From e5efb68d5b874c6663c6b6661f01fdfc7b1f6d9c Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 14 Feb 2008 10:24:04 +0000 Subject: [PATCH] Kasper Brand came across a flaw in the current implementation when CRL information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis (don't know how much sense it makes to have non-global CRLs, but anyway...). The attached patch (47B2B1A7.1060009@velox.ch on httpd-dev) addresses this issue, and it also improves the logging behavior for an SNI enabled configuration (previously some of the messages would always go to the first vhost, or wouldn't appear at all, depending on the LogLevel of the first vhost). reviewed: dirkx git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@627699 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_kernel.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index e37d903331..6a0e5ef620 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -2022,6 +2022,26 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) SSL_CTX_get_verify_callback(ssl->ctx)); } + /* + * We also need to make sure that the correct mctx is + * assigned to the connection - the CRL callback e.g. + * makes use of it for retrieving its store (mctx->crl). + */ + c->base_server = s; + + /* Since logging in callbacks uses c->base_server in many + * cases, it also ensures that these messages are routed + * to the proper log. And finally, there is one special + * filter callback, which is set very early depending on the + * base_server's log level. If this is not the first vhost + * we're now selecting (and the first vhost doesn't use + * APLOG_DEBUG), then we need to set that callback here. + */ + if (c->base_server->loglevel >= APLOG_DEBUG) { + BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); + BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); + } + return 1; } -- 2.50.1