Re: SNI in 2.2.x (Re: Time for 2.2.10?)

Wed, 01 Apr 2009 03:31:17 -0700 

 

> -----Ursprüngliche Nachricht-----
> Von: Kaspar Brand 
> Gesendet: Montag, 30. März 2009 18:15
> An: dev@httpd.apache.org
> Betreff: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
> 
> Ruediger Pluem wrote:
> > Going through the archive I noticed several attachments 
> with the same
> > basename and and a version string attached. Are these patches
> > cumulative so that I only need to review the latest one?
> 
> sni_sslverifyclient-v5.diff includes all improvements to
> ssl_hook_Access/ssl_callback_SSLVerify/ssl_callback_SSLVerify_CRL
> which I did in June 2008, yes. Then I stopped updating the 
> trunk version
> (due to lack of responses) and only worked on further 
> improvements on to
> the 2.2.x patch (latest version lives at
> http://sni.velox.ch/httpd-2.2.x-sni.20080928.patch).


A question regarding your patch:

@@ -427,29 +435,26 @@ int ssl_hook_Access(request_rec *r)
      * function and not by OpenSSL internally (and our function is aware of
      * both the per-server and per-directory contexts). So we cannot ask
      * OpenSSL about the currently verify depth. Instead we remember it in our
      * ap_ctx attached to the SSL* of OpenSSL.  We've to force the
      * renegotiation if the reconfigured/new verify depth is less than the
      * currently active/remembered verify depth (because this means more
      * restriction on the certificate chain).
      */
-    if ((sc->server->auth.verify_depth != UNSET) &&
-        (dc->nVerifyDepth == UNSET)) {
-        /* apply per-vhost setting, if per-directory config is not set */
-        dc->nVerifyDepth = sc->server->auth.verify_depth;
-    }

Why don't you stick with the old approach of updating dc->nVerifyDepth and using
this later on consistently (the same happens with other fields in the same
way later on)?

-    if (dc->nVerifyDepth != UNSET) {
+    if ((dc->nVerifyDepth != UNSET) ||
+        (sc->server->auth.verify_depth != UNSET)) {
         /* XXX: doesnt look like sslconn->verify_depth is actually used */
         if (!(n = sslconn->verify_depth)) {
             sslconn->verify_depth = n = sc->server->auth.verify_depth;
         }

         /* determine whether a renegotiation has to be forced */
-        if (dc->nVerifyDepth < n) {
+        if ((dc->nVerifyDepth < n) ||
+            (sc->server->auth.verify_depth < n)) {
             renegotiate = TRUE;
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                           "Reduced client verification depth will force "
                           "renegotiation");
         }
     }

     /*


Regards

Rüdiger

Reply via email to