httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From do...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_kernel.c
Date Fri, 24 Aug 2001 00:09:30 GMT
dougm       01/08/23 17:09:30

  Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_kernel.c
  Log:
  support "SSLVerifyClient optional_no_ca"
  
  Revision  Changes    Path
  1.27      +29 -5     httpd-2.0/modules/ssl/mod_ssl.c
  
  Index: mod_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
  retrieving revision 1.26
  retrieving revision 1.27
  diff -u -r1.26 -r1.27
  --- mod_ssl.c	2001/08/23 23:43:45	1.26
  +++ mod_ssl.c	2001/08/24 00:09:30	1.27
  @@ -345,6 +345,7 @@
       char *cp = NULL;
       conn_rec *c = (conn_rec*)SSL_get_app_data (pRec->pssl);
       SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
  +    long verify_result;
   
       if (!SSL_is_init_finished(pRec->pssl))
       {
  @@ -445,14 +446,37 @@
           /*
            * Check for failed client authentication
            */
  -        if (SSL_get_verify_result(pRec->pssl) != X509_V_OK ||
  +        verify_result = SSL_get_verify_result(pRec->pssl);
  +
  +        if (verify_result != X509_V_OK ||
               ((cp = (char *)apr_table_get(c->notes,
                                            "ssl::verify::error")) != NULL))
           {
  -            ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  -                    "SSL client authentication failed: %s",
  -                    cp != NULL ? cp : "unknown reason");
  -            return ssl_abort(pRec, c);
  +            if (ssl_verify_error_is_optional(verify_result) &&
  +                (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
  +            {
  +                /* leaving this log message as an error for the moment,
  +                 * according to the mod_ssl docs:
  +                 * "level optional_no_ca is actually against the idea
  +                 *  of authentication (but can be used to establish 
  +                 * SSL test pages, etc.)"
  +                 * optional_no_ca doesn't appear to work as advertised
  +                 * in 1.x
  +                 */
  +                ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                        "SSL client authentication failed, "
  +                        "accepting certificate based on "
  +                        "\"SSLVerifyClient optional_no_ca\" configuration");
  +
  +            }
  +            else {
  +                const char *verror =
  +                    X509_verify_cert_error_string(verify_result);
  +                ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                        "SSL client authentication failed: %s",
  +                        cp ? cp : verror ? verror : "unknown");
  +                return ssl_abort(pRec, c);
  +            }
           }
   
           /*
  
  
  
  1.31      +11 -0     httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.30
  retrieving revision 1.31
  diff -u -r1.30 -r1.31
  --- mod_ssl.h	2001/08/23 19:42:44	1.30
  +++ mod_ssl.h	2001/08/24 00:09:30	1.31
  @@ -344,6 +344,17 @@
       SSL_CVERIFY_OPTIONAL_NO_CA  = 3
   } ssl_verify_t;
   
  +#ifndef X509_V_ERR_CERT_UNTRUSTED
  +#define X509_V_ERR_CERT_UNTRUSTED 27
  +#endif
  +
  +#define ssl_verify_error_is_optional(errnum) \
  +   ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
  +    || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
  +    || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
  +    || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
  +    || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
  +
   /*
    * Define the SSL pass phrase dialog types
    */
  
  
  
  1.19      +3 -8      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- ssl_engine_kernel.c	2001/08/22 21:37:15	1.18
  +++ ssl_engine_kernel.c	2001/08/24 00:09:30	1.19
  @@ -1237,14 +1237,9 @@
           verify = dc->nVerifyClient;
       else
           verify = sc->nVerifyClient;
  -    if (   (   errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
  -            || errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
  -            || errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
  -#if SSL_LIBRARY_VERSION >= 0x00905000
  -            || errnum == X509_V_ERR_CERT_UNTRUSTED
  -#endif
  -            || errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE  )
  -        && verify == SSL_CVERIFY_OPTIONAL_NO_CA                       ) {
  +    if (ssl_verify_error_is_optional(errnum) &&
  +        verify == SSL_CVERIFY_OPTIONAL_NO_CA)
  +    {
           ssl_log(s, SSL_LOG_TRACE,
                   "Certificate Verification: Verifiable Issuer is configured as "
                   "optional, therefore we're accepting the certificate");
  
  
  

Mime
View raw message