Support OpenSSL 1.1.0:
authorRainer Jung <rjung@apache.org>
Wed, 10 Aug 2016 20:10:51 +0000 (20:10 +0000)
committerRainer Jung <rjung@apache.org>
Wed, 10 Aug 2016 20:10:51 +0000 (20:10 +0000)
- Fix renegotiation for the client side
  of a proxy connection.

Backport of r1730146 from trunk.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755835 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

index 3bfd98224b0885e868c6ccc5b4b9aa87df7c86df..a0c735f52863ed4fac48d80f44c864bbb97cba11 100644 (file)
@@ -2141,7 +2141,9 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
         if (state == SSL3_ST_SR_CLNT_HELLO_A
             || state == SSL23_ST_SR_CLNT_HELLO_A) {
 #else
-    if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_REJECT) {
+    if (!scr->is_proxy &&
+        (where & SSL_CB_HANDSHAKE_START) &&
+        scr->reneg_state == RENEG_REJECT) {
 #endif
             scr->reneg_state = RENEG_ABORT;
             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
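Review bot: The new `!scr->is_proxy` term in the `#else` branch has no comment explaining why proxy connections are exempt from the RENEG_REJECT to RENEG_ABORT transition, which is a security-relevant decision a later reader needs to understand. Going by the commit message, I would add above the condition something like `/* On a proxy connection httpd is the TLS client, so a handshake start here is not a client-initiated renegotiation to reject. */`. The branch before `#else` gets no matching check, and its opening condition is outside the hunk. Presumably it only matches server-side client-hello states, but that should be confirmed and stated in the same comment. ssl_callback_Info begins before this hunk and continues past it.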
@@ -2151,13 +2153,18 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 #endif
     }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-    else if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_ALLOW) {
+    else if (!scr->is_proxy &&
+             (where & SSL_CB_HANDSHAKE_START) &&
+             scr->reneg_state == RENEG_ALLOW) {
         scr->reneg_state = RENEG_STARTED;
     }
-    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_STARTED) {
+    else if (!scr->is_proxy &&
+             (where & SSL_CB_HANDSHAKE_DONE) &&
+             scr->reneg_state == RENEG_STARTED) {
         scr->reneg_state = RENEG_DONE;
     }
-    else if ((where & SSL_CB_ALERT) &&
+    else if (!scr->is_proxy &&
+             (where & SSL_CB_ALERT) &&
              (scr->reneg_state == RENEG_ALLOW || scr->reneg_state == RENEG_STARTED)) {
         scr->reneg_state = RENEG_ALERT;
     }
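Review bot: `!scr->is_proxy` is now repeated at the head of every branch of this else-if chain, and in the branch changed by the previous hunk. A branch added later without it would silently bring proxy connections back into the renegotiation state machine. A single enclosing guard, `if (!scr->is_proxy) {` ... `}` around the whole chain, would state the rule once and leave each condition as it was before the change. The chain sits inside `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, whose `#endif` is outside the hunk, and the first branch is split by `#else`, so the guard has to be placed with that preprocessor structure in mind.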