httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44561] New: SSL quick renegotiation + client certs failing
Date Fri, 07 Mar 2008 19:44:12 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44561

           Summary: SSL quick renegotiation + client certs failing
           Product: Apache httpd-2
           Version: 2.0.63
          Platform: PC
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: asf@divinehawk.com


Created an attachment (id=21646)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=21646)
Patch for 2.0.63

Scenario:

- Per-directory SSLVerifyClient
- SSLOptions +OptRenegotiate

Quick renegotiation fails because the certification verification procedure sets
the Verify Result incorrectly.

Bug exists in 2.0/2.2/trunk.

Detail:

            if (!modssl_X509_verify_cert(&cert_store_ctx)) {
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                             "Re-negotiation verification step failed");
                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
            }

            SSL_set_verify_result(ssl, cert_store_ctx.error);

Function modssl_X509_verify_cert(ctx) does not set cert_store_ctx.error unless
there was a problem verifying the certificate. Therefore, we do not want to set
the verify_result to this value. Current behavior sets this to an undefined value
(which is NOT X509_V_OK).

Fix attached (against 2.0).


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

