PR:
authorDoug MacEachern <dougm@apache.org>
Tue, 11 Jun 2002 03:12:33 +0000 (03:12 +0000)
committerDoug MacEachern <dougm@apache.org>
Tue, 11 Jun 2002 03:12:33 +0000 (03:12 +0000)
Obtained from:
Submitted by:
Reviewed by:
'SSLOptions +OptRenegotiate' will use the client cert from the SSL
session cache when there is no cert chain in the cache.  Prior to
the fix this situation would result in a FORBIDDEN response and the
error message "Cannot find peer certificate chain"

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95601 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index 41a2c69cdf87f3b344806091e37cc102516da801..45fe3998049a9ebdf5e748f5ca154e99ba92b713 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 2.0.37
 
+  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
+     session cache when there is no cert chain in the cache.  prior to
+     the fix this situation would result in a FORBIDDEN response and
+     error message "Cannot find peer certificate chain"
+     [Doug MacEachern]
+
   *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
      one was already sent.  PR 9644  [Jeff Trawick]
 
index 1e50644ae8933d303d0b749d02b9d314744532e9..9b180dffba0249f754e9bfd692ebf0694660ca09 100644 (file)
@@ -709,6 +709,16 @@ int ssl_hook_Access(request_rec *r)
 
             cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
 
+            if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {
+                /* client cert is in the session cache, but there is
+                 * no chain, since ssl3_get_client_certificate()
+                 * sk_X509_shift-ed the peer cert out of the chain.
+                 * we put it back here for the purpose of quick_renegotiation.
+                 */
+                cert_stack = sk_new_null();
+                sk_X509_push(cert_stack, cert);
+            }
+
             if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                              "Cannot find peer certificate chain");
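Review bot: The fallback stack built at the `sk_new_null()` line is never checked, and `cert` at that point carries the extra reference `SSL_get_peer_certificate()` takes, which only the later `sk_X509_pop_free()` releases; if `sk_new_null()` returns NULL or `sk_X509_push()` fails, that reference leaks and the request drops into the "Cannot find peer certificate chain" branch with the X509 still held. The type-safe `sk_X509_new_null()` also avoids assigning an untyped `STACK *` to `cert_stack`. The failure handling below keeps the existing error branch as the only way out, so nothing else in the function needs to change. ssl_hook_Access starts before this hunk and continues past it.
```c
            if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {
                /* … unchanged: comment explaining the shifted peer cert … */
                cert_stack = sk_X509_new_null();
                if (!cert_stack || !sk_X509_push(cert_stack, cert)) {
                    /* release the reference SSL_get_peer_certificate() took;
                     * a NULL cert_stack makes the check below log and fail */
                    X509_free(cert);
                    sk_X509_free(cert_stack);
                    cert_stack = NULL;
                }
            }
```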
@@ -745,6 +755,11 @@ int ssl_hook_Access(request_rec *r)
 
             SSL_set_verify_result(ssl, cert_store_ctx.error);
             X509_STORE_CTX_cleanup(&cert_store_ctx);
+
+            if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
+                /* we created this ourselves, so free it */
+                sk_X509_pop_free(cert_stack, X509_free);
+            }
         }
         else {
             request_rec *id = r->main ? r->main : r;
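Review bot: The `sk_X509_pop_free()` added after `X509_STORE_CTX_cleanup()` is the only place the stack synthesized in the earlier hunk, and the reference `SSL_get_peer_certificate()` took on `cert`, are released; any early return between the two hunks (the lines in between are not shown, so this needs checking against the full function) would leak both per renegotiated request. Testing ownership by calling `SSL_get_peer_cert_chain(ssl)` a second time works only because a chain that was NULL at the first call is still NULL here; a local `int own_cert_stack = 0;` set to 1 where the stack is created and tested here as `if (own_cert_stack) sk_X509_pop_free(cert_stack, X509_free);` states the intent directly and does not depend on that. A one-line comment naming the matching `SSL_get_peer_certificate()` reference would also help the next reader see why `X509_free` is the right element destructor. ssl_hook_Access continues past this hunk.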