On Wed, Mar 01, 2000, Hansknecht, Deborah A wrote:

> Perhaps I should have been more clear. I think the "problem" occurs when one
> is trying to compile the SSL_EXPERIMENTAL code. In ssl_engine_ext.c there
> are a couple of references to sc->ctx. These are in code (functions
> ssl_ext_mp_init() and ssl_ext_mp_clientcert_cb()) that is bracketed by
> SSL_EXPERIMENTAL. "sc" is a pointer to the SSLSrvConfigRec which is defined
> in mod_ssl.h. In that structure, the definition of *ctx is bracketed by
> SSL_VENDOR. It sure seems that the compilation of the SSL_EXPERIMENTAL code
> depends on that being defined.

Ahhhhhhh... _NOW_ we've located the problem. Yes, you're
right. There actually _IS_ a problem. I've always used either
SSL_EXPERIMENTAL+SSL_VENDOR+SSL_CONSERVATIVE or none of them in my
tests, so the problem never occurred for me. Now I can reproduce it too,
of course. Thanks for discovering this subtle problem. The actual error
was that it is bogus to use the context entry at all for the proxy
stuff. There is no reason for this. The appended patch fixes this and
will be committed for mod_ssl 2.6.2. Thanks for your help.

Yours,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
Index: mod_ssl.h
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.126
diff -u -r1.126 mod_ssl.h
--- mod_ssl.h   2000/02/29 13:03:53 1.126
+++ mod_ssl.h   2000/03/02 08:11:22
@@ -590,6 +590,7 @@
     char        *szProxyClientCertificatePath;
     char        *szProxyCipherSuite;
     SSL_CTX     *pSSLProxyCtx;
+    STACK_OF(X509_INFO) *skProxyClientCerts;
 #endif
 #ifdef SSL_VENDOR
     ap_ctx      *ctx;
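Review bot: the new skProxyClientCerts member is added without a comment, and the guard that the following #endif closes is not visible in this hunk. Please add a short comment saying that it holds the proxy client certificate stack and who owns and frees it, and confirm that the enclosing #ifdef is the same one that brackets the code in ssl_engine_ext.c which uses the member, since a mismatch between those guards was the original build failure.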
Index: ssl_engine_ext.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_ext.c,v
retrieving revision 1.37
diff -u -r1.37 ssl_engine_ext.c
--- ssl_engine_ext.c    2000/02/24 19:49:36 1.37
+++ ssl_engine_ext.c    2000/03/02 08:12:28
@@ -330,7 +330,7 @@
                     cpVHostID, sk_X509_INFO_num(sk));
             if (sk_X509_INFO_num(sk) > 0) {
                 SSL_CTX_set_client_cert_cb(ctx, ssl_ext_mp_clientcert_cb);
-                ap_ctx_set(sc->ctx, "ssl::proxy::clientcerts", (void *)sk);
+                sc->skProxyClientCerts = sk;
             }
         }
 
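Review bot: sc->skProxyClientCerts is assigned only inside the `if (sk_X509_INFO_num(sk) > 0)` branch, so on the empty-stack path the member keeps whatever value the config record was created with. Set it to NULL before the branch (or where the server config record is created, which this patch does not touch) so the field has a defined value on every path. The visible lines also neither store nor release an empty sk, which is worth checking.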
@@ -592,7 +592,7 @@
     servername = ap_ctx_get(pCtx, "ssl::proxy::servername");
 
     sc         = mySrvConfig(s);
-    pcerts     = ap_ctx_get(sc->ctx, "ssl::proxy::clientcerts");
+    pcerts     = sc->skProxyClientCerts;
 
     ssl_log(s, SSL_LOG_DEBUG, "Proxy client certificate callback: (%s) entered");
 
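Review bot: pcerts is now taken directly from sc->skProxyClientCerts, and nothing in the visible lines checks it for NULL before the callback goes on to use it. A guard such as `if (pcerts == NULL)` with an early return would make the callback safe if the member was never set. Separately, the ssl_log() context line passes a format string containing %s with no matching argument; servername, fetched a few lines above, looks like the intended value.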
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
