> -----Original Message-----
> From: Kaspar Brand
> Sent: Saturday, 25 April 2009 09:37
> To: dev@httpd.apache.org
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
>
> >> Mind to send a version v9 of your patch such that I can review the
> >> complete one again? Thanks for your efforts.
>
> Sorry, please disregard v9 - it makes SSL_VERIFY_CLIENT report GENEROUS
> even in cases where it could/should be SUCCESS, actually (if the CA list
> stays the same; i.e., v9 doesn't weaken things, security-wise, but
> possibly locks out legitimate [non-SNI] clients).
Sounds reasonable. > > I have attached v10. As far as ssl_var_lookup_ssl_cert_verify() > is concerned, a tweak could look like: > > --- modules/ssl/ssl_engine_vars.c (revision 765079) > +++ modules/ssl/ssl_engine_vars.c (working copy) > @@ -607,7 +607,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po > result = "SUCCESS"; > else if (vrc == X509_V_OK && vinfo != NULL && > strEQ(vinfo, "GENEROUS")) > /* client verification done in generous way */ > - result = "GENEROUS"; > + result = xs ? "GENEROUS" : "NONE"; > else > /* client verification failed */ > result = apr_psprintf(p, "FAILED:%s", verr); > > > [Not included in v10. If it's added, we should probably > update the comment > to explain why we're doing it like this, exactly.] I guess the following one is the better patch Index: modules/ssl/ssl_engine_vars.c =================================================================== --- modules/ssl/ssl_engine_vars.c (revision 768231) +++ modules/ssl/ssl_engine_vars.c (working copy) @@ -599,7 +599,7 @@ vrc = SSL_get_verify_result(ssl); xs = SSL_get_peer_certificate(ssl); - if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs == NULL) + if (vrc == X509_V_OK && verr == NULL && xs == NULL) /* no client verification done at all */ result = "NONE"; else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL) IMHO we can report NONE whenever there was no error and the client cert is empty. Opinions by the SSL Gurus? Regards Rüdiger
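Review bot: in the quoted tweak to ssl_var_lookup_ssl_cert_verify() (revision 765079 hunk), the comment directly above the changed line, `/* client verification done in generous way */`, no longer describes the branch once it reads `result = xs ? "GENEROUS" : "NONE";`, because the same branch now also yields NONE for a generous-mode handshake in which the client presented no certificate at all (xs == NULL). If this variant is adopted, the comment should be reworded to cover both outcomes, for example `/* generous verification: GENEROUS if a cert was presented, NONE otherwise */`. Note also that this branch keys only on `vrc == X509_V_OK` and `strEQ(vinfo, "GENEROUS")` and never looks at verr, so the xs-based distinction is applied regardless of whether verify_error was set; that is pre-existing behaviour, but it is worth keeping in mind when choosing between the two patches.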
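Review bot: in the revision 768231 hunk, dropping `vinfo == NULL` from the first condition makes the NONE branch fire for any vinfo value whenever `vrc == X509_V_OK && verr == NULL && xs == NULL`, so the comment `/* no client verification done at all */` is now inaccurate for the generous case, where verification was configured and attempted but the client simply sent no certificate; update it to something like `/* no client cert presented (also in generous mode) */`. Placing the check here rather than in the GENEROUS branch is the better of the two options, since the third branch then keeps meaning "generous verification and a certificate was presented" and its comment stays correct, while the SUCCESS condition in the trailing context line (`vinfo == NULL && xs != NULL`) is untouched. If vinfo can ever hold a value other than "GENEROUS", the first condition should test `strEQ(vinfo, "GENEROUS")` explicitly instead of ignoring vinfo altogether.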