just a note on this, SSLOptions +OptRengotiate simulates what 
s3_srvr.c:ssl3_get_client_certificate would do when calling 
ssl_verify_cert_chain() with the certs presented by the client.

for whatever reason, when the cert chain is saved to the session cache, 
the peer cert is removed from the chain:
        s->session->peer=sk_X509_shift(sk);
        ...
        s->session->sess_cert->cert_chain=sk;
        /* Inconsistency alert: cert_chain does *not* include the
         * peer's own certificate, while we do include it in s3_clnt.c */

so this workaround simply pushes the peer cert from the session cache back 
into the "chain".

i'd be surprised if 'SSLOptions +OptRengotiate' actually ever worked for 
anybody before this change, including the 1.3 based modssl which still has 
this issue.

On 11 Jun 2002 [EMAIL PROTECTED] wrote:

> dougm       2002/06/10 20:12:34
> 
>   Modified:    modules/ssl ssl_engine_kernel.c
>                .        CHANGES
>   Log:
>   'SSLOptions +OptRengotiate' will use client cert in from the ssl
>   session cache when there is no cert chain in the cache.  prior to
>   the fix this situation would result in a FORBIDDEN response and
>   error message "Cannot find peer certificate chain"
>   
>   Revision  Changes    Path
>   1.73      +15 -0     httpd-2.0/modules/ssl/ssl_engine_kernel.c
>   
>   Index: ssl_engine_kernel.c
>   ===================================================================
>   RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
>   retrieving revision 1.72
>   retrieving revision 1.73
>   diff -u -r1.72 -r1.73
>   --- ssl_engine_kernel.c     4 Jun 2002 07:12:26 -0000       1.72
>   +++ ssl_engine_kernel.c     11 Jun 2002 03:12:33 -0000      1.73
>   @@ -709,6 +709,16 @@
>    
>                cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
>    
>   +            if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {
>   +                /* client cert is in the session cache, but there is
>   +                 * no chain, since ssl3_get_client_certificate()
>   +                 * sk_X509_shift-ed the peer cert out of the chain.
>   +                 * we put it back here for the purpose of quick_renegotiation.
>   +                 */
>   +                cert_stack = sk_new_null();
>   +                sk_X509_push(cert_stack, cert);
>   +            }
>   +
>                if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
>                    ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>                                 "Cannot find peer certificate chain");
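Review bot: the new branch takes a reference from SSL_get_peer_certificate() (which increments the certificate's refcount) and pushes it onto a stack from sk_new_null(), but neither return value is checked. If the allocation or the push fails, cert_stack is NULL or empty, execution falls into the "Cannot find peer certificate chain" branch right below, and the reference held in cert is never released. Suggest checking both results and freeing on failure, e.g. `if (!cert_stack || !sk_X509_push(cert_stack, cert)) { X509_free(cert); ... }` before the existing `if (!cert_stack || ...)` test.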
>   @@ -745,6 +755,11 @@
>    
>                SSL_set_verify_result(ssl, cert_store_ctx.error);
>                X509_STORE_CTX_cleanup(&cert_store_ctx);
>   +
>   +            if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
>   +                /* we created this ourselves, so free it */
>   +                sk_X509_pop_free(cert_stack, X509_free);
>   +            }
>            }
>            else {
>                request_rec *id = r->main ? r->main : r;
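Review bot: ownership of cert_stack is inferred by comparing it with SSL_get_peer_cert_chain(ssl) instead of being tracked explicitly; that holds today because the locally built stack can never be the session's chain, but it is fragile if the two assignments are ever reordered, and the stack is only released on this one path. A local flag set where sk_new_null() is called (e.g. `int own_cert_stack = 1;`) and a matching sk_X509_pop_free() on every exit between the allocation and this point would make the lifetime obvious. sk_X509_pop_free(cert_stack, X509_free) does correctly drop the reference taken by SSL_get_peer_certificate() in the earlier hunk.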
>   
>   
>   
>   1.819     +6 -0      httpd-2.0/CHANGES
>   
>   Index: CHANGES
>   ===================================================================
>   RCS file: /home/cvs/httpd-2.0/CHANGES,v
>   retrieving revision 1.818
>   retrieving revision 1.819
>   diff -u -r1.818 -r1.819
>   --- CHANGES 10 Jun 2002 18:51:37 -0000      1.818
>   +++ CHANGES 11 Jun 2002 03:12:33 -0000      1.819
>   @@ -1,5 +1,11 @@
>    Changes with Apache 2.0.37
>    
>   +  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
>   +     session cache when there is no cert chain in the cache.  prior to
>   +     the fix this situation would result in a FORBIDDEN response and
>   +     error message "Cannot find peer certificate chain"
>   +     [Doug MacEachern]
>   +
>      *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
>         one was already sent.  PR 9644  [Jeff Trawick]
>    
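Review bot: the CHANGES entry reads "will use client cert in from the ssl session cache"; drop the stray "in", capitalize "prior" at the start of the second sentence, and end the entry with a period. Since this text is user-facing, also check the option keyword written as 'OptRengotiate' here and in the commit log against the documented SSLOptions keyword before release.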
>   
>   
>   
> 