PR:

Obtained from:
Submitted by:
Reviewed by:
allow POST method over SSL when per-directory client cert
authentication is used with 'SSLOptions +OptRenegotiate' enabled
and a client cert was found in the ssl session cache.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95602 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 45fe3998049a9ebdf5e748f5ca154e99ba92b713..7ba4e0d755068b882e319ea74f1714a2072c3790 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 2.0.37
 
+  *) allow POST method over SSL when per-directory client cert
+     authentication is used with 'SSLOptions +OptRenegotiate' enabled
+     and a client cert was found in the ssl session cache.
+
   *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
      session cache when there is no cert chain in the cache.  prior to
      the fix this situation would result in a FORBIDDEN response and

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 9b180dffba0249f754e9bfd692ebf0694660ca09..9274298e556d88f3d96dd2b4b4e3b3272d7472c1 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -673,10 +673,11 @@ int ssl_hook_Access(request_rec *r)
      *
      * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !!
      */
-    if (renegotiate && (r->method_number == M_POST)) {
+    if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                      "SSL Re-negotiation in conjunction "
-                     "with POST method not supported!");
+                     "with POST method not supported!\n"
+                     "hint: try SSLOptions +OptRenegotiate");
 
         return HTTP_METHOD_NOT_ALLOWED;
     }