Full_Name: Rich Salz
Version: 2.7.1
OS: RedHat 6.2+fixes
Submission from: (NULL) (216.73.149.205)


I have "SSLVerifyClient optional_no_ca" in httpd.conf.  When I first connect
the browser asks me to present my certificate.  When I reload the page the
browser says 'connection broken' and the ssl_engine_log says "unknown error".
The following diff adds more logging (showing that the error actually is
X509_V_ERR_CERT_UNTRUSTED).  This patch is not right since it uniformly slams
error status rather than looking at the config info. mod_ssl is
configured as follows:
    o ssl_module uses ConfigStart/End
      + SSL interface: mod_ssl/2.7.1
      + SSL interface build type: OBJ
      + SSL interface compatibility: enabled
      + SSL interface experimental code: disabled
      + SSL interface conservative code: disabled
      + SSL interface vendor extensions: disabled
      + SSL interface plugin: Built-in SDBM
Here's the diff:
*** ssl_engine_kernel.c Wed Nov  1 10:53:22 2000
--- ../../../../mod_ssl/pkg.sslmod/ssl_engine_kernel.c  Fri Oct 20 11:10:08
2000
***************
*** 137,143 ****
      char *cpVHostMD5;
      X509 *xs;
      int rc;
-     int vrfyrc;
  
      /*
       * Get context
--- 137,142 ----
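Review bot: this hunk is reversed. The `***` side (the local ssl_engine_kernel.c) is the file that carries the added `int vrfyrc;`, while the `---` side (the pristine ../../../../mod_ssl/pkg.sslmod copy) lacks it, so the change shows up here as a `-` removal and `patch` would apply it backwards; regenerate it as `diff -c <original> <modified>` (or tell people to apply with `patch -R`) so the new declaration reads as an addition.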
***************
*** 354,368 ****
          /*
           * Check for failed client authentication
           */
!       vrfyrc = SSL_get_verify_result(ssl);
!       if (vrfyrc == X509_V_ERR_CERT_UNTRUSTED)
!           vrfyrc = X509_V_OK;
!         if (vrfyrc != X509_V_OK
              || ap_ctx_get(fb->ctx, "ssl::verify::error") != NULL) {
              cp = (char *)ap_ctx_get(fb->ctx, "ssl::verify::error");
              ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR,
!                     "SSL client authentication failed: (0x%x) %s", 
!                   vrfyrc, cp != NULL ? cp : "unknown reason");
              SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
              SSL_smart_shutdown(ssl);
              SSL_free(ssl);
--- 353,364 ----
          /*
           * Check for failed client authentication
           */
!         if (   SSL_get_verify_result(ssl) != X509_V_OK
              || ap_ctx_get(fb->ctx, "ssl::verify::error") != NULL) {
              cp = (char *)ap_ctx_get(fb->ctx, "ssl::verify::error");
              ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR,
!                     "SSL client authentication failed: %s", 
!                     cp != NULL ? cp : "unknown reason");
              SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
              SSL_smart_shutdown(ssl);
              SSL_free(ssl);
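Review bot: mapping `X509_V_ERR_CERT_UNTRUSTED` to `X509_V_OK` unconditionally (the three `!` lines starting at `vrfyrc = SSL_get_verify_result(ssl);`) ignores the per-vhost `SSLVerifyClient` setting that the report itself says should drive this, so a vhost configured with `require` would also stop rejecting untrusted client certificates; the override should only take effect when the configured verify mode is `optional_no_ca`. Note also that the surrounding condition is `vrfyrc != X509_V_OK || ap_ctx_get(fb->ctx, "ssl::verify::error") != NULL`, so if the verify callback has already stored an entry under `ssl::verify::error` for the same failure the connection is still torn down even after the remap, which means the remap alone may not cure the 'connection broken' symptom. Two smaller points: the `if (vrfyrc != X509_V_OK` line is indented two columns deeper than the statements before it, and `SSL_get_verify_result()` returns a `long`, so either keep `vrfyrc` as `long` or cast explicitly before logging it with `(0x%x)`.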


      + SSL library path: /home/rsalz/jack/openssl
      + SSL library version: OpenSSL 0.9.5a 1 Apr 2000
      + SSL library type: source tree only (stand-alone)


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]