Commit 5c199515 authored by Eric Covener's avatar Eric Covener

Merge r1842540 from trunk:

* Pickup the proxy related configuration for verify mode and verify depth and
  not the configuration settings for frontend connections in case of
  connections by the proxy to the backend.

PR: 62769



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843370 13f79535-47bb-0310-9956-ffa450edef68
parent c6211217
+4 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.36

  *) mod_ssl: Fix a regression that the configuration settings for verify mode
     and verify depth were taken from the frontend connection in case of
     connections by the proxy to the backend. PR 62769. [Ruediger Pluem]

  *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
     before signals handling to avoid lifetime issues on restart or shutdown.
     PR 62658. [Yann Ylavic]
+0 −9
@@ -136,15 +136,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     (requires r1738415 and r1826930 above to resolve conflict)
     +1: minfrin, jim, ylavic

  *) mod_ssl: Fix a regression that the configuration settings for verify mode
     and verify depth were taken from the frontend connection in case of
     connections by the proxy to the backend. PR 62769.
     trunk patch: http://svn.apache.org/r1842540
     2.4.x: trunk works (modulo CHANGES)
            svn merge -c r1842540 ^/httpd/httpd/trunk .
     +1: ylavic, icing (by inspection), covener


PATCHES PROPOSED TO BACKPORT FROM TRUNK:
  [ New proposals should be added at the end of the list ]

+18 −7
@@ -1740,7 +1740,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
    /* Get verify ingredients */
    int errnum   = X509_STORE_CTX_get_error(ctx);
    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
    int depth, verify;
    int depth = UNSET;
    int verify = SSL_CVERIFY_UNSET;

    /*
     * Log verification information
@@ -1756,10 +1757,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
    /*
     * Check for optionally acceptable non-verifiable issuer situation
     */
    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
        verify = dc->nVerifyClient;
    if (dc) {
        if (sslconn->is_proxy) {
            verify = dc->proxy->auth.verify_mode;
        }
        else {
            verify = dc->nVerifyClient;
        }
    }
    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
        verify = mctx->auth.verify_mode;
    }

@@ -1863,10 +1869,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
    /*
     * Finally check the depth of the certificate verification
     */
    if (dc && (dc->nVerifyDepth != UNSET)) {
        depth = dc->nVerifyDepth;
    if (dc) {
        if (sslconn->is_proxy) {
            depth = dc->proxy->auth.verify_depth;
        }
        else {
            depth = dc->nVerifyDepth;
        }
    }
    if (!dc || (depth == UNSET)) {
        depth = mctx->auth.verify_depth;
    }
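Review bot: In the verify-mode block, `verify = dc->proxy->auth.verify_mode;` dereferences `dc->proxy` with only `dc` checked for NULL, and the depth block does the same with `depth = dc->proxy->auth.verify_depth;`. Where the per-directory proxy context is allocated is not visible in these hunks, so either confirm it is always populated or guard the reads, e.g. `verify = dc->proxy ? dc->proxy->auth.verify_mode : SSL_CVERIFY_UNSET;` and `depth = dc->proxy ? dc->proxy->auth.verify_depth : UNSET;`, so that a missing proxy context falls through to the `mctx` default instead of crashing the callback. Because this callback decides whether a peer certificate is accepted, each block also deserves a short comment on precedence, such as `/* backend (proxy) connections read dc->proxy, frontend ones read dc; UNSET falls back to mctx */`. The two blocks are near-identical, so a small static helper would keep the mode and depth selection from drifting apart. The body of ssl_callback_SSLVerify starts and ends outside these hunks, so the setup of `sslconn`, `dc` and `mctx` could not be checked here.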