httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r1750779 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c
Date Thu, 30 Jun 2016 15:05:26 GMT


On 06/30/2016 02:08 PM, icing@apache.org wrote:
> Author: icing
> Date: Thu Jun 30 12:08:42 2016
> New Revision: 1750779
> 
> URL: http://svn.apache.org/viewvc?rev=1750779&view=rev
> Log:
> modssl: reset client-verify state when renegotiation is aborted
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> 
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1750779&r1=1750778&r2=1750779&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jun 30 12:08:42 2016
> @@ -1,6 +1,9 @@
>                                                           -*- coding: utf-8 -*-
>  Changes with Apache 2.5.0
>  
> +  *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
> +     [Erki Aring <erki@example.ee>, Stefan Eissing]
> +
>    *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
>       available before the request is sent.  PR 57832.  [Yann Ylavic]
>  
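
Review bot: The new CHANGES entry names the mechanism ("reset client-verify state of ssl") but not the behaviour an administrator would notice, and unlike the mod_proxy entry below it, it carries no PR number. Say what went wrong on the connection after an aborted renegotiation, and cite the bug report if one exists.
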
> 
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1750779&r1=1750778&r2=1750779&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Jun 30 12:08:42 2016
> @@ -727,6 +727,7 @@ int ssl_hook_Access(request_rec *r)
>                       * on this connection.
>                       */
>                      apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
> +                    SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
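
Review bot: The added SSL_set_verify() call at the end of this hunk has no comment explaining why verify_old is restored; the comment above it only covers the "ssl-renegotiate-forbidden" note. Add a line stating that the connection keeps its previous verify mode because the renegotiation was not carried out. Only this one abort path is visible here, so also confirm that every other early exit taken after the verify mode was changed restores verify_old in the same way.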

Is there a reason why we use ssl_callback_SSLVerify instead of NULL like we do in a similar
situation below?
IMHO we do not want to change the callback here to whatever it may set.
I agree that in practice there won't be any difference right now, since we only have one callback.

Regards

Rüdiger

