From 8b8c8a066fddffc7f4b7cd0f5d385b6a38cd32c9 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 12 Sep 2018 11:52:21 +0000
Subject: [PATCH] Merge r1840585 from trunk:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with 403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840664 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 1a74e1efb5b..8be437c81d0 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1219,8 +1219,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() "verify client post handshake");
 SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
- SSL_verify_client_post_handshake(ssl);
+ if (SSL_verify_client_post_handshake(ssl) != 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
+ "cannot perform post-handshake authentication");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ apr_table_setn(r->notes, "error-notes",
+ "Reason: Cannot perform Post-Handshake Authentication.
");
+ return HTTP_FORBIDDEN;
+ }
+
 old_state = sslconn->reneg_state;
 sslconn->reneg_state = RENEG_ALLOW;
 modssl_set_app_data2(ssl, r);
-- 
2.47.3