssl/ssl_engine_config.c (MODSSL_SET_CA): Remove unused macro. (ssl_cmd_SSLCACertificatePath, ssl_cmd_SSLCACertificateFile): Fail if per-dir-CA is configured. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757380 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2009-03-23 11:45:00 +00:00
parent c84fec1552
commit f67ffe3d58
3 changed files with 9 additions and 78 deletions
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -475,7 +475,6 @@ if test "x$ap_ssltk_configured" = "x"; then
    AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
    AC_CHECK_FUNCS(SSL_set_state)
  fi
  AC_CHECK_FUNCS(SSL_set_cert_store)
  dnl restore
  CPPFLAGS="$saved_CPPFLAGS"
  LIBS="$saved_LIBS"
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -749,22 +749,7 @@ const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *cmd,
 }
 #define NO_PER_DIR_SSL_CA \
-    "Your ssl library does not have support for per-directory CA"
+    "Your SSL library does not have support for per-directory CA"
 #ifdef HAVE_SSL_SET_CERT_STORE
 #   define MODSSL_HAVE_SSL_SET_CERT_STORE 1
 #else
 #   define MODSSL_HAVE_SSL_SET_CERT_STORE 0
 #endif
 #define MODSSL_SET_CA(f) \
    if (cmd->path) \
        if (MODSSL_HAVE_SSL_SET_CERT_STORE) \
            dc->f = arg; \
        else \
            return NO_PER_DIR_SSL_CA; \
    else \
        sc->f = arg \
 const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd,
                                         void *dcfg,
@@ -778,6 +763,10 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd,
        return err;
    }
    if (cmd->path) {
        return NO_PER_DIR_SSL_CA;
    }
    /* XXX: bring back per-dir */
    sc->server->auth.ca_cert_path = arg;
@@ -796,6 +785,10 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd,
        return err;
    }
    if (cmd->path) {
        return NO_PER_DIR_SSL_CA;
    }
    /* XXX: bring back per-dir */
    sc->server->auth.ca_cert_file = arg;
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -540,67 +540,6 @@ int ssl_hook_Access(request_rec *r)
        }
    }
    /*
     * override SSLCACertificateFile & SSLCACertificatePath
     * This is only enabled if the SSL_set_cert_store() function
     * is available in the ssl library.  the 1.x based mod_ssl
     * used SSL_CTX_set_cert_store which is not thread safe.
     */
 #ifdef HAVE_SSL_SET_CERT_STORE
    /*
     * check if per-dir and per-server config field are not the same.
     * if f is defined in per-dir and not defined in per-server
     * or f is defined in both but not the equal ...
     */
 #define MODSSL_CFG_NE(f) \
     (dc->f && (!sc->f || (sc->f && strNE(dc->f, sc->f))))
 #define MODSSL_CFG_CA(f) \
     (dc->f ? dc->f : sc->f)
    if (MODSSL_CFG_NE(szCACertificateFile) ||
        MODSSL_CFG_NE(szCACertificatePath))
    {
        STACK_OF(X509_NAME) *ca_list;
        const char *ca_file = MODSSL_CFG_CA(szCACertificateFile);
        const char *ca_path = MODSSL_CFG_CA(szCACertificatePath);
        cert_store = X509_STORE_new();
        if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "Unable to reconfigure verify locations "
                          "for client authentication");
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
            X509_STORE_free(cert_store);
            return HTTP_FORBIDDEN;
        }
        /* SSL_free will free cert_store */
        SSL_set_cert_store(ssl, cert_store);
        if (!(ca_list = ssl_init_FindCAList(r->server, r->pool,
                                            ca_file, ca_path)))
        {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                         "Unable to determine list of available "
                         "CA certificates for client authentication");
            return HTTP_FORBIDDEN;
        }
        SSL_set_client_CA_list(ssl, ca_list);
        renegotiate = TRUE;
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                      "Changed client verification locations will force "
                      "renegotiation");
    }
 #endif /* HAVE_SSL_SET_CERT_STORE */
    /* If a renegotiation is now required for this location, and the
     * request includes a message body (and the client has not
     * requested a "100 Continue" response), then the client will be