Full_Name: Paolo Di Martino
Version: 2.4.6
OS: Linux RedHat 6.0
Submission from: (NULL) (193.207.124.39)
When I access to some location with
SSLClientVerify require
directive, the browser continue to ask me a certificate for every
object loaded from the location (html frames, images.....).
The log file [trace] said:
"Changed client verification type will force full renegotiation"
But this was changed only for the first access request.
I mean, if the directory is the same, next access requests have the
same verification type.
Take a look at the source code:
In pkg.sslmod/ssl_engine_kernel.c function ssl_hook_Access,
in the per-directory stuff there is a check between nVerify
and nVerifyOld to test if the directory configuration is
changed in order to decide if it is the case to force a (full-quick)
renegotiation or not.
When a new connections is established (within the same session)
a default value for the ssl->verify_mode is set and
the nVerifyOld tecnic is gone because there is no way to retrieve
the real old verification mode.
To solve the problem I've added a real_verify_mode field in the
SSL_SESSION structure and patched my source code with a function
that update the session cache entry with the changed value of
real_verify_mode.
My first think is to take care of it inside the SSL_Session_cache.
But to do this I changed some OpenSSL source files too.
Maybe I should talk with them too?
Is this a bug or it's my missunderstanding?
Patch follows
Index: ssl_engine_kernel.c
file: mod_ssl-2.4.6-1.3.9/pkg.sslmod/ssl_engine_kernel.c
Version mod_ssl: 2.4.6
@@ -823,6 +823,6 @@
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
/* remember old state */
- nVerifyOld = SSL_get_verify_mode(ssl);
+ nVerifyOld = ssl->session->real_verify_mode;
/* configure new state */
nVerify = SSL_VERIFY_NONE;
@@ -1075,3 +1075,7 @@
#endif
+ if(dc->nVerifyClient!=SSL_CVERIFY_UNSET){
+ ssl->session->real_verify_mode=nVerify;
+ ssl_UpdateSessionCacheEntry(ssl,ssl->session);
+ }
return rc;
}
@@ -1682,2 +1682,2
ssl_scache_id2sz(pNew->session_id, pNew->session_id_length),
- t-time(NULL));
+ t-time(NULL),pNew->real_verify_mode);
@@ -1691,1 +1691,42
+int ssl_UpdateSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
+{
+ conn_rec *conn;
+ server_rec *s;
+ SSLSrvConfigRec *sc;
+ long t;
+ BOOL rc;
+
+ /*
+ * Get Apache context back through OpenSSL context
+ */
+ conn = (conn_rec *)SSL_get_app_data(ssl);
+ s = conn->server;
+ sc = mySrvConfig(s);
+
+ ssl_scache_remove(s,pNew);
+
+ /*
+ * Store the SSL_SESSION in the inter-process cache with the
+ * same expire time, so it expires automatically there, too.
+ */
+ t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
+ rc = ssl_scache_store(s, pNew, t);
+
+ /*
+ * Log this cache operation
+ */
+ ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
+ "request=SET status=%s id=%s timeout=%ds (session caching)
verify=%d
+",
+ rc == TRUE ? "OK" : "BAD",
+ ssl_scache_id2sz(pNew->session_id, pNew->session_id_length),
+ t-time(NULL),pNew->real_verify_mode);
+
+ /*
+ * return 0 which means to OpenSSL that the pNew is still
+ * valid and was not freed by us with SSL_SESSION_free().
+ */
+ return 0;
+}
+
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
