httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45054] SSLVerifyClient optional_no_ca is broken
Date Tue, 13 Apr 2010 17:52:55 GMT

--- Comment #1 from Paul Donohue <> 2010-04-13 13:52:53 EDT
I've run into the same problem.  If 'SSLVerifyClient optional_no_ca' is used,
the SSL_CLIENT_VERIFY environment variable will contain either 'SUCCESS' or
'FAILED:' (with no error string). It will never contain 'GENEROUS', as stated
by the documentation.

As Benjamin stated, this happens because ssl_callback_SSLVerify() in
ssl_engine_kernel.c only sets sslconn->verify_info = "GENEROUS" if validation
failed with an "optional" error, and only sets sslconn->verify_error if
optional_no_ca is used and validation failed with a non-optional error. Thus,
the 'if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))'
statement in ssl_var_lookup_ssl_cert_verify() in ssl_engine_vars.c will never
match because vinfo will not have been set if vrc is set to X509_V_OK, and the
FAILED message will not contain an error string since sslconn->verify_error was
never set.

I get the sense that the original mistake was in the if statement in
ssl_engine_vars.c, so the second approach mentioned by Benjamin is probably the
best fix.  However, the ssl_verify_error_is_optional(vrc) check that Benjamin
used isn't actually needed, since sslconn->verify_info will not be set if the
error is optional, so you only really need to check for sslconn->verify_info ==

I'm attaching two patches (one for 2.2.x, and one for trunk) to correct this. 
Hopefully someone will apply them, as this is a simple but annoying bug.
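The following is an added example, not part of Paul Donohue's comment and not mod_ssl's source: a stand-alone C model of the path the comment traces, from the verify callback to the value of SSL_CLIENT_VERIFY. conn_state, model_verify_callback, verify_lookup_original, verify_lookup_fixed and client_verify_for are invented names; the X509_V_* macros stand in for OpenSSL's so the file builds without OpenSSL, APR or httpd headers. It runs the three interesting client-certificate outcomes through the quoted condition and through the proposed one, so the "FAILED:" with an empty reason becomes visible.

```c
/* Added example, not mod_ssl's code: a stand-alone model of the path from
 * ssl_callback_SSLVerify() to the SSL_CLIENT_VERIFY value. All names and
 * X509_V_* values below are stand-ins so this builds with no OpenSSL/APR. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X509_V_OK                                    0
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

enum verify_mode { CVERIFY_OPTIONAL, CVERIFY_OPTIONAL_NO_CA, CVERIFY_REQUIRE };

typedef struct {
    long vrc;                 /* what SSL_get_verify_result() reports later */
    int have_peer_cert;       /* a client certificate was presented */
    const char *verify_info;  /* sslconn->verify_info: "GENEROUS" or NULL */
    const char *verify_error; /* sslconn->verify_error: reason or NULL */
} conn_state;

/* Stand-in for ssl_verify_error_is_optional(): the "no trusted issuer" class
 * of errors that optional_no_ca tolerates (one member is enough here). */
int is_optional_error(long errnum)
{
    return errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
}

/* Stand-in for X509_verify_cert_error_string(). */
const char *err_string(long errnum)
{
    switch (errnum) {
    case X509_V_ERR_CERT_HAS_EXPIRED:                  return "certificate has expired";
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: return "unable to get local issuer certificate";
    default:                                           return "unknown error";
    }
}

/* Model of ssl_callback_SSLVerify() as the comment describes it. preverify_ok
 * and errnum are what OpenSSL decided; the return value goes back to OpenSSL.
 * Assumption: when the callback overrides a failure, the final
 * SSL_get_verify_result() still carries the original error, not X509_V_OK. */
int model_verify_callback(int preverify_ok, long errnum, enum verify_mode mode,
                          conn_state *c)
{
    memset(c, 0, sizeof *c);
    c->have_peer_cert = 1;
    c->vrc = preverify_ok ? X509_V_OK : errnum;
    if (!preverify_ok && mode == CVERIFY_OPTIONAL_NO_CA && is_optional_error(errnum)) {
        c->verify_info = "GENEROUS";  /* unverifiable but tolerated */
        return 1;                     /* continue the handshake */
    }
    if (!preverify_ok)
        c->verify_error = err_string(errnum);
    return preverify_ok;
}

/* SSL_CLIENT_VERIFY as the lookup quoted in the comment computes it: GENEROUS
 * is gated on vrc == X509_V_OK, which never holds once verify_info is set.
 * The NONE/SUCCESS arms are simplified. */
const char *verify_lookup_original(const conn_state *c, char *buf, size_t n)
{
    if (c->vrc == X509_V_OK && c->verify_info == NULL && c->verify_error == NULL)
        return c->have_peer_cert ? "SUCCESS" : "NONE";
    if (c->vrc == X509_V_OK && c->verify_info != NULL && strcmp(c->verify_info, "GENEROUS") == 0)
        return "GENEROUS";
    snprintf(buf, n, "FAILED:%s", c->verify_error ? c->verify_error : "");
    return buf;
}

/* The fix the comment argues for: GENEROUS is decided by verify_info alone. */
const char *verify_lookup_fixed(const conn_state *c, char *buf, size_t n)
{
    if (c->verify_info != NULL && strcmp(c->verify_info, "GENEROUS") == 0)
        return "GENEROUS";
    if (c->vrc == X509_V_OK && c->verify_error == NULL)
        return c->have_peer_cert ? "SUCCESS" : "NONE";
    snprintf(buf, n, "FAILED:%s", c->verify_error ? c->verify_error : "");
    return buf;
}

/* One scenario end to end; returns a pointer to static storage. */
const char *client_verify_for(int preverify_ok, long errnum, enum verify_mode mode,
                              int use_fix)
{
    static char buf[128];
    conn_state c;
    model_verify_callback(preverify_ok, errnum, mode, &c);
    return use_fix ? verify_lookup_fixed(&c, buf, sizeof buf)
                   : verify_lookup_original(&c, buf, sizeof buf);
}

int main(void)
{
    static const struct { const char *label; int ok; long err; } cases[] = {
        { "CA-signed cert",  1, X509_V_OK },
        { "unknown-CA cert", 0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY },
        { "expired cert",    0, X509_V_ERR_CERT_HAS_EXPIRED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        conn_state c; char b1[64], b2[64];
        model_verify_callback(cases[i].ok, cases[i].err, CVERIFY_OPTIONAL_NO_CA, &c);
        printf("%-16s original=%-10s fixed=%s\n", cases[i].label,
               verify_lookup_original(&c, b1, sizeof b1), verify_lookup_fixed(&c, b2, sizeof b2));
    }
    return 0;
}
```

Two points for anyone relying on this variable: GENEROUS means a certificate was presented but could not be chained to a configured CA, so an application must not treat it as authenticated; and with the bug in place the unverifiable-certificate case shows up as "FAILED:" rather than "GENEROUS", which fails closed, so code that only tests for "SUCCESS" behaves the same before and after the fix.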

