From 5d55a0052d74ceedd2c2816eba3e75669b7e0395 Mon Sep 17 00:00:00 2001 From: Rainer Jung Date: Tue, 9 Feb 2016 23:18:20 +0000 Subject: [PATCH] OpenSSl 1.1.0 support - improve renegotiation loop. Should now also work in case only the cipher changes. Should now also work in case the handshake ends with an error. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729498 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_kernel.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 855bed2d46..31dcb27e20 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1038,16 +1038,9 @@ int ssl_hook_Access(request_rec *r) * See: http://marc.info/?t=145493359200002&r=1&w=2 */ /* XXX: Polling is bad, alternatives? */ - /* XXX: What about renegotiations which do not need to - * send client certs, e.g. if only the cipher needs - * to switch? We need a better success criterion here - * or the loop will poll until SSL_HANDSHAKE_MAX_POLLS - * is reached. - */ for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) { has_buffered_data(r); - cert = SSL_get_peer_certificate(ssl); - if (cert != NULL) { + if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) { break; } apr_sleep(SSL_HANDSHAKE_POLL_MS); @@ -1055,10 +1048,11 @@ int ssl_hook_Access(request_rec *r) ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO() "Renegotiation loop %d iterations, " "in_init=%d, init_finished=%d, " - "state=%s, peer_certs=%s", + "state=%s, sslconn->ssl=%s, peer_certs=%s", i, SSL_in_init(ssl), SSL_is_init_finished(ssl), SSL_state_string_long(ssl), - cert != NULL ? "yes" : "no"); + sslconn->ssl != NULL ? "yes" : "no", + SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no"); #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ -- 2.40.0