From 50f39b07dce3de7b4f9712a4e4d3a19bb59c9356 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Tue, 11 Sep 2018 16:01:47 +0000
Subject: [PATCH] * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with 403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1840585 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/log-message-tags/next-number | 2 +-
 modules/ssl/ssl_engine_kernel.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 0d02a5ca06..9c11cc094f 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10158
+10159
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 2b0bc75a22..ddf2a7b607 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1219,8 +1219,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10129) "verify client post handshake");
 SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
- SSL_verify_client_post_handshake(ssl);
+ if (SSL_verify_client_post_handshake(ssl) != 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
+ "cannot perform post-handshake authentication");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ apr_table_setn(r->notes, "error-notes",
+ "Reason: Cannot perform Post-Handshake Authentication.
");
+ return HTTP_FORBIDDEN;
+ }
+
 old_state = sslconn->reneg_state;
 sslconn->reneg_state = RENEG_ALLOW;
 modssl_set_app_data2(ssl, r);
--
2.40.0
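Review bot: The new early `return HTTP_FORBIDDEN` fires after the context line `SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);` has already changed the connection's verify mode, so the SSL object keeps `vmode_needed` even though no post-handshake authentication was performed. If the decision to enter this branch on a later request over the same keep-alive connection is made by comparing the required mode against `SSL_get_verify_mode(ssl)` (that logic is outside the hunk), such a request could skip the re-attempt, so it is worth confirming that the peer-certificate presence check further down still rejects it, or restoring the prior mode before returning, e.g. `int prev_vmode = SSL_get_verify_mode(ssl);` ahead of the `SSL_set_verify` call and `SSL_set_verify(ssl, prev_vmode, ssl_callback_SSLVerify);` before the `return`. Separately, this failure is client-driven — per the commit message any TLS 1.3 client that omits the Post-Handshake Authentication extension lands here — so an APLOG_ERR entry plus the `ssl_log_ssl_error` dump on every such request may be noisy on a busy server, and a short comment naming the cause, `/* client did not offer post-handshake auth; no client cert can be requested now */`, would help operators triaging the log. ssl_hook_Access_modern starts and ends outside the hunk.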