]> granicus.if.org Git - apache/commitdiff
projects / apache / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5133c75)
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
authorJoe Orton <jorton@apache.org>
Tue, 11 Sep 2018 16:01:47 +0000 (16:01 +0000)
committerJoe Orton <jorton@apache.org>
Tue, 11 Sep 2018 16:01:47 +0000 (16:01 +0000)
  403 if SSL_verify_client_post_handshake() fails, e.g. when the
  TLS/1.3 client didn't send the Post-Handshake Authentication
  extension.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1840585 13f79535-47bb-0310-9956-ffa450edef68

docs/log-message-tags/next-number patch | blob | history
modules/ssl/ssl_engine_kernel.c patch | blob | history

diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 0d02a5ca0607e26f8e8ddc97546c65fd23423d62..9c11cc094f339553c2baae52e8b11afcb8ec31e6 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10158
+10159
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 2b0bc75a22b453b94e6d53e67e3298a5c43b3b2c..ddf2a7b60750031925dbc2cc6eae6bc7cfa43e31 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1219,8 +1219,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10129) "verify client post handshake");
 
             SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
-            SSL_verify_client_post_handshake(ssl);
 
+            if (SSL_verify_client_post_handshake(ssl) != 1) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
+                              "cannot perform post-handshake authentication");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+                apr_table_setn(r->notes, "error-notes",
+                               "Reason: Cannot perform Post-Handshake Authentication.<br />");
+                return HTTP_FORBIDDEN;
+            }
+            
             old_state = sslconn->reneg_state;
             sslconn->reneg_state = RENEG_ALLOW;
             modssl_set_app_data2(ssl, r);
Unnamed repository; edit this file 'description' to name the repository.