Commit 2bbed6cd authored by Joe Orton's avatar Joe Orton

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly

  restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1855849 13f79535-47bb-0310-9956-ffa450edef68
parent 707c7f70
+3 −0
                                                         -*- coding: utf-8 -*-
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.5.1
Changes with Apache 2.5.1


  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
     [Michael Kaufmann <mail michael-kaufmann.ch>]

  *) mod_md: Explicitly setting file permissions to break out of umasks. We want our
  *) mod_md: Explicitly setting file permissions to break out of umasks. We want our
     non-privilegded apache user to be able to read them. See github issue
     non-privilegded apache user to be able to read them. See github issue
     <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] 
     <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] 
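--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1155,6 +1155,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
                 apr_table_setn(r->notes, "error-notes",
                                "Reason: Cannot perform Post-Handshake Authentication.<br />");
+                SSL_set_verify(ssl, vmode_inplace, NULL);
                 return HTTP_FORBIDDEN;
             }
             
@@ -1176,6 +1177,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
              * Finally check for acceptable renegotiation results
              */
             if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+                SSL_set_verify(ssl, vmode_inplace, NULL);
                 return rc;
             }
         }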
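Review bot: Both added `SSL_set_verify(ssl, vmode_inplace, NULL);` calls (before `return HTTP_FORBIDDEN;` and before `return rc;`) carry no comment explaining why the restore matters for access control. The verify mode lives on the connection's SSL object, so presumably a later request on the same kept-alive connection would otherwise find the stricter mode already in place even though no client certificate was verified. I would add above each call something like `/* PHA failed: put the previous verify mode back so a later request on this connection re-attempts client verification */`, and note that the NULL callback argument leaves the installed verify callback unchanged. The restore is repeated by hand per failure branch, and the body of ssl_hook_Access_modern between and around the two hunks is not visible here. It is worth confirming that no other early return after the mode is raised skips the restore, or folding the exits into one cleanup path.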