
Re: svn commit: r1840585 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_kernel.c


On Tue, Sep 11, 2018 at 6:01 PM <jorton@xxxxxxxxxx> wrote:
>
> Author: jorton
> Date: Tue Sep 11 16:01:47 2018
> New Revision: 1840585
>
> URL: http://svn.apache.org/viewvc?rev=1840585&view=rev
> Log:
> * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
>   403 if SSL_verify_client_post_handshake() fails, e.g. when the
>   TLS/1.3 client didn't send the Post-Handshake Authentication
>   extension.

There also seem to be some subtleties between SSL_VERIFY_CLIENT_ONCE
(which we use in ssl_hook_Access_modern) and
SSL_VERIFY_POST_HANDSHAKES (another openssl flag related to PHA). I'm
not sure I understand the docs for now...

Both seem to be mutually exclusive (though it's not really stated in
the doc), and possibly we don't use the right one since we call
SSL_verify_client_post_handshake() explicitly. On the other hand
SSL_VERIFY_POST_HANDSHAKES might depend on the client being PHA aware
(and/or advertised?), and if so should we detect it on the server side
to use SSL_VERIFY_POST_HANDSHAKES for the handshake?

I'm asking, should you have more insight on those flags...