httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Thu, 28 Aug 2008 17:13:36 GMT
Oden Eriksson wrote:
> However, the perl-framework tests barfs at:
> 
> t/ssl/v2....................# Failed test 1 in t/ssl/v2.t at line 16

The root cause for this failure could actually be the same as for a
different issue which was reported to me by private e-mail just
yesterday - in ssl_engine_kernel.c:ssl_hook_Access(), the SNI patch will
trigger unnecessary renegotiations. Currently there's this check:

 if ((dc->nVerifyDepth != UNSET) ||
     (sc->server->auth.verify_depth != UNSET)) {
     /* XXX: doesnt look like sslconn->verify_depth is actually used */
       if (!(n = sslconn->verify_depth)) {
           sslconn->verify_depth = n = sc->server->auth.verify_depth;
       }
  ...

When I added the second condition to the first if statement, I was
assuming that the default for auth.verify_depth is UNSET as well.
However, it's initialized to "1" (i.e. SSL_CVERIFY_OPTIONAL) in
ssl_engine_init.c:ssl_init_ctx_verify(), so the patch is erroneously
triggering renegotiations due to "Reduced client verification depth".

Oden, if you change the line

     (sc->server->auth.verify_depth != UNSET)) {
to
     (sc->server->auth.verify_depth != SSL_CVERIFY_OPTIONAL)) {

will t/ssl/v2 succeed then?


Kaspar

Mime
View raw message