modssl: reset client-verify state when renegotiation is aborted
authorStefan Eissing <icing@apache.org>
Thu, 30 Jun 2016 12:08:42 +0000 (12:08 +0000)
committerStefan Eissing <icing@apache.org>
Thu, 30 Jun 2016 12:08:42 +0000 (12:08 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1750779 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index 22eb092b5a752db809ab959c53e385f77e150136..2da665d89f8c5386ff00893692aa7cc4630ab4b1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
+     [Erki Aring <erki@example.ee>, Stefan Eissing]
+
   *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
      available before the request is sent.  PR 57832.  [Yann Ylavic]
 
index 7cf048cf17a7e2ca6edeefea8fb37bdf6dc82b4c..d606aa3205be034f7c391a7b04ec598cf3c479f1 100644 (file)
@@ -727,6 +727,7 @@ int ssl_hook_Access(request_rec *r)
                      * on this connection.
                      */
                     apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
+                    SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
                     return HTTP_FORBIDDEN;
                 }
                 /* optimization */
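Review bot: The added `SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);` on the `ssl-renegotiate-forbidden` path has no comment saying why the old mode must be put back before returning, and it covers only this one exit. The verify mode was presumably raised earlier in `ssl_hook_Access` (outside the hunk), and because the SSL object belongs to the connection, a mode left raised without a completed handshake could make a later request on the same connection look as if client verification had already taken place. A comment such as `/* restore verify_old: the SSL state outlives this request, and no renegotiation was done to back the stricter mode */` above the call would record that. The function body starts and ends outside this hunk, so the other error returns that follow the earlier mode change should be checked for the same restore, as should any other per-connection setting changed alongside it, such as the verify depth. A regression test that sends a second request on the same connection after the 403 and expects it to be refused as well would pin the behaviour.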