Avoid unnecessary renegotiations with SSLVerifyDepth 0.
authorStefan Fritsch <sf@apache.org>
Sun, 19 Jun 2011 18:03:55 +0000 (18:03 +0000)
committerStefan Fritsch <sf@apache.org>
Sun, 19 Jun 2011 18:03:55 +0000 (18:03 +0000)
PR: 48215
Submitted by: Kaspar Brand <asfbugz velox ch>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1137394 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index 967c0b30496a0662ce93fdeb41d37730e2e7802b..7d1c8e8b627f3d78e4ac7d3c5b451bfde2cef436 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.3.13
 
+  *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
+     PR 48215. [Kaspar Brand]
+
   *) mod_status: Display information about asynchronous connections in the
      server-status. PR 44377. [Stefan Fritsch]
 
index d908e61d44422c11d0e5a2f3cc7a360ee97e938a..65a063f84b0d06e3f7e27bf3a3a7adea5cb5bd32 100644 (file)
@@ -339,6 +339,7 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
     sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
 
     sslconn->server = c->base_server;
+    sslconn->verify_depth = UNSET;
 
     myConnConfigSet(c, sslconn);
 
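Review bot: The added `sslconn->verify_depth = UNSET;` has no comment, and its purpose is not obvious directly after an `apr_pcalloc` that already zeroes the struct. Since 0 is a legitimate SSLVerifyDepth value, it cannot also mean "no depth recorded"; I would add `/* 0 is a valid verify depth, so "nothing remembered yet" needs the UNSET sentinel */` above the assignment. Any other reader of this field that still tests it for truthiness would now treat UNSET as a recorded depth; none is visible in this hunk, so a search of the module is worth doing. The body of ssl_init_connection_ctx continues outside the hunk.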
index 1ff5d2e63b2f751157ff174dca1edd6e2f886c77..af1e77d11c51ff54b668485a1d99ab9541598ceb 100644 (file)
@@ -499,7 +499,7 @@ int ssl_hook_Access(request_rec *r)
      * currently active/remembered verify depth (because this means more
      * restriction on the certificate chain).
      */
-    n = sslconn->verify_depth ?
+    n = (sslconn->verify_depth != UNSET) ?
         sslconn->verify_depth :
         (mySrvConfig(handshakeserver))->server->auth.verify_depth;
     /* determine the new depth */
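Review bot: The fallback arm of the ternary, `(mySrvConfig(handshakeserver))->server->auth.verify_depth`, is still read without the `!= UNSET` test that the connection-level field now gets. If the server-level value can also be UNSET here (not visible in this hunk; it may always be resolved when the configuration is merged), `n` would carry the sentinel into the depth comparison that follows. In that case a stricter per-directory depth might not be recognised as requiring renegotiation. Either an explicit check or a short comment such as `/* server->auth.verify_depth is always resolved by config merge */` would make the assumption reviewable. ssl_hook_Access starts and ends outside the hunk.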