git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: svn commit: r1842540 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c



On 10/05/2018 12:26 PM, Rainer Jung wrote:
> Shouldn't we backport this? Or do you have doubts or maybe waiting for feedback?

>From my point of view it can be backported. It was sitting around in trunk waiting for feedback and then because of
being busy I forgot about. Feel free to propose.

Regards

Rüdiger

> 
> Regards,
> 
> Rainer
> 
> Am 01.10.2018 um 20:21 schrieb rpluem@xxxxxxxxxx:
>> Author: rpluem
>> Date: Mon Oct  1 18:21:18 2018
>> New Revision: 1842540
>>
>> URL: http://svn.apache.org/viewvc?rev=1842540&view=rev
>> Log:
>> * Pickup the proxy related configuration for verify mode and verify depth and
>>    not the configuration settings for frontend connections in case of
>>    connections by the proxy to the backend.
>>
>> PR: 62769
>>
>> Modified:
>>      httpd/httpd/trunk/CHANGES
>>      httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>>
>> Modified: httpd/httpd/trunk/CHANGES
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1842540&r1=1842539&r2=1842540&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
>> +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct  1 18:21:18 2018
>> @@ -1,6 +1,10 @@
>>                                                            -*- coding: utf-8 -*-
>>   Changes with Apache 2.5.1
>>   +  *) mod_ssl: Fix a regression that the configuration settings for verify mode
>> +     and verify depth were taken from the frontend connection in case of
>> +     connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
>> +
>>     *) ab: Add client certificate support. [Graham Leggett]
>>       *) mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
>> @@ -9,7 +13,7 @@ Changes with Apache 2.5.1
>>     *) mod_http2: connection IO event handling reworked. Instead of reacting on
>>        incoming bytes, the state machine now acts on incoming frames that are
>>        affecting it. This reduces state transitions. [Stefan Eissing]
>> -
>> +
>>     *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
>>        before signals handling to avoid lifetime issues on restart or shutdown.
>>        PR 62658. [Yann Ylavic]
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1842540&r1=1842539&r2=1842540&view=diff
>>
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Oct  1 18:21:18 2018
>> @@ -1750,7 +1750,8 @@ int ssl_callback_SSLVerify(int ok, X509_
>>       /* Get verify ingredients */
>>       int errnum   = X509_STORE_CTX_get_error(ctx);
>>       int errdepth = X509_STORE_CTX_get_error_depth(ctx);
>> -    int depth, verify;
>> +    int depth = UNSET;
>> +    int verify = SSL_CVERIFY_UNSET;
>>         /*
>>        * Log verification information
>> @@ -1766,10 +1767,15 @@ int ssl_callback_SSLVerify(int ok, X509_
>>       /*
>>        * Check for optionally acceptable non-verifiable issuer situation
>>        */
>> -    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
>> -        verify = dc->nVerifyClient;
>> +    if (dc) {
>> +        if (sslconn->is_proxy) {
>> +            verify = dc->proxy->auth.verify_mode;
>> +        }
>> +        else {
>> +            verify = dc->nVerifyClient;
>> +        }
>>       }
>> -    else {
>> +    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
>>           verify = mctx->auth.verify_mode;
>>       }
>>   @@ -1873,10 +1879,15 @@ int ssl_callback_SSLVerify(int ok, X509_
>>       /*
>>        * Finally check the depth of the certificate verification
>>        */
>> -    if (dc && (dc->nVerifyDepth != UNSET)) {
>> -        depth = dc->nVerifyDepth;
>> +    if (dc) {
>> +        if (sslconn->is_proxy) {
>> +            depth = dc->proxy->auth.verify_depth;
>> +        }
>> +        else {
>> +            depth = dc->nVerifyDepth;
>> +        }
>>       }
>> -    else {
>> +    if (!dc || (depth == UNSET)) {
>>           depth = mctx->auth.verify_depth;
>>       }
>