On 3/30/23 7:09 PM, gbec...@apache.org wrote:
> Author: gbechis
> Date: Thu Mar 30 17:09:09 2023
> New Revision: 1908805
> 
> URL: http://svn.apache.org/viewvc?rev=1908805&view=rev
> Log:
> check for more possible SSL failures
> bz #66225
> 
> Modified:
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1908805&r1=1908804&r2=1908805&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Mar 30 17:09:09 2023
> @@ -997,10 +997,7 @@ static int ssl_hook_Access_classic(reque
>               * handshake to proceed. */
>              modssl_set_reneg_state(sslconn, RENEG_ALLOW);
>  
> -            SSL_renegotiate(ssl);
> -            SSL_do_handshake(ssl);
> -
> -            if (!SSL_is_init_finished(ssl)) {
> +            if(!SSL_renegotiate(ssl) || !SSL_do_handshake(ssl) || 
> !SSL_is_init_finished(ssl)) {

Wouldn't

if (!(SSL_renegotiate(ssl) && SSL_do_handshake(ssl) && SSL_is_init_finished(ssl))) {

be better as it would stop the calls as soon as one fails (due to boolean shortcuts)?
Or is it mandatory that SSL_do_handshake and / or SSL_is_init_finished get executed if one of the steps before fails?

>                  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
>                                "Re-negotiation request failed");
>                  ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
> 
> 
> 
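
Review bot: On the added `+` line, `!SSL_do_handshake(ssl)` is true only for a return value of 0, but OpenSSL documents SSL_do_handshake() as returning a negative value on a fatal error, so that case passes this operand and is caught only by the following `!SSL_is_init_finished(ssl)`. Testing `SSL_do_handshake(ssl) <= 0` would make the failure check explicit rather than relying on the last operand. The new line also writes `if(` without the space that the removed `if (!SSL_is_init_finished(ssl)) {` line had.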

Regards

Rüdiger
