From d5e33be20872142ce825f1f2fae56b10d567af7e Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Thu, 3 Mar 2016 15:11:04 +0000
Subject: [PATCH] Merge r1684171 from trunk: mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if the SSLVerifyDepth applied with the default/handshaken vhost differs from the one applicable with the finally selected vhost.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733476 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 +++
 STATUS | 6 ----
 modules/ssl/ssl_engine_kernel.c | 56 ++++++++++++++++++---------------
 3 files changed, 34 insertions(+), 32 deletions(-)
diff --git a/CHANGES b/CHANGES
index bd2470214d..7c5beb59e0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -78,6 +78,10 @@ Changes with Apache 2.4.19
 *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to avoid a crash. [Jan Kaluza, Yann Ylavic]
+ *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
+ the SSLVerifyDepth applied with the default/handshaken vhost differs from
+ the one applicable with the finally selected vhost. [Yann Ylavic]
+
 *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries to OCSP responders through a HTTP proxy. [Ruediger Pluem]
diff --git a/STATUS b/STATUS
index 970a949c31..bad9e1da04 100644
--- a/STATUS
+++ b/STATUS
@@ -112,12 +112,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
- the SSLVerifyDepth applied with the default/handshaken vhost differs from
- the one applicable with the finally selected vhost.
- trunk patch: http://svn.apache.org/r1684171
- 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-SSLVerify_NONE_no_reneg_Depth.patch
- +1: ylavic, icing, jim
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 2f85c3fdc1..17fd7db392 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -668,31 +668,6 @@ int ssl_hook_Access(request_rec *r)
 }
 }
- /*
- * override of SSLVerifyDepth
- *
- * The depth checks are handled by us manually inside the verify callback
- * function and not by OpenSSL internally (and our function is aware of
- * both the per-server and per-directory contexts). So we cannot ask
- * OpenSSL about the currently verify depth. Instead we remember it in our
- * SSLConnRec attached to the SSL* of OpenSSL. We've to force the
- * renegotiation if the reconfigured/new verify depth is less than the
- * currently active/remembered verify depth (because this means more
- * restriction on the certificate chain).
- */
- n = (sslconn->verify_depth != UNSET) ?
- sslconn->verify_depth :
- (mySrvConfig(handshakeserver))->server->auth.verify_depth;
- /* determine the new depth */
- sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
- dc->nVerifyDepth : sc->server->auth.verify_depth;
- if (sslconn->verify_depth < n) {
- renegotiate = TRUE;
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
- "Reduced client verification depth will force "
- "renegotiation");
- }
-
 /*
 * override of SSLVerifyClient
 *
@@ -768,7 +743,36 @@ int ssl_hook_Access(request_rec *r)
 "Changed client verification type will force "
 "%srenegotiation", renegotiate_quick ? "quick " : "");
- }
+ }
+ else if (verify != SSL_VERIFY_NONE) {
+ /*
+ * override of SSLVerifyDepth
+ *
+ * The depth checks are handled by us manually inside the
+ * verify callback function and not by OpenSSL internally
+ * (and our function is aware of both the per-server and
+ * per-directory contexts). So we cannot ask OpenSSL about
+ * the currently verify depth. Instead we remember it in our
+ * SSLConnRec attached to the SSL* of OpenSSL. We've to force
+ * the renegotiation if the reconfigured/new verify depth is
+ * less than the currently active/remembered verify depth
+ * (because this means more restriction on the certificate
+ * chain).
+ */
+ n = (sslconn->verify_depth != UNSET)
+ ? sslconn->verify_depth
+ : hssc->server->auth.verify_depth;
+ /* determine the new depth */
+ sslconn->verify_depth = (dc->nVerifyDepth != UNSET)
+ ? dc->nVerifyDepth
+ : sc->server->auth.verify_depth;
+ if (sslconn->verify_depth < n) {
+ renegotiate = TRUE;
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
+ "Reduced client verification depth will "
+ "force renegotiation");
+ }
+ }
 }
 /* If we're handling a request for a vhost other than the default one,
 * then we need to make sure that client authentication is properly
-- 
2.50.1
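Review bot: Moving the SSLVerifyDepth comparison into the `else if (verify != SSL_VERIFY_NONE)` branch makes it reachable only when the verify-mode comparison right above it was evaluated, so if the condition enclosing that comparison (it starts before this hunk) is a "mode changed" test such as `verify != verify_old`, a per-directory SSLVerifyDepth that is smaller than the handshaken vhost's while SSLVerifyClient stays the same no longer updates `sslconn->verify_depth` nor forces a renegotiation, whereas the removed top-level block did that unconditionally. In that configuration a client chain deeper than the location's limit keeps being accepted on an already-authenticated connection, the reverse of the "more restriction on the certificate chain" intent restated in the moved comment. If that reading is right, the depth logic should be gated only on the new mode not being `SSL_VERIFY_NONE`, for example by lifting it out of the `else if` into its own `if (!renegotiate && verify != SSL_VERIFY_NONE) { ... }` that runs whether or not the mode changed; if instead the enclosing guard already covers the equal-mode case, a one-line comment saying so above the `else if` would save the next reader the same question. ssl_hook_Access begins and ends outside this hunk, so the enclosing braces and conditions could not be confirmed here.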