-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: Fix a regression that the configuration settings for verify mode
+ and verify depth were taken from the frontend connection in case of
+ connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
+
*) ab: Add client certificate support. [Graham Leggett]
*) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
*) mod_http2: connection IO event handling reworked. Instead of reacting on
incoming bytes, the state machine now acts on incoming frames that are
affecting it. This reduces state transitions. [Stefan Eissing]
-
+
*) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658. [Yann Ylavic]
/* Get verify ingredients */
int errnum = X509_STORE_CTX_get_error(ctx);
int errdepth = X509_STORE_CTX_get_error_depth(ctx);
- int depth, verify;
+ int depth = UNSET;
+ int verify = SSL_CVERIFY_UNSET;
/*
* Log verification information
/*
* Check for optionally acceptable non-verifiable issuer situation
*/
- if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
- verify = dc->nVerifyClient;
+ if (dc) {
+ if (sslconn->is_proxy) {
+ verify = dc->proxy->auth.verify_mode;
+ }
+ else {
+ verify = dc->nVerifyClient;
+ }
}
- else {
+ if (!dc || (verify == SSL_CVERIFY_UNSET)) {
verify = mctx->auth.verify_mode;
}
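Review bot: `dc->proxy` is dereferenced in the new proxy branch with only `dc` checked, and the depth selection further down does the same with `dc->proxy->auth.verify_depth`. If the per-directory config can ever be created without its proxy context (that allocation is not visible here), a backend handshake would crash inside the verify callback. A guard that keeps the fallback intact would be `verify = dc->proxy ? dc->proxy->auth.verify_mode : SSL_CVERIFY_UNSET;`, and likewise with `UNSET` for the depth. The fallback also assumes `mctx` is the proxy-side context on backend connections; it is assigned outside this hunk, so that is worth confirming, since this value decides whether a non-verifiable backend issuer is tolerated.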
/*
* Finally check the depth of the certificate verification
*/
- if (dc && (dc->nVerifyDepth != UNSET)) {
- depth = dc->nVerifyDepth;
+ if (dc) {
+ if (sslconn->is_proxy) {
+ depth = dc->proxy->auth.verify_depth;
+ }
+ else {
+ depth = dc->nVerifyDepth;
+ }
}
- else {
+ if (!dc || (depth == UNSET)) {
depth = mctx->auth.verify_depth;
}
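Review bot: The fallback `if (!dc || (depth == UNSET))` replaces the old `else`, so it is only correct because `depth` is now initialised to `UNSET` at the declaration, and nothing near the block says so. A later edit that drops the initialiser or assigns `depth` earlier would silently change which verify depth a connection gets. I would add a comment above the second `if`, such as `/* depth is still UNSET when dc is absent or has no explicit value: use the context default */`, and the matching one on the verify-mode block with `SSL_CVERIFY_UNSET`. The enclosing function starts and ends outside the hunk.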