mod_ssl: follow up to r1734561 and r1735337.
authorYann Ylavic <ylavic@apache.org>
Thu, 31 Mar 2016 18:24:06 +0000 (18:24 +0000)
committerYann Ylavic <ylavic@apache.org>
Thu, 31 Mar 2016 18:24:06 +0000 (18:24 +0000)
We also need to reset the X509_STORE_CTX's error in the callback to quiet
X509_V_ERR_UNABLE_TO_GET_CRL for the leaf certificate (caught by AH02010).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737265 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

index 91d5e926d66ca374c82db68449a1879fd941223e..ffa78dff7b52a65f8d346c22584e29b4210245c1 100644 (file)
@@ -1637,6 +1637,11 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 
     if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
             && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, conn,
+                      "Certificate Verification: Temporary error (%d): %s: "
+                      "optional therefore we're accepting the certificate",
+                      errnum, X509_verify_cert_error_string(errnum));
+        X509_STORE_CTX_set_error(ctx, X509_V_OK);
         errnum = X509_V_OK;
         ok = TRUE;
     }
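Review bot: Once the added `X509_STORE_CTX_set_error(ctx, X509_V_OK);` runs, the only record that a certificate was accepted without a revocation check is the new message at `APLOG_TRACE3`, which ordinary log levels never show. Because this is a configured fail-open on revocation, I would log it at a level operators actually run with, e.g. `ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,` (or `APLOG_INFO`), and drop the word "Temporary" from the message, since a CRL that is missing for an issuer is not necessarily transient. A short comment above the new call would also help the next reader: `/* SSL_CRLCHECK_NO_CRL_FOR_CERT_OK: clear the error stored in ctx as well, otherwise it is still reported after the callback returns (AH02010) */`. The visible condition does not look at the certificate depth, so if the override is meant for the leaf only, as the commit message says, that presumably relies on how the CRL check flags are set elsewhere; the body of ssl_callback_SSLVerify starts and ends outside this hunk.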