i was about to move the usage of c->notes.ssl::verify::depth to SSLConnRec.verify_depth and in the process noticed the bloody thing is never used. the comment says:
/*
 * override of SSLVerifyDepth
 *
 * The depth checks are handled by us manually inside the verify callback
 * function and not by OpenSSL internally (and our function is aware of
 * both the per-server and per-directory contexts). So we cannot ask
 * OpenSSL about the currently verify depth. Instead we remember it in our
 * ap_ctx attached to the SSL* of OpenSSL. We've to force the
 * renegotiation if the reconfigured/new verify depth is less than the
 * currently active/remembered verify depth (because this means more
 * restriction on the certificate chain).
 */
but if you look at the patch below, after ssl::verify::depth usage is replaced, this is only place it is referenced, in ssl_hook_Access:
if (!(n = sslconn->verify_depth)) {
sslconn->verify_depth = n = sc->nVerifyDepth;
}
i see no reason why that couldn't just be:
n = sc->nVerifyDepth;
can anybody see something i'm missing? mod_ssl 1.x is no different.
Index: mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.34
diff -u -r1.34 mod_ssl.c
--- mod_ssl.c 2001/11/21 22:29:14 1.34
+++ mod_ssl.c 2001/11/21 23:17:16
@@ -274,7 +274,6 @@
 SSL_set_app_data(ssl, c);
 apctx = apr_table_make(c->pool, AP_CTX_MAX_ENTRIES);
 apr_table_setn(apctx, "ssl::request_rec", NULL);
- apr_table_setn(apctx, "ssl::verify::depth", AP_CTX_NUM2PTR(0));
 SSL_set_app_data2(ssl, apctx);
 sslconn->ssl = ssl;
Index: mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.38
diff -u -r1.38 mod_ssl.h
--- mod_ssl.h 2001/11/21 22:29:14 1.38
+++ mod_ssl.h 2001/11/21 23:17:16
@@ -462,6 +462,7 @@
 ssl_shutdown_type_e shutdown_type;
 const char *verify_info;
 const char *verify_error;
+ int verify_depth;
 } SSLConnRec;
 typedef struct {
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.24
diff -u -r1.24 ssl_engine_kernel.c
--- ssl_engine_kernel.c 2001/11/21 22:29:14 1.24
+++ ssl_engine_kernel.c 2001/11/21 23:17:18
@@ -371,11 +371,9 @@
 STACK_OF(SSL_CIPHER) *skCipherOld;
 STACK_OF(SSL_CIPHER) *skCipher;
 SSL_CIPHER *pCipher;
- apr_table_t *apctx;
 int nVerifyOld;
 int nVerify;
 int n;
- void *vp;
 int rc;
 dc = myDirConfig(r);
@@ -522,13 +520,10 @@
 * restriction on the certificate chain).
 */
 if (dc->nVerifyDepth != UNSET) {
- apctx = (apr_table_t *)SSL_get_app_data2(ssl);
- if ((vp = (void *)apr_table_get(apctx, "ssl::verify::depth")) != NULL)
- n = (int)AP_CTX_PTR2NUM(vp);
- else
- n = sc->nVerifyDepth;
- apr_table_setn(apctx, "ssl::verify::depth",
- (const char *)AP_CTX_NUM2PTR(dc->nVerifyDepth));
+ if (!(n = sslconn->verify_depth)) {
+ sslconn->verify_depth = n = sc->nVerifyDepth;
+ }
+ /* determine whether a renegotiation has to be forced */
 if (dc->nVerifyDepth < n) {
 renegotiate = TRUE;
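Review bot: The new `int verify_depth;` member of SSLConnRec has no comment, and the only reader shown (the ssl_engine_kernel.c hunk below) treats 0 as "not yet recorded", which silently depends on the struct being zero-allocated and, if a depth of 0 is a legal SSLVerifyDepth setting, makes that value indistinguishable from "unset"; suggest `int verify_depth; /* verify depth in force on this connection; 0 = not yet recorded */`. In that later hunk the field is only ever assigned sc->nVerifyDepth, whereas the removed code also stored dc->nVerifyDepth after the comparison, so the per-directory depth that was actually applied is no longer remembered across requests on the same connection. That dropped store, rather than the field being redundant, appears to be what the question in the message is missing, since without it `n = sc->nVerifyDepth` is indeed all the new code computes. The last hunk is cut off in this view, so its tail could not be checked.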