OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c


Shouldn't we backport this? Or do you have doubts or maybe waiting for feedback?

Regards,

Rainer

Am 01.10.2018 um 20:21 schrieb rpluem@xxxxxxxxxx:
Author: rpluem
Date: Mon Oct  1 18:21:18 2018
New Revision: 1842540

URL: http://svn.apache.org/viewvc?rev=1842540&view=rev
Log:
* Pickup the proxy related configuration for verify mode and verify depth and
   not the configuration settings for frontend connections in case of
   connections by the proxy to the backend.

PR: 62769

Modified:
     httpd/httpd/trunk/CHANGES
     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1842540&r1=1842539&r2=1842540&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct  1 18:21:18 2018
@@ -1,6 +1,10 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.1
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+     and verify depth were taken from the frontend connection in case of
+     connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
    *) ab: Add client certificate support. [Graham Leggett]
*) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
@@ -9,7 +13,7 @@ Changes with Apache 2.5.1
    *) mod_http2: connection IO event handling reworked. Instead of reacting on
       incoming bytes, the state machine now acts on incoming frames that are
       affecting it. This reduces state transitions. [Stefan Eissing]
-
+
    *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
       before signals handling to avoid lifetime issues on restart or shutdown.
       PR 62658. [Yann Ylavic]

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1842540&r1=1842539&r2=1842540&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Oct  1 18:21:18 2018
@@ -1750,7 +1750,8 @@ int ssl_callback_SSLVerify(int ok, X509_
      /* Get verify ingredients */
      int errnum   = X509_STORE_CTX_get_error(ctx);
      int errdepth = X509_STORE_CTX_get_error_depth(ctx);
-    int depth, verify;
+    int depth = UNSET;
+    int verify = SSL_CVERIFY_UNSET;
/*
       * Log verification information
@@ -1766,10 +1767,15 @@ int ssl_callback_SSLVerify(int ok, X509_
      /*
       * Check for optionally acceptable non-verifiable issuer situation
       */
-    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
-        verify = dc->nVerifyClient;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            verify = dc->proxy->auth.verify_mode;
+        }
+        else {
+            verify = dc->nVerifyClient;
+        }
      }
-    else {
+    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
          verify = mctx->auth.verify_mode;
      }
@@ -1873,10 +1879,15 @@ int ssl_callback_SSLVerify(int ok, X509_
      /*
       * Finally check the depth of the certificate verification
       */
-    if (dc && (dc->nVerifyDepth != UNSET)) {
-        depth = dc->nVerifyDepth;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            depth = dc->proxy->auth.verify_depth;
+        }
+        else {
+            depth = dc->nVerifyDepth;
+        }
      }
-    else {
+    if (!dc || (depth == UNSET)) {
          depth = mctx->auth.verify_depth;
      }