From 3e754d68fd787062e251a160d9b4aa493567b2c0 Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Mon, 1 Oct 2018 18:21:18 +0000 Subject: [PATCH] * Pickup the proxy related configuration for verify mode and verify depth and not the configuration settings for frontend connections in case of connections by the proxy to the backend. PR: 62769 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1842540 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 6 +++++- modules/ssl/ssl_engine_kernel.c | 25 ++++++++++++++++++------- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 5eafac77bd..ebb00eb311 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: Fix a regression that the configuration settings for verify mode + and verify depth were taken from the frontend connection in case of + connections by the proxy to the backend. PR 62769. [Ruediger Pluem] + *) ab: Add client certificate support. [Graham Leggett] *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499 @@ -9,7 +13,7 @@ Changes with Apache 2.5.1 *) mod_http2: connection IO event handling reworked. Instead of reacting on incoming bytes, the state machine now acts on incoming frames that are affecting it. This reduces state transitions. [Stefan Eissing] - + *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and before signals handling to avoid lifetime issues on restart or shutdown. PR 62658. [Yann Ylavic] diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index c65f18690b..e91f600e87 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
@@ -1750,7 +1750,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /* Get verify ingredients */
     int errnum = X509_STORE_CTX_get_error(ctx);
     int errdepth = X509_STORE_CTX_get_error_depth(ctx);
-    int depth, verify;
+    int depth = UNSET;
+    int verify = SSL_CVERIFY_UNSET;
 
     /*
      * Log verification information
@@ -1766,10 +1767,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Check for optionally acceptable non-verifiable issuer situation
      */
-    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
-        verify = dc->nVerifyClient;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            verify = dc->proxy->auth.verify_mode;
+        }
+        else {
+            verify = dc->nVerifyClient;
+        }
     }
-    else {
+    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
         verify = mctx->auth.verify_mode;
     }
 
@@ -1873,10 +1879,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Finally check the depth of the certificate verification
      */
-    if (dc && (dc->nVerifyDepth != UNSET)) {
-        depth = dc->nVerifyDepth;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            depth = dc->proxy->auth.verify_depth;
+        }
+        else {
+            depth = dc->nVerifyDepth;
+        }
     }
-    else {
+    if (!dc || (depth == UNSET)) {
         depth = mctx->auth.verify_depth;
     }
 
-- 
2.50.1
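Review bot: `dc->proxy` is dereferenced without a NULL check in the new `is_proxy` branch of the verify-mode hunk at line 1767, and the same pattern repeats in the verify-depth hunk at line 1879; if every per-directory config is guaranteed to carry a proxy record this is fine, but that guarantee is not visible in the patch and deserves a comment at the branch, e.g. `/* dc->proxy is always allocated with the per-dir config */`. With `verify` and `depth` initialised to `SSL_CVERIFY_UNSET` and `UNSET` in the first hunk, the `!dc ||` in `if (!dc || (verify == SSL_CVERIFY_UNSET))` and `if (!dc || (depth == UNSET))` is redundant, since a NULL `dc` leaves both values unset, so `if (verify == SSL_CVERIFY_UNSET)` and `if (depth == UNSET)` read more directly. The security-relevant reason for the change is also worth recording next to the new branch, e.g. `/* Backend (proxy) connections take their policy from SSLProxyVerify, never from the frontend SSLVerifyClient setting */`, so the frontend/backend split that PR 62769 fixes is not reintroduced later. The enclosing function ssl_callback_SSLVerify begins before and ends after these hunks.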