httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45054] SSLVerifyClient optional_no_ca is broken
Date Tue, 13 Apr 2010 17:52:55 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45054

--- Comment #1 from Paul Donohue <apache-bugzilla@PaulSD.com> 2010-04-13 13:52:53 EDT ---
I've run into the same problem.  If 'SSLVerifyClient optional_no_ca' is used,
the SSL_CLIENT_VERIFY environment variable will contain either 'SUCCESS' or
'FAILED:' (with no error string). It will never contain 'GENEROUS', as stated
by the documentation.

As Benjamin stated, this happens because ssl_callback_SSLVerify() in
ssl_engine_kernel.c only sets sslconn->verify_info = "GENEROUS" if validation
failed with an "optional" error, and only sets sslconn->verify_error if
optional_no_ca is used and validation failed with a non-optional error. Thus,
the 'if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))'
statement in ssl_var_lookup_ssl_cert_verify() in ssl_engine_vars.c will never
match because vinfo will not have been set if vrc is set to X509_V_OK, and the
FAILED message will not contain an error string since sslconn->verify_error was
never set.

I get the sense that the original mistake was in the if statement in
ssl_engine_vars.c, so the second approach mentioned by Benjamin is probably the
best fix.  However, the ssl_verify_error_is_optional(vrc) check that Benjamin
used isn't actually needed, since sslconn->verify_info will not be set if the
error is optional, so you only really need to check for sslconn->verify_info ==
GENEROUS.

I'm attaching two patches (one for 2.2.x, and one for trunk) to correct this. 
Hopefully someone will apply them, as this is a simple but annoying bug.
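The two lookups the comment compares, as an added model (not httpd source code): the existing test that demands X509_V_OK together with "GENEROUS", beside the proposed test on verify_info alone. The struct, the MODEL_ constants and the three connection states are constructed stand-ins for SSLConnRec and OpenSSL's result codes, chosen to match the states the comment describes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the OpenSSL codes; the numeric values are illustrative only. */
#define MODEL_X509_V_OK 0
#define MODEL_X509_V_ERR_CERT_HAS_EXPIRED 10
#define MODEL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20

/* Hypothetical subset of SSLConnRec plus what SSL_get_verify_result() would report. */
typedef struct {
    long        verify_result;  /* stored result; stays non-zero even when the callback accepted the error */
    const char *verify_info;    /* sslconn->verify_info, "GENEROUS" when optional_no_ca forgave an optional error */
    const char *verify_error;   /* sslconn->verify_error, only set for a non-optional failure */
    int         have_cert;      /* a peer certificate was presented */
} model_conn;

static char failed_buf[128];

/* Shared tail: NONE / SUCCESS / FAILED:<reason>; the reason is empty when verify_error was never set. */
static const char *tail(const model_conn *c)
{
    int clean = c->verify_result == MODEL_X509_V_OK && !c->verify_error && !c->verify_info;
    if (clean) return c->have_cert ? "SUCCESS" : "NONE";
    snprintf(failed_buf, sizeof failed_buf, "FAILED:%s", c->verify_error ? c->verify_error : "");
    return failed_buf;
}

/* Existing test as the comment describes it: X509_V_OK and GENEROUS are required together, but they never coincide. */
const char *lookup_buggy(const model_conn *c)
{
    if (c->verify_result == MODEL_X509_V_OK && c->verify_info && strcmp(c->verify_info, "GENEROUS") == 0)
        return "GENEROUS";
    return tail(c);
}

/* Proposed test: verify_info alone decides, because it is only set when an optional error was forgiven. */
const char *lookup_fixed(const model_conn *c)
{
    if (c->verify_info && strcmp(c->verify_info, "GENEROUS") == 0)
        return "GENEROUS";
    return tail(c);
}

/* Constructed connection states: clean verification, optional_no_ca with an unknown CA, and an expired certificate. */
const model_conn CONN_OK       = { MODEL_X509_V_OK, NULL, NULL, 1 };
const model_conn CONN_GENEROUS = { MODEL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, "GENEROUS", NULL, 1 };
const model_conn CONN_EXPIRED  = { MODEL_X509_V_ERR_CERT_HAS_EXPIRED, NULL, "certificate has expired", 1 };

int main(void)
{
    printf("existing: %s\n", lookup_buggy(&CONN_GENEROUS));  /* prints "existing: FAILED:" */
    printf("proposed: %s\n", lookup_fixed(&CONN_GENEROUS));  /* prints "proposed: GENEROUS" */
    return 0;
}
```

An application that authorizes on SSL_CLIENT_VERIFY being "GENEROUS" versus "FAILED:..." therefore cannot tell a forgiven unknown-CA certificate from a real failure until the lookup is corrected.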
