On 10/05/2018 12:26 PM, Rainer Jung wrote:
> Shouldn't we backport this? Or do you have doubts or maybe waiting for
> feedback?
From my point of view it can be backported. It was sitting around in trunk
waiting for feedback and then because of being busy I forgot about it.
Feel free to propose.
Regards
Rüdiger
>
> Regards,
>
> Rainer
>
> On 01.10.2018 at 20:21, rpl...@apache.org wrote:
>> Author: rpluem
>> Date: Mon Oct 1 18:21:18 2018
>> New Revision: 1842540
>>
>> URL: http://svn.apache.org/viewvc?rev=1842540&view=rev
>> Log:
>> * Pick up the proxy-related configuration for verify mode and verify depth and
>> not the configuration settings for frontend connections in case of
>> connections by the proxy to the backend.
>>
>> PR: 62769
>>
>> Modified:
>> httpd/httpd/trunk/CHANGES
>> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>>
>> Modified: httpd/httpd/trunk/CHANGES
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1842540&r1=1842539&r2=1842540&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
>> +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct 1 18:21:18 2018
>> @@ -1,6 +1,10 @@
>> -*- coding: utf-8
>> -*-
>> Changes with Apache 2.5.1
>> + *) mod_ssl: Fix a regression that the configuration settings for verify
>> mode
>> + and verify depth were taken from the frontend connection in case of
>> + connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
>> +
>> *) ab: Add client certificate support. [Graham Leggett]
>> *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
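Review bot: the wording "Fix a regression that the configuration settings for verify mode and verify depth were taken from the frontend connection" is hard to parse; suggest "Fix a regression where, for connections made by the proxy to a backend, the verify mode and verify depth were taken from the frontend (SSLVerifyClient/SSLVerifyDepth) settings instead of the SSLProxyVerify/SSLProxyVerifyDepth ones", so that an administrator reading CHANGES can tell which directives are affected.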
>> @@ -9,7 +13,7 @@ Changes with Apache 2.5.1
>> *) mod_http2: connection IO event handling reworked. Instead of reacting
>> on
>> incoming bytes, the state machine now acts on incoming frames that are
>> affecting it. This reduces state transitions. [Stefan Eissing]
>> -
>> +
>> *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool
>> and
>> before signals handling to avoid lifetime issues on restart or
>> shutdown.
>> PR 62658. [Yann Ylavic]
>>
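Review bot: this hunk only strips trailing whitespace from the blank line between the mod_http2 and MPMs entries and is unrelated to PR 62769; harmless in trunk, but leave it out of the backport proposal so the patch applies cleanly to the branch's CHANGES.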
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1842540&r1=1842539&r2=1842540&view=diff
>>
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Oct 1 18:21:18
>> 2018
>> @@ -1750,7 +1750,8 @@ int ssl_callback_SSLVerify(int ok, X509_
>> /* Get verify ingredients */
>> int errnum = X509_STORE_CTX_get_error(ctx);
>> int errdepth = X509_STORE_CTX_get_error_depth(ctx);
>> - int depth, verify;
>> + int depth = UNSET;
>> + int verify = SSL_CVERIFY_UNSET;
>> /*
>> * Log verification information
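Review bot: the `depth = UNSET` and `verify = SSL_CVERIFY_UNSET` initializers are defensive rather than required, since the selection code later in this function assigns both values in every branch reached with a non-NULL dc and falls back to mctx when dc is NULL; keep them (they also head off a maybe-uninitialized warning, because the compiler cannot tie the later `!dc ||` short-circuit to the earlier `if (dc)`), but a one-line comment saying the sentinels are what the fallback checks compare against would save the next reader the trace.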
>> @@ -1766,10 +1767,15 @@ int ssl_callback_SSLVerify(int ok, X509_
>> /*
>> * Check for optionally acceptable non-verifiable issuer situation
>> */
>> - if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
>> - verify = dc->nVerifyClient;
>> + if (dc) {
>> + if (sslconn->is_proxy) {
>> + verify = dc->proxy->auth.verify_mode;
>> + }
>> + else {
>> + verify = dc->nVerifyClient;
>> + }
>> }
>> - else {
>> + if (!dc || (verify == SSL_CVERIFY_UNSET)) {
>> verify = mctx->auth.verify_mode;
>> }
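Review bot: the proxy branch dereferences `dc->proxy` with no NULL check; `dc` itself is guarded, but nothing here shows that every SSLDirConfigRec reaching ssl_callback_SSLVerify has `proxy` allocated, so either confirm that in the per-directory create/merge code or write the branch as `verify = dc->proxy ? dc->proxy->auth.verify_mode : SSL_CVERIFY_UNSET;`, which keeps the fallback to `mctx->auth.verify_mode` intact. Splitting the old if/else into `if (dc) {...}` followed by `if (!dc || (verify == SSL_CVERIFY_UNSET))` is the right shape, because a per-directory proxy value that is still UNSET must fall through to the server-level proxy context rather than be used as-is.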
>> @@ -1873,10 +1879,15 @@ int ssl_callback_SSLVerify(int ok, X509_
>> /*
>> * Finally check the depth of the certificate verification
>> */
>> - if (dc && (dc->nVerifyDepth != UNSET)) {
>> - depth = dc->nVerifyDepth;
>> + if (dc) {
>> + if (sslconn->is_proxy) {
>> + depth = dc->proxy->auth.verify_depth;
>> + }
>> + else {
>> + depth = dc->nVerifyDepth;
>> + }
>> }
>> - else {
>> + if (!dc || (depth == UNSET)) {
>> depth = mctx->auth.verify_depth;
>> }
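Review bot: this block is the verify-mode selection above repeated line for line with `depth`, `nVerifyDepth`, `verify_depth` and `UNSET` substituted, including the unguarded `dc->proxy` dereference; a small static helper taking the SSLConnRec, SSLDirConfigRec and modssl_ctx_t and returning both values would keep the two selections from drifting apart, and any NULL guard added on `dc->proxy` for the verify mode must be mirrored here.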
>
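An added illustration of the situation the commit message describes. This is example configuration written for this page, not from the commit, the PR or the httpd project; the host names, paths and file names are placeholders. The per-directory SSLVerifyClient/SSLVerifyDepth inside <Location /app> is the frontend's client-certificate policy, and the SSLProxy* directives say how httpd verifies the backend it proxies to. In the removed lines of the diff, ssl_callback_SSLVerify used dc->nVerifyClient and dc->nVerifyDepth whenever a per-directory value was set, without looking at sslconn->is_proxy, so for a request under /app the backend certificate would have been checked with optional_no_ca and depth 1 instead of require and depth 3. With the patch applied, the is_proxy branch reads dc->proxy->auth for that connection and, if that is still UNSET, falls back to the server-level proxy context, so the backend check ends up at require/3 either way and the frontend values stay confined to the client side.

```apache
# Example configuration added for this page (not from the commit or the thread).
# www.example.test, backend.internal.test and the file paths are placeholders.

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/frontend.crt
    SSLCertificateKeyFile /etc/ssl/frontend.key

    # Frontend policy for clients of /app: a client certificate is optional and
    # need not chain to a configured CA. Deliberately weak, and meant to apply
    # only to the client side of the proxy.
    <Location /app>
        SSLVerifyClient  optional_no_ca
        SSLVerifyDepth   1
        ProxyPass        https://backend.internal.test/app
        ProxyPassReverse https://backend.internal.test/app
    </Location>

    # Backend policy: the proxy must verify the backend certificate against the
    # internal CA, accept a chain with up to three intermediates and check the
    # peer name. Before the fix, a request under /app would have had these two
    # verify settings replaced by the <Location> values above on the backend
    # connection; after the fix they are what the backend connection uses.
    SSLProxyEngine            on
    SSLProxyCACertificateFile /etc/ssl/internal-ca.crt
    SSLProxyVerify            require
    SSLProxyVerifyDepth       3
    SSLProxyCheckPeerName     on
</VirtualHost>
```

The weakening only appears when SSLVerifyClient or SSLVerifyDepth is set in a per-directory context such as <Location> or <Directory> on a path that is proxied; a value set directly in the <VirtualHost> lives in the server configuration, which the proxy connection never consulted in the removed code either, since mctx is already the proxy-side context there.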