httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 44561] New: SSL quick renegotiation + client certs failing
Date Fri, 07 Mar 2008 19:44:12 GMT

           Summary: SSL quick renegotiation + client certs failing
           Product: Apache httpd-2
           Version: 2.0.63
          Platform: PC
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P2
         Component: mod_ssl

Created an attachment (id=21646): Patch for 2.0.63


- Per-directory SSLVerifyClient
- SSLOptions +OptRenegotiate

Quick renegotiation fails because the certificate verification procedure sets
the verify result incorrectly.

Bug exists in 2.0/2.2/trunk.


            if (!modssl_X509_verify_cert(&cert_store_ctx)) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                             "Re-negotiation verification step failed");
                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
            }

            /* cert_store_ctx.error is never written on the success path */
            SSL_set_verify_result(ssl, cert_store_ctx.error);

Function modssl_X509_verify_cert(ctx) does not set cert_store_ctx.error unless
there was a problem verifying the certificate. Therefore, we should not set the
verify_result to this value. Current behavior sets this to an undefined value
(which is NOT X509_V_OK).

Fix attached (against 2.0).
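The defect described above, as an added, self-contained C model that is not mod_ssl or OpenSSL code and does not reproduce the attached patch: verify_cert() mirrors a verifier that only writes the error field on failure, verify_result_buggy() reads that field unconditionally (stale stack memory is simulated with a constant so the run is deterministic), and verify_result_fixed() shows one assumed remedy, seeding the field with X509_V_OK before verification. X509_V_OK is 0 as in OpenSSL; the DEMO_ values are placeholders.

```c
#include <string.h>

/* Constructed model of the re-negotiation path the report describes; it is
 * not mod_ssl or OpenSSL code. X509_V_OK is 0 in OpenSSL; the DEMO_ values
 * are placeholders for this demo only. */
#define X509_V_OK              0
#define DEMO_ERR_CERT_REJECTED 26   /* placeholder verifier error code */
#define DEMO_STALE_BYTE        0x5a /* stands in for leftover stack data */

struct store_ctx {
    int error;  /* written by verify_cert() only when verification fails */
};

/* Mirrors the behaviour the report describes: on success it returns 1 and
 * leaves ctx->error untouched; only the failure path writes ctx->error. */
static int verify_cert(struct store_ctx *ctx, int cert_is_valid)
{
    if (cert_is_valid)
        return 1;
    ctx->error = DEMO_ERR_CERT_REJECTED;
    return 0;
}

/* Buggy pattern: the verify result is read from a field the success path
 * never initialised. Stale memory is simulated by pre-filling the struct so
 * the demo is deterministic (a real uninitialised value is unpredictable). */
int verify_result_buggy(int cert_is_valid)
{
    struct store_ctx ctx;
    memset(&ctx, DEMO_STALE_BYTE, sizeof ctx);
    verify_cert(&ctx, cert_is_valid);
    return ctx.error;   /* what SSL_set_verify_result() would be handed */
}

/* Hardened pattern (an assumed approach, not necessarily the attached patch):
 * seed the field with X509_V_OK so the success path yields X509_V_OK and the
 * failure path yields the verifier's own error code. */
int verify_result_fixed(int cert_is_valid)
{
    struct store_ctx ctx;
    memset(&ctx, DEMO_STALE_BYTE, sizeof ctx);
    ctx.error = X509_V_OK;
    verify_cert(&ctx, cert_is_valid);
    return ctx.error;
}
```

Both functions return the value the modelled caller would pass to SSL_set_verify_result(): for a valid certificate the buggy path returns the stale byte pattern rather than X509_V_OK, while the fixed path returns X509_V_OK.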
