httpd-dev mailing list archives

From Doug MacEachern <do...@covalent.net>
Subject RE: mod_ssl ssl::verify::depth ?
Date Thu, 22 Nov 2001 01:40:27 GMT
On Wed, 21 Nov 2001, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:

> If I'm not wrong, what we're trying to do here is to enforce the strongest
> SSLVerifyDepth b/w the directory config and the server-config - 

right, but i don't see why ssl::verify::depth was ever needed for that.
i mean, the patch below should continue to do that without this (as far as
i can see) unneeded sslconn->verify_depth.

so we end up with simply:
if (per-dir-verify != unset) {
    if (per-dir-verify < per-server-verify) {
        renegotiate = TRUE;
    }
}

ssl_hook_Access is only going to be called once; the value of
sc->nVerifyDepth isn't going to change even if it were called more than once.

Index: modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.26
diff -u -r1.26 ssl_engine_kernel.c
--- modules/ssl/ssl_engine_kernel.c	2001/11/22 00:42:35	1.26
+++ modules/ssl/ssl_engine_kernel.c	2001/11/22 01:15:37
@@ -518,13 +518,8 @@
      * restriction on the certificate chain).
      */
     if (dc->nVerifyDepth != UNSET) {
-        /* XXX: doesnt look like sslconn->verify_depth is actually used */
-        if (!(n = sslconn->verify_depth)) {
-            sslconn->verify_depth = n = sc->nVerifyDepth;
-        }
-
         /* determine whether a renegotiation has to be forced */
-        if (dc->nVerifyDepth < n) {
+        if (dc->nVerifyDepth < sc->nVerifyDepth) {
             renegotiate = TRUE;
             ssl_log(r->server, SSL_LOG_TRACE,
                     "Reduced client verification depth will force renegotiation");
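Review bot: with the two assignments to `n` removed, the `n` variable declared earlier in this function may now be unused in this path; either drop its declaration or confirm it is still used further down, otherwise the build picks up an unused-variable warning. The rewritten condition `if (dc->nVerifyDepth < sc->nVerifyDepth)` also relies on sc->nVerifyDepth having been resolved to a real depth (not UNSET) before ssl_hook_Access runs; if the server-level value could still be UNSET here, a stricter per-directory depth would never compare lower and the forced renegotiation would be skipped, so it is worth confirming where the server default is applied. Finally, since this was the only writer of sslconn->verify_depth (per the removed XXX comment), check whether the field still has readers and remove it if not.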

