Date: Wed, 21 Nov 2001 17:40:27 -0800 (PST)
From: Doug MacEachern
To: "'dev@httpd.apache.org'"
Subject: RE: mod_ssl ssl::verify::depth ?

On Wed, 21 Nov 2001, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:

> If I'm not wrong, what we're trying to do here is to enforce the strongest
> SSLVerifyDepth b/w the directory config and the server-config -

right, but i don't see why ssl::verify::depth was ever needed for that.
i mean, the patch below should continue to do that without this (as far
as i can see) unneeded sslconn->verify_depth.  so we end up with simply:

    if (per-dir-verify != unset) {
        if (per-dir-verify < per-server-verify) {
            renegotiate = TRUE;
        }
    }

ssl_hook_Access is only going to be called once, and the value of
sc->nVerifyDepth isn't going to change even if it were called more than
once.

Index: modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.26
diff -u -r1.26 ssl_engine_kernel.c
--- modules/ssl/ssl_engine_kernel.c	2001/11/22 00:42:35	1.26
+++ modules/ssl/ssl_engine_kernel.c	2001/11/22 01:15:37
@@ -518,13 +518,8 @@ * restriction on the certificate chain). */ if (dc->nVerifyDepth != UNSET) { - /* XXX: doesnt look like sslconn->verify_depth is actually used */ - if (!(n = sslconn->verify_depth)) { - sslconn->verify_depth = n = sc->nVerifyDepth; - } - /* determine whether a renegotiation has to be forced */ - if (dc->nVerifyDepth < n) { + if (dc->nVerifyDepth < sc->nVerifyDepth) { renegotiate = TRUE; ssl_log(r->server, SSL_LOG_TRACE, "Reduced client verification depth will force renegotiation");
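Review bot: the new condition `if (dc->nVerifyDepth < sc->nVerifyDepth)` guards only dc->nVerifyDepth against UNSET; if the server-level depth can also be left unset, the per-directory value is compared against the sentinel rather than against the effective default depth, so either guard sc->nVerifyDepth the same way or resolve it to its default before the comparison. The removed block was the only writer of sslconn->verify_depth visible here (its own XXX comment already said the field looked unused), so the field should be dropped from the connection record or its remaining readers named in the commit message, otherwise it stays as a dead member. The explanatory comment `/* determine whether a renegotiation has to be forced */` was removed along with the dead code even though the comparison it describes remains; keeping it above the new `if` preserves the intent for the next reader.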