Oden Eriksson wrote:
> However, the perl-framework tests barf at:
>
> t/ssl/v2....................# Failed test 1 in t/ssl/v2.t at line 16
The root cause for this failure could actually be the same as for a
different issue which was reported to me by private e-mail just
yesterday - in ssl_engine_kernel.c:ssl_hook_Access(), the SNI patch will
trigger unnecessary renegotiations. Currently there's this check:
    if ((dc->nVerifyDepth != UNSET) ||
        (sc->server->auth.verify_depth != UNSET)) {
        /* XXX: doesn't look like sslconn->verify_depth is actually used */
        if (!(n = sslconn->verify_depth)) {
            sslconn->verify_depth = n = sc->server->auth.verify_depth;
        }
        ...
When I added the second condition to the first if statement, I was
assuming that the default for auth.verify_depth is UNSET as well.
However, it's initialized to "1" (i.e. SSL_CVERIFY_OPTIONAL) in
ssl_engine_init.c:ssl_init_ctx_verify(), so the patch is erroneously
triggering renegotiations due to "Reduced client verification depth".
Oden, if you change the line
        (sc->server->auth.verify_depth != UNSET)) {
to
        (sc->server->auth.verify_depth != SSL_CVERIFY_OPTIONAL)) {
will t/ssl/v2 succeed then?
Kaspar
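To make the mismatch Kaspar describes concrete, here is a small C model of the quoted guard (added here; not code from httpd or from the thread). The macros and structs are assumed stand-ins for the mod_ssl ones, and the SSLVerifyDepth values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-ins for the mod_ssl values named in the thread (assumed,
 * not httpd's own definitions): UNSET means "not configured", and
 * SSL_CVERIFY_OPTIONAL is 1, which per the message is also the value the
 * per-server verify_depth is initialised to. */
#define UNSET (-1)
#define SSL_CVERIFY_OPTIONAL 1

typedef struct { int nVerifyDepth; } SSLDirConfig;   /* dc */
typedef struct { int verify_depth; } SSLServerAuth;  /* sc->server->auth */
typedef struct { int verify_depth; } SSLConnRec;     /* sslconn, 0 on a fresh connection */

/* Models the quoted ssl_hook_Access() fragment. Returns true when the guard
 * is entered, i.e. the path the message says ends in a spurious "Reduced
 * client verification depth" renegotiation. compare_to is what the
 * per-server depth is tested against: UNSET as quoted, or SSL_CVERIFY_OPTIONAL. */
static bool verify_depth_guard(const SSLDirConfig *dc, const SSLServerAuth *auth,
                               SSLConnRec *sslconn, int compare_to)
{
    if ((dc->nVerifyDepth != UNSET) || (auth->verify_depth != compare_to)) {
        int n;
        if (!(n = sslconn->verify_depth)) {
            sslconn->verify_depth = n = auth->verify_depth;
        }
        return true;
    }
    return false;
}

/* Scenario: fresh connection, per-directory depth as given (UNSET = none),
 * per-server depth left at the ssl_init_ctx_verify() default of 1. */
static bool guard_fires(int dir_depth, int compare_to)
{
    SSLDirConfig dc = { dir_depth };
    SSLServerAuth auth = { SSL_CVERIFY_OPTIONAL };
    SSLConnRec conn = { 0 };
    return verify_depth_guard(&dc, &auth, &conn, compare_to);
}

int main(void)
{
    /* Nothing configured: the quoted condition fires, the proposed one does not. */
    printf("defaults, != UNSET:                %d\n", guard_fires(UNSET, UNSET));                /* 1 */
    printf("defaults, != SSL_CVERIFY_OPTIONAL: %d\n", guard_fires(UNSET, SSL_CVERIFY_OPTIONAL)); /* 0 */
    /* An explicit per-directory SSLVerifyDepth still enters the guard. */
    printf("SSLVerifyDepth 3, proposed check:  %d\n", guard_fires(3, SSL_CVERIFY_OPTIONAL));     /* 1 */
    return 0;
}
```

With nothing configured, the original comparison enters the guard purely because the default per-server depth is 1 rather than UNSET, which is the spurious path the message attributes the "Reduced client verification depth" renegotiations to.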