* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
authorJoe Orton <jorton@apache.org>
Tue, 19 Mar 2019 17:26:38 +0000 (17:26 +0000)
committerJoe Orton <jorton@apache.org>
Tue, 19 Mar 2019 17:26:38 +0000 (17:26 +0000)
  restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1855849 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index 7bd6a34c03ddacc38962c265e3427188acedc82d..7553b451712b0fa35bbb1e7ffc36ace7e40839f0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
+     [Michael Kaufmann <mail michael-kaufmann.ch>]
+
   *) mod_md: Explicitly setting file permissions to break out of umasks. We want our
      non-privilegded apache user to be able to read them. See github issue
      <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] 
index ba045f95f5b8d2898da3923b5a83bef9005f1f56..488e6abf3575b65eca6d9865846540252741aa1c 100644 (file)
@@ -1155,6 +1155,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
                 apr_table_setn(r->notes, "error-notes",
                                "Reason: Cannot perform Post-Handshake Authentication.<br />");
+                SSL_set_verify(ssl, vmode_inplace, NULL);
                 return HTTP_FORBIDDEN;
             }
             
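Review bot: The added restore resets only the verify mode, not the verify callback: OpenSSL's SSL_set_verify() leaves the previously installed callback in place when it is passed NULL, so whatever callback was set for the SSL_verify_client_post_handshake() attempt stays active on the connection after this HTTP_FORBIDDEN return. That is likely acceptable, but the only saved state is `vmode_inplace`; if the pre-PHA callback can differ from the one installed for PHA (not visible here), the callback pointer should be captured and restored along with the mode. The intent deserves a comment on the new line, e.g. `/* PHA failed: undo the per-request verify mode so later requests on this connection are unaffected; NULL keeps the current callback */`. ssl_hook_Access_modern, and the point where vmode_inplace is captured, lie outside this hunk.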
@@ -1176,6 +1177,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
              * Finally check for acceptable renegotiation results
              */
             if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+                SSL_set_verify(ssl, vmode_inplace, NULL);
                 return rc;
             }
         }
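Review bot: The same `SSL_set_verify(ssl, vmode_inplace, NULL);` now precedes two separate early returns in this branch (here and on the PHA-failure path in the earlier hunk), so any error return added between them later would silently skip the restore and leave the stricter verify mode on the connection for subsequent requests. A single exit path is more robust: have the failing checks `goto restore_vmode;`, set `rc = HTTP_FORBIDDEN` in the PHA-failure case, and place `restore_vmode: SSL_set_verify(ssl, vmode_inplace, NULL); return rc;` once at the end of the block. Whether the success path after ssl_check_post_client_verify() also restores the mode cannot be seen from this hunk; ssl_hook_Access_modern continues past it.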