Oden Eriksson wrote:
> However, the perl-framework tests barfs at:
>
> t/ssl/v2....................# Failed test 1 in t/ssl/v2.t at line 16

The root cause for this failure could actually be the same as for a different issue which was reported to me by private e-mail just yesterday - in ssl_engine_kernel.c:ssl_hook_Access(), the SNI patch will trigger unnecessary renegotiations. Currently there's this check:

    if ((dc->nVerifyDepth != UNSET) ||
        (sc->server->auth.verify_depth != UNSET)) {
        /* XXX: doesnt look like sslconn->verify_depth is actually used */
        if (!(n = sslconn->verify_depth)) {
            sslconn->verify_depth = n = sc->server->auth.verify_depth;
        }
        ...

When I added the second condition to the first if statement, I was assuming that the default for auth.verify_depth is UNSET as well. However, it's initialized to "1" (i.e. SSL_CVERIFY_OPTIONAL) in ssl_engine_init.c:ssl_init_ctx_verify(), so the patch is erroneously triggering renegotiations due to "Reduced client verification depth".

Oden, if you change the line

    (sc->server->auth.verify_depth != UNSET)) {

to

    (sc->server->auth.verify_depth != SSL_CVERIFY_OPTIONAL)) {

will t/ssl/v2 succeed then?

Kaspar