httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Sat, 25 Apr 2009 08:29:55 GMT
 

> -----Original Message-----
> From: Kaspar Brand
> Sent: Saturday, 25 April 2009 09:37
> To: dev@httpd.apache.org
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
> 
> >> Mind to send a version v9 of your patch such that I can review the
> >> complete one again? Thanks for your efforts.
> 
> Sorry, please disregard v9 - it makes SSL_VERIFY_CLIENT report GENEROUS
> even in cases where it could/should be SUCCESS, actually (if the CA list
> stays the same; i.e., v9 doesn't weaken things, security-wise, but
> possibly locks out legitimate [non-SNI] clients).

Sounds reasonable.

> 
> I have attached v10. As far as ssl_var_lookup_ssl_cert_verify() is
> concerned, a tweak could look like:
> 
> --- modules/ssl/ssl_engine_vars.c       (revision 765079)
> +++ modules/ssl/ssl_engine_vars.c       (working copy)
> @@ -607,7 +607,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po
>          result = "SUCCESS";
>      else if (vrc == X509_V_OK && vinfo != NULL && 
> strEQ(vinfo, "GENEROUS"))
>          /* client verification done in generous way */
> -        result = "GENEROUS";
> +        result = xs ? "GENEROUS" : "NONE";
>      else
>          /* client verification failed */
>          result = apr_psprintf(p, "FAILED:%s", verr);
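Review bot: the `xs ? "GENEROUS" : "NONE"` ternary on the `+` line leaves the comment directly above it (`/* client verification done in generous way */`) describing only one of the two outcomes it can now produce; as the sender already notes, the comment should be updated, or better, the `xs == NULL` case hoisted into its own `else if` so that every value reported by ssl_var_lookup_ssl_cert_verify() has an explicit condition and rationale beside it. The change is confined to this branch: SUCCESS on the first context line is still reached only on its own condition, and the tweak merely stops a connection that presented no peer certificate from being reported as GENEROUS.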
> 
> 
> [Not included in v10. If it's added, we should probably update the comment
> to explain why we're doing it like this, exactly.]

I guess the following one is the better patch

Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c       (revision 768231)
+++ modules/ssl/ssl_engine_vars.c       (working copy)
@@ -599,7 +599,7 @@
     vrc   = SSL_get_verify_result(ssl);
     xs    = SSL_get_peer_certificate(ssl);

-    if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs ==
NULL)
+    if (vrc == X509_V_OK && verr == NULL && xs == NULL)
         /* no client verification done at all */
         result = "NONE";
     else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL &&
xs != NULL)
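Review bot: dropping `vinfo == NULL` from the first condition widens the NONE branch: a connection with `vrc == X509_V_OK`, `verr == NULL` and no peer certificate now reports NONE regardless of `vinfo`, where previously a non-NULL `vinfo` sent it further down the chain (to the GENEROUS branch when `vinfo` was "GENEROUS", otherwise to the final `FAILED:%s` branch with `verr` being NULL). That is the intended effect and is equivalent to the `xs ? "GENEROUS" : "NONE"` tweak quoted above as long as "GENEROUS" is the only value `vinfo` can carry; the comment `/* no client verification done at all */` should say that `xs == NULL` (no certificate presented) is now the deciding criterion, so the reasoning survives the next edit. The following `else if` still requires `xs != NULL`, so SUCCESS cannot be reported without a certificate.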

IMHO we can report NONE whenever there was no error and the client cert is empty.
Opinions by the SSL Gurus?

Regards

Rüdiger

