SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
- /*
- * Predefine some client verification results
- */
- apr_table_setn(c->notes, "ssl::verify::error", NULL);
- apr_table_setn(c->notes, "ssl::verify::info", NULL);
SSL_set_verify_result(ssl, X509_V_OK);
/*
{
int n, err;
X509 *xs;
- char *cp = NULL;
conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
SSLConnRec *sslconn = myConnConfig(c);
SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
verify_result = SSL_get_verify_result(pRec->pssl);
if (verify_result != X509_V_OK ||
- ((cp = (char *)apr_table_get(c->notes,
- "ssl::verify::error")) != NULL))
+ sslconn->verify_error != NULL)
{
if (ssl_verify_error_is_optional(verify_result) &&
(sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
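Review bot: The added condition `sslconn->verify_error != NULL` assumes the field starts out NULL, but the only explicit reset of that state in the old code — the `apr_table_setn(c->notes, "ssl::verify::error", NULL)` pre-definition removed at the top of this diff — has no replacement on the new side. If the SSLConnRec comes from apr_pcalloc() the first handshake is fine, but nothing visible clears `verify_error`/`verify_info` once the verify callback has set them, so a later re-verification on the same connection that succeeds would still be treated as a failure here (fail-closed, but wrong). Suggest putting `sslconn->verify_error = NULL;` and `sslconn->verify_info = NULL;` where the removed pre-definition lines were, just before SSL_set_verify_result(). The enclosing function's signature is above this hunk.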
}
else {
- const char *verror =
+ const char *error = sslconn->verify_error ?
+ sslconn->verify_error :
X509_verify_cert_error_string(verify_result);
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
"SSL client authentication failed: %s",
- cp ? cp : verror ? verror : "unknown");
+ error ? error : "unknown");
return ssl_abort(pRec, c);
}
}
* Remember the peer certificate's DN
*/
if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
- cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
+ char *cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
sslconn->client_dn = apr_pstrdup(c->pool, cp);
free(cp);
}
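Review bot: The X509 returned by SSL_get_peer_certificate() in the `if` condition carries its own reference, and no X509_free(xs) appears in the hunk; unless one follows outside it, every client-authenticated connection leaks the peer certificate, so adding `X509_free(xs);` as the last statement of the block is worth checking. Separately, `X509_NAME_oneline(..., NULL, 0)` returns NULL on allocation failure, which apr_pstrdup() passes through as a NULL client_dn with no diagnostic; a guard before the apr_pstrdup(), for example `if (cp == NULL) return ssl_abort(pRec, c);`, keeps the recorded DN state honest rather than silently empty. The enclosing function continues past the hunk.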
SSL *ssl;
const char *client_dn;
ssl_shutdown_type_e shutdown_type;
+ const char *verify_info;
+ const char *verify_error;
} SSLConnRec;
typedef struct {
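Review bot: The two new SSLConnRec members carry no comment on what they hold or who owns the string, and the other hunks show they only ever receive a string literal (`"GENEROUS"`) or the static string from X509_verify_cert_error_string(), never pool or heap memory; that is worth stating so nobody later stores a buffer that gets freed. Suggested declarations: `const char *verify_info;   /* "GENEROUS" when a client cert was accepted despite an unverifiable issuer, else NULL */` and `const char *verify_error;  /* static OpenSSL error string recorded by the verify callback on failure, else NULL */`. It would also help to note that nothing in this diff resets them once set, so they describe the most recent verification only if the caller clears them before each handshake. The struct's opening line is above this hunk.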
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");
- apr_table_setn(conn->notes, "ssl::verify::info", "GENEROUS");
+ sslconn->verify_info = "GENEROUS";
ok = TRUE;
}
ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum));
sslconn->client_dn = NULL;
- apr_table_setn(conn->notes, "ssl::verify::error",
- (void *)X509_verify_cert_error_string(errnum));
+ sslconn->verify_error =
+ X509_verify_cert_error_string(errnum);
}
/*
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
errdepth, depth);
- apr_table_setn(conn->notes, "ssl::verify::error",
- (void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
+ sslconn->verify_error =
+ X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG);
ok = FALSE;
}
SSLConnRec *sslconn = myConnConfig(c);
char *result;
long vrc;
- char *verr;
- char *vinfo;
+ const char *verr;
+ const char *vinfo;
SSL *ssl;
X509 *xs;
result = NULL;
ssl = sslconn->ssl;
- verr = (char *)apr_table_get(c->notes, "ssl::verify::error");
- vinfo = (char *)apr_table_get(c->notes, "ssl::verify::info");
+ verr = sslconn->verify_error;
+ vinfo = sslconn->verify_info;
vrc = SSL_get_verify_result(ssl);
xs = SSL_get_peer_certificate(ssl);
else if (strEQ(a, "errcode"))
result = "-";
else if (strEQ(a, "errstr"))
- result = (char *)apr_table_get(r->connection->notes, "ssl::verify::error");
+ result = (char *)sslconn->verify_error;
if (result != NULL && result[0] == NUL)
result = NULL;
return result;
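Review bot: `result = (char *)sslconn->verify_error;` casts const away from a pointer that, per the verify-callback hunks, refers to OpenSSL's static error-string table; the cast is forced by this lookup's `char *` return type, but the string must never be written to or freed by a caller. A one-line comment on the assignment would make that explicit: `/* static OpenSSL string; const is cast away only because the lookup API returns char * */`. The `result[0] == NUL` check below is safe on it as long as the field is always either NULL or a non-empty static string, which holds for every assignment visible in this diff. The enclosing lookup function starts above this hunk.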