From 10806f5db18b19faecff1c1a8990e04646dd1f16 Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Mon, 8 Jun 2015 12:25:22 +0000
Subject: [PATCH] mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if the SSLVerifyDepth applied with the default/handshaken vhost differs from the one applicable with the finally selected vhost.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1684171 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 +++
 modules/ssl/ssl_engine_kernel.c | 60 ++++++++++++++++++---------------
 2 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/CHANGES b/CHANGES
index 95b89f5256..63e7d0fc11 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
+ the SSLVerifyDepth applied with the default/handshaken vhost differs from
+ the one applicable with the finally selected vhost. [Yann Ylavic]
+
 *) core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index e172e0496a..1df82fbd71 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -513,31 +513,6 @@ int ssl_hook_Access(request_rec *r)
 }
 }
- /*
- * override of SSLVerifyDepth
- *
- * The depth checks are handled by us manually inside the verify callback
- * function and not by OpenSSL internally (and our function is aware of
- * both the per-server and per-directory contexts). So we cannot ask
- * OpenSSL about the currently verify depth. Instead we remember it in our
- * SSLConnRec attached to the SSL* of OpenSSL. We've to force the
- * renegotiation if the reconfigured/new verify depth is less than the
- * currently active/remembered verify depth (because this means more
- * restriction on the certificate chain).
- */
- n = (sslconn->verify_depth != UNSET) ?
- sslconn->verify_depth :
- (mySrvConfig(handshakeserver))->server->auth.verify_depth;
- /* determine the new depth */
- sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
- dc->nVerifyDepth : sc->server->auth.verify_depth;
- if (sslconn->verify_depth < n) {
- renegotiate = TRUE;
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
- "Reduced client verification depth will force "
- "renegotiation");
- }
- /*
- * override of SSLVerifyClient
- *
@@ -554,6 +529,8 @@ int ssl_hook_Access(request_rec *r)
 */
 if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
 (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
+ SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
+
 /* remember old state */
 verify_old = SSL_get_verify_mode(ssl);
 /* configure new state */
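Review bot: `hssc` is hoisted to the top of the `if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || ...)` block but nothing in this hunk reads it; its consumers are the depth comparison added later in the file (`hssc->server->auth.verify_depth`) and, presumably, the `MODSSL_CFG_CA_NE` block whose own `hssc` declaration the last hunk deletes. Worth confirming that second block is lexically inside this `if` — indentation is not recoverable from this view — otherwise the deletion leaves `hssc` undeclared there. A one-line comment at the declaration would make the shared use obvious, e.g. `/* config of the vhost the TLS handshake ran under; its verify settings are compared with sc's below */`.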
@@ -601,7 +578,36 @@ int ssl_hook_Access(request_rec *r)
 "Changed client verification type will force "
 "%srenegotiation", renegotiate_quick ? "quick " : "");
- }
+ }
+ else if (verify != SSL_VERIFY_NONE) {
+ /*
+ * override of SSLVerifyDepth
+ *
+ * The depth checks are handled by us manually inside the
+ * verify callback function and not by OpenSSL internally
+ * (and our function is aware of both the per-server and
+ * per-directory contexts). So we cannot ask OpenSSL about
+ * the currently verify depth. Instead we remember it in our
+ * SSLConnRec attached to the SSL* of OpenSSL. We've to force
+ * the renegotiation if the reconfigured/new verify depth is
+ * less than the currently active/remembered verify depth
+ * (because this means more restriction on the certificate
+ * chain).
+ */
+ n = (sslconn->verify_depth != UNSET)
+ ? sslconn->verify_depth
+ : hssc->server->auth.verify_depth;
+ /* determine the new depth */
+ sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
+ ? dc->nVerifyDepth
+ : sc->server->auth.verify_depth;
+ if (sslconn->verify_depth < n) {
+ renegotiate = TRUE;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
+ "Reduced client verification depth will "
+ "force renegotiation");
+ }
+ }
 }
 /* If we're handling a request for a vhost other than the default one,
 * then we need to make sure that client authentication is properly
@@ -617,8 +623,6 @@ int ssl_hook_Access(request_rec *r)
 && renegotiate
 && ((verify & SSL_VERIFY_PEER) ||
 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
- SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
-
 #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
 (sc1->server->auth.f && \
 (!sc2->server->auth.f || \
--
2.50.1
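Review bot: The remembered depth in `sslconn->verify_depth` is now only refreshed inside the new `else if (verify != SSL_VERIFY_NONE)` branch, so on the path that has just logged "Changed client verification type will force renegotiation" it keeps its previous value (or UNSET) even though the renegotiation will enforce the new per-dir/per-vhost depth; the next request on the same connection then compares the configured depth against `hssc->server->auth.verify_depth` instead of the depth actually in force, which contradicts the comment kept in this hunk ("we remember it in our SSLConnRec"). The `else if` is also chained to whichever `if` the re-added `}` closes, and that `if` starts outside the hunk: if it is the branch deciding that a stronger verify mode needs a renegotiation rather than the outer comparison of the new mode with `verify_old`, a request whose selected vhost or directory keeps the same SSLVerifyClient but configures a smaller SSLVerifyDepth no longer forces any renegotiation, and the longer chain accepted at handshake time is silently kept — a case the block deleted in the first hunk handled unconditionally. I would hoist the assignments to `n` and `sslconn->verify_depth` out of the chain, right after `verify` is derived, and keep only the decision as a standalone `if (verify != SSL_VERIFY_NONE && sslconn->verify_depth < n) {` with the existing `renegotiate = TRUE;` and APLOGNO(02254) log inside. ssl_hook_Access itself begins and ends outside this hunk.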