just a note on this, SSLOptions +OptRengotiate simulates what
s3_srvr.c:ssl3_get_client_certificate would do when calling
ssl_verify_cert_chain() with the certs presented by the client.
for whatever reason, when the cert chain is saved to the session cache,
the peer cert is removed from the chain:
s->session->peer=sk_X509_shift(sk);
...
s->session->sess_cert->cert_chain=sk;
/* Inconsistency alert: cert_chain does *not* include the
* peer's own certificate, while we do include it in s3_clnt.c */
so this workaround simply pushes the peer cert from the session cache back
into the "chain".
I'd be surprised if 'SSLOptions +OptRengotiate' actually ever worked for
anybody before this change, including the 1.3 based modssl which still has
this issue.
On 11 Jun 2002 [EMAIL PROTECTED] wrote:
> dougm 2002/06/10 20:12:34
>
> Modified: modules/ssl ssl_engine_kernel.c
> . CHANGES
> Log:
> 'SSLOptions +OptRengotiate' will use client cert in from the ssl
> session cache when there is no cert chain in the cache. prior to
> the fix this situation would result in a FORBIDDEN response and
> error message "Cannot find peer certificate chain"
>
> Revision Changes Path
> 1.73 +15 -0 httpd-2.0/modules/ssl/ssl_engine_kernel.c
>
> Index: ssl_engine_kernel.c
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
> retrieving revision 1.72
> retrieving revision 1.73
> diff -u -r1.72 -r1.73
> --- ssl_engine_kernel.c 4 Jun 2002 07:12:26 -0000 1.72
> +++ ssl_engine_kernel.c 11 Jun 2002 03:12:33 -0000 1.73
> @@ -709,6 +709,16 @@
>
> cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
>
> + if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {
> + /* client cert is in the session cache, but there is
> + * no chain, since ssl3_get_client_certificate()
> + * sk_X509_shift-ed the peer cert out of the chain.
> + * we put it back here for the purpose of quick_renegotiation.
> + */
> + cert_stack = sk_new_null();
> + sk_X509_push(cert_stack, cert);
> + }
> +
> if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> "Cannot find peer certificate chain");
> @@ -745,6 +755,11 @@
>
> SSL_set_verify_result(ssl, cert_store_ctx.error);
> X509_STORE_CTX_cleanup(&cert_store_ctx);
> +
> + if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
> + /* we created this ourselves, so free it */
> + sk_X509_pop_free(cert_stack, X509_free);
> + }
> }
> else {
> request_rec *id = r->main ? r->main : r;
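Review bot: the ownership test `if (cert_stack != SSL_get_peer_cert_chain(ssl))` is correct only because the private stack is built exactly when that accessor returned NULL, but it re-derives that fact by calling the accessor a second time instead of recording it; a local flag set where the stack is created would make the intent explicit and is cheaper than a second call into the SSL object. `sk_X509_pop_free(cert_stack, X509_free)` is the right release here, since the only element is the extra reference returned by `SSL_get_peer_certificate()` in the first hunk. The free is reached only on the branch shown; please confirm the function has no other exit between the allocation and this point, as the context lines do not show the code in between.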
>
>
>
> 1.819 +6 -0 httpd-2.0/CHANGES
>
> Index: CHANGES
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/CHANGES,v
> retrieving revision 1.818
> retrieving revision 1.819
> diff -u -r1.818 -r1.819
> --- CHANGES 10 Jun 2002 18:51:37 -0000 1.818
> +++ CHANGES 11 Jun 2002 03:12:33 -0000 1.819
> @@ -1,5 +1,11 @@
> Changes with Apache 2.0.37
>
> + *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
> + session cache when there is no cert chain in the cache. prior to
> + the fix this situation would result in a FORBIDDEN response and
> + error message "Cannot find peer certificate chain"
> + [Doug MacEachern]
> +
> *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
> one was already sent. PR 9644 [Jeff Trawick]
>
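Review bot: the entry text has a stray word ("will use client cert in from the ssl session cache") and spells the option OptRengotiate, which looks like a typo for OptRenegotiate, the name SSLOptions actually documents; anyone searching the changelog for the directive will miss this line. Suggest: "'SSLOptions +OptRenegotiate' will use the client cert from the SSL session cache when there is no cert chain in the cache." The commit log carries the same sentence, so both should be corrected together.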