> -----Original Message-----
> From: Kaspar Brand
> Sent: Monday, 30 March 2009 18:15
> To: dev@httpd.apache.org
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
>
> Ruediger Pluem wrote:
> > Going through the archive I noticed several attachments with the same
> > basename and a version string attached. Are these patches
> > cumulative so that I only need to review the latest one?
>
> sni_sslverifyclient-v5.diff includes all improvements to
> ssl_hook_Access/ssl_callback_SSLVerify/ssl_callback_SSLVerify_CRL
> which I did in June 2008, yes. Then I stopped updating the trunk version
> (due to lack of responses) and only worked on further improvements to
> the 2.2.x patch (latest version lives at
> http://sni.velox.ch/httpd-2.2.x-sni.20080928.patch).
A question regarding your patch: @@ -427,29 +435,26 @@ int ssl_hook_Access(request_rec *r) * function and not by OpenSSL internally (and our function is aware of * both the per-server and per-directory contexts). So we cannot ask * OpenSSL about the currently verify depth. Instead we remember it in our * ap_ctx attached to the SSL* of OpenSSL. We've to force the * renegotiation if the reconfigured/new verify depth is less than the * currently active/remembered verify depth (because this means more * restriction on the certificate chain). */ - if ((sc->server->auth.verify_depth != UNSET) && - (dc->nVerifyDepth == UNSET)) { - /* apply per-vhost setting, if per-directory config is not set */ - dc->nVerifyDepth = sc->server->auth.verify_depth; - } Why don't you stick with the old approach of updating dc->nVerifyDepth and using this later on consistently (the same happens with other fields in the same way later on)? - if (dc->nVerifyDepth != UNSET) { + if ((dc->nVerifyDepth != UNSET) || + (sc->server->auth.verify_depth != UNSET)) { /* XXX: doesnt look like sslconn->verify_depth is actually used */ if (!(n = sslconn->verify_depth)) { sslconn->verify_depth = n = sc->server->auth.verify_depth; } /* determine whether a renegotiation has to be forced */ - if (dc->nVerifyDepth < n) { + if ((dc->nVerifyDepth < n) || + (sc->server->auth.verify_depth < n)) { renegotiate = TRUE; ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Reduced client verification depth will force " "renegotiation"); } } /* Regards Rüdiger
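Review bot: with the fold-in block removed, the block can now be entered through the new `(sc->server->auth.verify_depth != UNSET)` branch while `dc->nVerifyDepth` is still `UNSET`, so the later `if ((dc->nVerifyDepth < n) || ...)` compares the sentinel against a real depth instead of a configured depth; the old fold-in guaranteed `dc->nVerifyDepth` held a depth whenever the comparison ran. Either keep the fold-in (as asked above) or guard each side of the new `||` with its own `!= UNSET` check before comparing against `n`. Separately, `n` defaults to `sc->server->auth.verify_depth` when `sslconn->verify_depth` is zero, so the added `(sc->server->auth.verify_depth < n)` test can never be true on that path; given the `XXX` comment that `sslconn->verify_depth` is apparently unused, it is worth stating what case that extra comparison is meant to catch.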