Commit ad95a17f authored by Jim Jagielski

Merge r1756542 from trunk:

mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
in the client certificate chain.  PR 55786.

This is done by handling an empty cert chain as no/NULL chain.


Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770838 13f79535-47bb-0310-9956-ffa450edef68
parent 5b058ee7
+3 −0
@@ -2,6 +2,9 @@

Changes with Apache 2.4.24

  *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
     in the client certificate chain.  PR 55786.  [Yann Ylavic]

  *) mod_dir: Responses that go through "FallbackResource" might appear to
     hang due to unterminated chunked encoding. PR58292. [Eric Covener]

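Review bot: the directive name in the new CHANGES entry is misspelled; the SSLOptions flag is `OptRenegotiate`, so the line should read `*) mod_ssl: Fix quick renegotiation (OptRenegotiate) with no intermediate`. The same spelling is carried in the commit message, so fix it here before the entry ships in the 2.4.24 release notes.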
+0 −5
@@ -117,11 +117,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
     in the client certificate chain.  PR 55786.
     trunk patch: http://svn.apache.org/r1756542
     2.4.x patch: trunk works (modulo CHANGES)
     +1: ylavic, icing (by inspectin), jim


PATCHES PROPOSED TO BACKPORT FROM TRUNK:
+8 −8
@@ -884,7 +884,14 @@ int ssl_hook_Access(request_rec *r)

            cert = SSL_get_peer_certificate(ssl);

            if (!cert_stack && cert) {
            if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
                if (!cert) {
                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
                                  "Cannot find peer certificate chain");

                    return HTTP_FORBIDDEN;
                }

                /* client cert is in the session cache, but there is
                 * no chain, since ssl3_get_client_certificate()
                 * sk_X509_shift-ed the peer cert out of the chain.
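Review bot: the comment starting `/* client cert is in the session cache, but there is` no longer matches the widened condition `if (!cert_stack || (sk_X509_num(cert_stack) == 0))`: the block now also handles a non-NULL but empty chain, which is exactly the PR 55786 case (client presented only its leaf certificate, no intermediate), so the comment should say "no chain, or an empty one". Likewise, the log text `"Cannot find peer certificate chain"` is now emitted only when `cert` itself is NULL, so "Cannot find peer certificate" would describe that branch more accurately. The control flow itself looks right: the `if (!cert)` guard preserves the HTTP_FORBIDDEN path for a missing peer certificate, and the rebuilt stack holds the peer certificate as before.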
@@ -894,13 +901,6 @@ int ssl_hook_Access(request_rec *r)
                sk_X509_push(cert_stack, cert);
            }

            if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
                              "Cannot find peer certificate chain");

                return HTTP_FORBIDDEN;
            }

            if (!(cert_store ||
                  (cert_store = SSL_CTX_get_cert_store(ctx))))
            {
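Review bot: dropping the trailing `if (!cert_stack || (sk_X509_num(cert_stack) == 0))` guard is correct only because every exit from the restructured block above leaves `cert_stack` non-empty (either it already was, or a fresh stack with `cert` pushed onto it was created, and the NULL-certificate case returned early). That invariant is now implicit; a one-line comment at the point of the removed check, such as `/* cert_stack is non-empty here, see above */`, would keep a future edit to the block from silently reintroducing the empty-chain path.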