From: Yann Ylavic <ylavic@apache.org>
Date: Thu, 31 Mar 2016 18:24:06 +0000 (+0000)
Subject: mod_ssl: follow up to r1734561 and r1735337.
X-Git-Tag: 2.5.0-alpha~1804
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1a829ed2fa91532e86edf8c544a1f5629bc5595b;p=apache

mod_ssl: follow up to r1734561 and r1735337.

We also need to reset the X509_STORE_CTX's error in the callback to quiet
X509_V_ERR_UNABLE_TO_GET_CRL for the leaf certificate (caught by AH02010).



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737265 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 91d5e926d6..ffa78dff7b 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1637,6 +1637,11 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 
     if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
             && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, conn,
+                      "Certificate Verification: Temporary error (%d): %s: "
+                      "optional therefore we're accepting the certificate",
+                      errnum, X509_verify_cert_error_string(errnum));
+        X509_STORE_CTX_set_error(ctx, X509_V_OK);
         errnum = X509_V_OK;
         ok = TRUE;
     }