Fix client verification problem with SNI and multicerts.
authorGuenter Knauf <fuankg@apache.org>
Tue, 3 Jun 2008 14:49:46 +0000 (14:49 +0000)
committerGuenter Knauf <fuankg@apache.org>
Tue, 3 Jun 2008 14:49:46 +0000 (14:49 +0000)
Submitted by: Kaspar Brand <asfbugz velox.ch>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@662815 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

index 1c3b5f5c19987fff5989d50de689a1bd0f0f0b48..e938d0599fec9e1d0f1e485b5b878d203fd2d49a 100644 (file)
@@ -432,6 +432,11 @@ int ssl_hook_Access(request_rec *r)
      * currently active/remembered verify depth (because this means more
      * restriction on the certificate chain).
      */
+    if ((sc->server->auth.verify_depth != UNSET) &&
+        (dc->nVerifyDepth == UNSET)) {
+        /* apply per-vhost setting, if per-directory config is not set */
+        dc->nVerifyDepth = sc->server->auth.verify_depth;
+    }
     if (dc->nVerifyDepth != UNSET) {
         /* XXX: doesnt look like sslconn->verify_depth is actually used */
         if (!(n = sslconn->verify_depth)) {
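Review bot: The per-vhost fallback is stored into `dc->nVerifyDepth` itself rather than a local, so if `dc` is the shared per-directory config (its lookup is outside the hunk) the value persists after this request. A later request that reaches the same directory config under a different vhost would then find the field already set and skip its own `sc->server->auth.verify_depth`, and concurrent requests would race on the write. The same pattern is in the second hunk with `dc->nVerifyClient`, where a stale value decides whether a client certificate is required. Consider leaving `dc` untouched and computing the effective value locally, e.g. `depth = (dc->nVerifyDepth != UNSET) ? dc->nVerifyDepth : sc->server->auth.verify_depth;`, then testing `depth` instead of the field. ssl_hook_Access continues beyond both hunks, so any later reads of these fields would need the same treatment.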
@@ -461,6 +466,11 @@ int ssl_hook_Access(request_rec *r)
      * verification but at least skip the I/O-intensive renegotation
      * handshake.
      */
+    if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&
+        (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {
+        /* apply per-vhost setting, if per-directory config is not set */
+        dc->nVerifyClient = sc->server->auth.verify_mode;
+    }
     if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
         /* remember old state */
         verify_old = SSL_get_verify_mode(ssl);