https://issues.apache.org/bugzilla/show_bug.cgi?id=44561
Summary: SSL quick renegotiation + client certs failing
Product: Apache httpd-2
Version: 2.0.63
Platform: PC
OS/Version: All
Status: NEW
Keywords: PatchAvailable
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Created an attachment (id=21646)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=21646)
Patch for 2.0.63
Scenario:
- Per-directory SSLVerifyClient
- SSLOptions +OptRenegotiate
Quick renegotiation fails because the certification verification procedure sets
the Verify Result incorrectly.
Bug exists in 2.0/2.2/trunk.
Detail:
    if (!modssl_X509_verify_cert(&cert_store_ctx)) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                     "Re-negotiation verification step failed");
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
    }
    SSL_set_verify_result(ssl, cert_store_ctx.error);
Function modssl_X509_verify_cert(ctx) does not set cert_store_ctx.error unless
there was a problem verifying the certificate. Therefore, we do not want to set the
verify_result to this value. Current behavior sets this to an undefined value
(which is NOT X509_V_OK).
Fix attached (against 2.0).
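
Added example, not part of the original report and not mod_ssl code: a self-contained C model of the pattern described above, where the verifier writes its error field only on failure and the caller copies that field unconditionally. All names (store_ctx, verify_cert, verify_result_reported, verify_result_guarded, the V_* codes) are hypothetical, the 0x5A fill stands in for the stale value of the field, and the guarded variant is one possible correction, not the attached patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not OpenSSL or mod_ssl definitions. */
#define V_OK            0L  /* plays the role of X509_V_OK */
#define V_ERR_UNTRUSTED 27  /* constructed failure code */

struct store_ctx { int cert_trusted; int error; };

/* As the report describes: returns 1 on success, 0 on failure, and
 * writes ctx->error only on the failure path. */
static int verify_cert(struct store_ctx *ctx)
{
    if (ctx->cert_trusted)
        return 1;                 /* ctx->error left untouched */
    ctx->error = V_ERR_UNTRUSTED;
    return 0;
}

/* Poison the context so the stale field value is deterministic. */
static void ctx_setup(struct store_ctx *ctx, int trusted)
{
    memset(ctx, 0x5A, sizeof *ctx);
    ctx->cert_trusted = trusted;
}

/* Reported pattern: the error field is copied unconditionally. */
long verify_result_reported(int trusted)
{
    struct store_ctx ctx;
    ctx_setup(&ctx, trusted);
    verify_cert(&ctx);
    return ctx.error;             /* stale value when the cert is good */
}

/* Guarded variant: the error field is read only after a failure. */
long verify_result_guarded(int trusted)
{
    struct store_ctx ctx;
    ctx_setup(&ctx, trusted);
    return verify_cert(&ctx) ? V_OK : (long)ctx.error;
}

int main(void)
{
    for (int t = 1; t >= 0; t--)
        printf("trusted=%d reported=%ld guarded=%ld\n", t,
               verify_result_reported(t), verify_result_guarded(t));
    return 0;
}
```

In the model, a certificate that verifies cleanly still ends up with a non-OK recorded result under the reported pattern, which matches the failed quick renegotiation described in the report.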