git.ipfire.org Git - thirdparty/apache/httpd.git/commit
Merge r833582, r833593, r881222 from trunk:
author: Rainer Jung <rjung@apache.org>
Thu, 13 May 2010 13:27:03 +0000 (13:27 +0000)
committer: Rainer Jung <rjung@apache.org>
Thu, 13 May 2010 13:27:03 +0000 (13:27 +0000)
commit: 80584a8564ba95b10b370c7d0e01b7726ea867a1
tree: 95f82540b61b4b0bcfd40695b492c349d50fd6bb
parent: 69708ba1d099013ec251f8088d778fd823126f9d
Merge r833582, r833593, r881222 from trunk:

SECURITY: Partial fix for CVE-2009-3555:

Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.

Configurations with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL != 0.9.8l).

* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
  (ssl_callback_Info): Renamed from ssl_callback_LogTracingState.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
  the (renamed) info callback unconditionally.

* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
  to SSLConnRec.
  (bio_filter_out_write, bio_filter_in_read): Fail with
  APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.

* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
  of ssl_callback_LogTracingState.
  (ssl_callback_Info): New function.

Submitted by: jorton, rpluem, rjung
Reviewed by: rjung, rpluem, pgollucci

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943879 13f79535-47bb-0310-9956-ffa450edef68
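The commit message above describes a small state machine: an info callback marks the connection once the initial handshake completes, flags any later handshake the server did not ask for as a client-initiated renegotiation, and the I/O filters then refuse to move bytes (APR_ECONNABORTED). The block below is an added, self-contained model of that guard written for this page; it is not httpd's code and does not link OpenSSL. The CB_HANDSHAKE_START / CB_HANDSHAKE_DONE values and the conn_rec_t, info_callback, server_begin_reneg and bio_write names are stand-ins for the OpenSSL info-callback flags, SSLConnRec and the mod_ssl filters. The third scenario shows why the fix is only partial: a renegotiation the server itself starts (as per-location "SSLVerifyClient require" does) is deliberately let through, so that path stays exposed to CVE-2009-3555 unless the TLS library itself is fixed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in values for OpenSSL's SSL_CB_HANDSHAKE_START / SSL_CB_HANDSHAKE_DONE
 * (constructed for this model; real code uses the macros from <openssl/ssl.h>). */
#define CB_HANDSHAKE_START 0x10
#define CB_HANDSHAKE_DONE  0x20

/* Renegotiation state kept per connection, mirroring the reneg_state idea. */
typedef enum {
    RENEG_INIT = 0,  /* initial handshake still in progress           */
    RENEG_REJECT,    /* handshake done; client renegotiation refused   */
    RENEG_ALLOW,     /* server asked for a renegotiation; let it run   */
    RENEG_ABORT      /* client tried to renegotiate; drop the connection */
} reneg_state_t;

typedef struct {
    reneg_state_t reneg_state;
} conn_rec_t;            /* hypothetical stand-in for SSLConnRec */

static void conn_init(conn_rec_t *c) { memset(c, 0, sizeof *c); }

/* Called for every TLS state-machine event, like an SSL info callback.
 * A HANDSHAKE_START seen while we are in RENEG_REJECT can only be a
 * renegotiation the peer started on its own, so it is flagged for abort. */
static void info_callback(conn_rec_t *c, int where)
{
    if (where & CB_HANDSHAKE_START) {
        if (c->reneg_state == RENEG_REJECT)
            c->reneg_state = RENEG_ABORT;
    } else if (where & CB_HANDSHAKE_DONE) {
        if (c->reneg_state == RENEG_INIT || c->reneg_state == RENEG_ALLOW)
            c->reneg_state = RENEG_REJECT;
    }
}

/* The server announces a renegotiation it wants (e.g. to request a client
 * certificate for a protected location) before driving the handshake. */
static void server_begin_reneg(conn_rec_t *c)
{
    if (c->reneg_state == RENEG_REJECT)
        c->reneg_state = RENEG_ALLOW;
}

/* Model of the output filter: once aborted, no bytes move and the caller
 * gets the connection-aborted error instead. Returns 0 or an errno value. */
static int bio_write(conn_rec_t *c, const char *buf, size_t len, size_t *written)
{
    (void)buf;
    if (c->reneg_state == RENEG_ABORT) {
        *written = 0;
        return ECONNABORTED;
    }
    *written = len;
    return 0;
}

/* Scenario 1: one handshake, then application data flows normally. */
int scenario_normal(void)
{
    conn_rec_t c; size_t n = 0;
    conn_init(&c);
    info_callback(&c, CB_HANDSHAKE_START);
    info_callback(&c, CB_HANDSHAKE_DONE);
    int rc = bio_write(&c, "GET / HTTP/1.0\r\n", 16, &n);
    return rc == 0 && n == 16 && c.reneg_state == RENEG_REJECT;
}

/* Scenario 2: the peer starts a second handshake nobody asked for. */
int scenario_client_reneg(void)
{
    conn_rec_t c; size_t n = 99;
    conn_init(&c);
    info_callback(&c, CB_HANDSHAKE_START);
    info_callback(&c, CB_HANDSHAKE_DONE);
    info_callback(&c, CB_HANDSHAKE_START);   /* unsolicited renegotiation */
    int rc = bio_write(&c, "x", 1, &n);
    return rc == ECONNABORTED && n == 0 && c.reneg_state == RENEG_ABORT;
}

/* Scenario 3: server-initiated renegotiation is still permitted, which is
 * exactly the configuration the commit message calls "still vulnerable". */
int scenario_server_reneg(void)
{
    conn_rec_t c; size_t n = 0;
    conn_init(&c);
    info_callback(&c, CB_HANDSHAKE_START);
    info_callback(&c, CB_HANDSHAKE_DONE);
    server_begin_reneg(&c);
    info_callback(&c, CB_HANDSHAKE_START);
    info_callback(&c, CB_HANDSHAKE_DONE);
    int rc = bio_write(&c, "x", 1, &n);
    return rc == 0 && n == 1 && c.reneg_state == RENEG_REJECT;
}

int main(void)
{
    printf("normal=%d client_reneg_rejected=%d server_reneg_allowed=%d\n",
           scenario_normal(), scenario_client_reneg(), scenario_server_reneg());
    return 0;
}
```

The key design point is that the callback cannot tell a client-initiated from a server-initiated handshake by the TLS messages alone; it relies on the server having set RENEG_ALLOW first. Anything that reaches HANDSHAKE_START without that marker is treated as hostile and the connection is torn down at the filter layer rather than letting the renegotiated session carry injected plaintext.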
CHANGES
STATUS
modules/ssl/mod_ssl.h
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_engine_kernel.c