Shouldn't we backport this? Or do you have doubts, or are you maybe waiting for
feedback?
Regards,
Rainer
On 01.10.2018 at 20:21, rpl...@apache.org wrote:
Author: rpluem
Date: Mon Oct 1 18:21:18 2018
New Revision: 1842540
URL: http://svn.apache.org/viewvc?rev=1842540&view=rev
Log:
* Pick up the proxy related configuration for verify mode and verify depth and
not the configuration settings for frontend connections in case of
connections by the proxy to the backend.
PR: 62769
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/CHANGES
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1842540&r1=1842539&r2=1842540&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct 1 18:21:18 2018
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
*) ab: Add client certificate support. [Graham Leggett]
*) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
@@ -9,7 +13,7 @@ Changes with Apache 2.5.1
*) mod_http2: connection IO event handling reworked. Instead of reacting on
incoming bytes, the state machine now acts on incoming frames that are
affecting it. This reduces state transitions. [Stefan Eissing]
-
+
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658. [Yann Ylavic]
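Review bot: the second CHANGES hunk is a whitespace-only change to the blank line after the mod_http2 entry and has nothing to do with PR 62769; keep such cleanups out of a functional fix (or at least mention them in the log) so that the backport proposal for this revision stays a clean cherry-pick of the actual fix.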
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1842540&r1=1842539&r2=1842540&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Oct 1 18:21:18 2018
@@ -1750,7 +1750,8 @@ int ssl_callback_SSLVerify(int ok, X509_
/* Get verify ingredients */
int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
- int depth, verify;
+ int depth = UNSET;
+ int verify = SSL_CVERIFY_UNSET;
/*
* Log verification information
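Review bot: the new initializations to `UNSET` and `SSL_CVERIFY_UNSET` are not cosmetic, they are what the later `if (!dc || (verify == SSL_CVERIFY_UNSET))` and `if (!dc || (depth == UNSET))` fallbacks test for; a one-line comment on the declarations saying that the sentinels drive the fallback to `mctx->auth` would stop a future cleanup from turning them back into plain `int depth, verify;`.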
@@ -1766,10 +1767,15 @@ int ssl_callback_SSLVerify(int ok, X509_
/*
* Check for optionally acceptable non-verifiable issuer situation
*/
- if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
- verify = dc->nVerifyClient;
+ if (dc) {
+ if (sslconn->is_proxy) {
+ verify = dc->proxy->auth.verify_mode;
+ }
+ else {
+ verify = dc->nVerifyClient;
+ }
}
- else {
+ if (!dc || (verify == SSL_CVERIFY_UNSET)) {
verify = mctx->auth.verify_mode;
}
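Review bot: in the `sslconn->is_proxy` branch `dc->proxy` is dereferenced without a NULL check; if a per-directory config can exist with `dc->proxy` unset for a proxy connection this is a NULL dereference in the verify callback, so either document why `dc->proxy` is always allocated here or guard with `if (sslconn->is_proxy && dc->proxy)` and let the `SSL_CVERIFY_UNSET` fallback pick up `mctx->auth.verify_mode`. The fallback itself also relies on `dc->proxy->auth.verify_mode` defaulting to `SSL_CVERIFY_UNSET` when the directive is not given; if the proxy config defaults or merges it to a concrete value, the server-level setting is never consulted, which is worth stating in a comment next to the fallback.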
@@ -1873,10 +1879,15 @@ int ssl_callback_SSLVerify(int ok, X509_
/*
* Finally check the depth of the certificate verification
*/
- if (dc && (dc->nVerifyDepth != UNSET)) {
- depth = dc->nVerifyDepth;
+ if (dc) {
+ if (sslconn->is_proxy) {
+ depth = dc->proxy->auth.verify_depth;
+ }
+ else {
+ depth = dc->nVerifyDepth;
+ }
}
- else {
+ if (!dc || (depth == UNSET)) {
depth = mctx->auth.verify_depth;
}