Commit e9f93c6c authored by Doug MacEachern's avatar Doug MacEachern
Browse files

in case there is actually a cert chain in the cache, we should be 

using the value of SSL_get_peer_certificate(ssl) to verify as it will
have been removed from the chain before it was put in the cache.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95603 13f79535-47bb-0310-9956-ffa450edef68
parent 5a2ea818

modules/ssl/ssl_engine_kernel.c

+7 −2
Original line number Diff line number Diff line
@@ -710,7 +710,9 @@ int ssl_hook_Access(request_rec *r) 


            cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);



            if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {

            cert = SSL_get_peer_certificate(ssl);



            if (!cert_stack && cert) {

                /* client cert is in the session cache, but there is

                 * no chain, since ssl3_get_client_certificate()

                 * sk_X509_shift-ed the peer cert out of the chain.
@@ -736,7 +738,10 @@ int ssl_hook_Access(request_rec *r) 
                return HTTP_FORBIDDEN;

            }



            if (!cert) {

                cert = sk_X509_value(cert_stack, 0);

            }



            X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);

            depth = SSL_get_verify_depth(ssl);