From 1a829ed2fa91532e86edf8c544a1f5629bc5595b Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Thu, 31 Mar 2016 18:24:06 +0000
Subject: [PATCH] mod_ssl: follow up to r1734561 and r1735337. We also need to reset the X509_STORE_CTX's error in the callback to quiet X509_V_ERR_UNABLE_TO_GET_CRL for the leaf certificate (caught by AH02010).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737265 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 91d5e926d6..ffa78dff7b 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1637,6 +1637,11 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL && (mctx->crl_check_mask & SSL_CRLCHECK_NO_CRL_FOR_CERT_OK)) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, conn,
+ "Certificate Verification: Temporary error (%d): %s: "
+ "optional therefore we're accepting the certificate",
+ errnum, X509_verify_cert_error_string(errnum));
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
 errnum = X509_V_OK;
 ok = TRUE;
 }
--
2.50.1
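Review bot: The added `X509_STORE_CTX_set_error(ctx, X509_V_OK)` overwrites the store context's single error slot, so once it runs the verify result no longer records that revocation could not be checked for this certificate; the only trace is the `APLOG_TRACE3` message, which names neither the certificate nor its chain depth. Because this is a deliberate fail-open path gated on `SSL_CRLCHECK_NO_CRL_FOR_CERT_OK`, I would add the depth to the log line (`"... Temporary error (%d): %s at depth %d: "` with `X509_STORE_CTX_get_error_depth(ctx)` as the extra argument) and put a why-comment on the reset, for example `/* also clear the store error, otherwise the verify result read after the handshake still reports UNABLE_TO_GET_CRL (AH02010) */`. The rest of ssl_callback_SSLVerify lies outside the hunk, so it is worth confirming that an error tolerated by an earlier invocation of the callback cannot end up reported as a clean result once the slot is reset here. The wording "Temporary error" is also slightly misleading, since a missing CRL need not be transient.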