Support OpenSSL 1.1.0:

- Fix renegotiation for the client side
  of a proxy connection.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730146 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 770bb7e3bec04b94de317e8c30110ddcf69cb7a9..749ec1b29dca9554bae37adc7abf41f8e94d0cc1 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2139,7 +2139,9 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
         if (state == SSL3_ST_SR_CLNT_HELLO_A
             || state == SSL23_ST_SR_CLNT_HELLO_A) {
 #else
-    if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_REJECT) {
+    if (!scr->is_proxy &&
+        (where & SSL_CB_HANDSHAKE_START) &&
+        scr->reneg_state == RENEG_REJECT) {
 #endif
             scr->reneg_state = RENEG_ABORT;
             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
@@ -2149,13 +2151,18 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 #endif
     }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-    else if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_ALLOW) {
+    else if (!scr->is_proxy &&
+             (where & SSL_CB_HANDSHAKE_START) &&
+             scr->reneg_state == RENEG_ALLOW) {
         scr->reneg_state = RENEG_STARTED;
     }
-    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_STARTED) {
+    else if (!scr->is_proxy &&
+             (where & SSL_CB_HANDSHAKE_DONE) &&
+             scr->reneg_state == RENEG_STARTED) {
         scr->reneg_state = RENEG_DONE;
     }
-    else if ((where & SSL_CB_ALERT) &&
+    else if (!scr->is_proxy &&
+             (where & SSL_CB_ALERT) &&
              (scr->reneg_state == RENEG_ALLOW || scr->reneg_state == RENEG_STARTED)) {
         scr->reneg_state = RENEG_ALERT;
     }