*) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
avoid a crash. [Jan Kaluza, Yann Ylavic]
+ *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
+ the SSLVerifyDepth applied with the default/handshaken vhost differs from
+ the one applicable with the finally selected vhost. [Yann Ylavic]
+
*) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
to OCSP responders through a HTTP proxy. [Ruediger Pluem]
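Review bot: the new CHANGES entry names a directive that does not exist: the client-verification setting is `SSLVerifyClient` (the code comment being moved in this same commit calls it "override of SSLVerifyClient"), not `SSLVerify`. Readers searching the documentation for `SSLVerify` will find nothing, so suggest rewording the first line to "mod_ssl: When SSLVerifyClient is none, don't force a renegotiation if ...". The rest of the entry (default/handshaken vhost vs. finally selected vhost, attribution) matches the STATUS proposal that this backport resolves.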
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
- the SSLVerifyDepth applied with the default/handshaken vhost differs from
- the one applicable with the finally selected vhost.
- trunk patch: http://svn.apache.org/r1684171
- 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-SSLVerify_NONE_no_reneg_Depth.patch
- +1: ylavic, icing, jim
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
}
}
- /*
- * override of SSLVerifyDepth
- *
- * The depth checks are handled by us manually inside the verify callback
- * function and not by OpenSSL internally (and our function is aware of
- * both the per-server and per-directory contexts). So we cannot ask
- * OpenSSL about the currently verify depth. Instead we remember it in our
- * SSLConnRec attached to the SSL* of OpenSSL. We've to force the
- * renegotiation if the reconfigured/new verify depth is less than the
- * currently active/remembered verify depth (because this means more
- * restriction on the certificate chain).
- */
- n = (sslconn->verify_depth != UNSET) ?
- sslconn->verify_depth :
- (mySrvConfig(handshakeserver))->server->auth.verify_depth;
- /* determine the new depth */
- sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
- dc->nVerifyDepth : sc->server->auth.verify_depth;
- if (sslconn->verify_depth < n) {
- renegotiate = TRUE;
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
- "Reduced client verification depth will force "
- "renegotiation");
- }
-
/*
* override of SSLVerifyClient
*
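Review bot: the deleted block read the handshake server's configured depth through `mySrvConfig(handshakeserver)`, while the re-added block later in this diff reads `hssc->server->auth.verify_depth`, and `hssc` is not declared anywhere in the visible changes. Confirm that this function already has `hssc` defined as the `mySrvConfig(handshakeserver)` result in the enclosing scope, otherwise the moved code will not compile. Also note for anyone comparing behaviour: the removed code assigned `sslconn->verify_depth` on every pass through this code path, so the remembered depth was always refreshed here; with the removal that refresh only happens wherever the block is re-added.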
"Changed client verification type will force "
"%srenegotiation",
renegotiate_quick ? "quick " : "");
- }
+ }
+ else if (verify != SSL_VERIFY_NONE) {
+ /*
+ * override of SSLVerifyDepth
+ *
+ * The depth checks are handled by us manually inside the
+ * verify callback function and not by OpenSSL internally
+ * (and our function is aware of both the per-server and
+ * per-directory contexts). So we cannot ask OpenSSL about
+ * the currently verify depth. Instead we remember it in our
+ * SSLConnRec attached to the SSL* of OpenSSL. We've to force
+ * the renegotiation if the reconfigured/new verify depth is
+ * less than the currently active/remembered verify depth
+ * (because this means more restriction on the certificate
+ * chain).
+ */
+ n = (sslconn->verify_depth != UNSET)
+ ? sslconn->verify_depth
+ : hssc->server->auth.verify_depth;
+ /* determine the new depth */
+ sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
+ ? dc->nVerifyDepth
+ : sc->server->auth.verify_depth;
+ if (sslconn->verify_depth < n) {
+ renegotiate = TRUE;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
+ "Reduced client verification depth will "
+ "force renegotiation");
+ }
+ }
}
/* If we're handling a request for a vhost other than the default one,
* then we need to make sure that client authentication is properly
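Review bot: the new `else if (verify != SSL_VERIFY_NONE)` attaches to the `if` closed by the `}` just above it, i.e. the block that logs "Changed client verification type will force ... renegotiation". That makes the SSLVerifyDepth override run only when the verification-type check did not already force a renegotiation and verification is not off. Skipping the `sslconn->verify_depth < n` comparison in the type-changed case is harmless, since a renegotiation is already being forced, but the assignment `sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ? dc->nVerifyDepth : sc->server->auth.verify_depth;` is skipped as well, whereas the removed block executed it unconditionally; the remembered depth therefore keeps its previous value (or UNSET) going into that forced renegotiation. Either hoist the assignment out of the `else if` so the depth is refreshed in both branches, or extend the comment to say why the stale value is acceptable when the verification type changed. Guarding on `verify != SSL_VERIFY_NONE` does deliver the behaviour the CHANGES entry describes (no depth-triggered renegotiation when verification is disabled). Minor: since the comment is being reflowed anyway, "the currently verify depth" should read "the current verify depth" and "We've to force" should read "We have to force".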