OpenSSl 1.1.0 support
authorRainer Jung <rjung@apache.org>
Wed, 10 Aug 2016 20:00:26 +0000 (20:00 +0000)
committerRainer Jung <rjung@apache.org>
Wed, 10 Aug 2016 20:00:26 +0000 (20:00 +0000)
- improve renegotiation loop.
  Should now also work in case only the
  cipher changes.
  Should now also work in case the handshake
  ends with an error.

Backport of r1729498 from trunk.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755824 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

index 442ad377a0b177770fa26e42a061689a5eda9941..ef5f77740b9207fe9d9a37562e03a01f7278dec6 100644 (file)
@@ -1039,16 +1039,9 @@ int ssl_hook_Access(request_rec *r)
              * See: http://marc.info/?t=145493359200002&r=1&w=2
              */
             /* XXX: Polling is bad, alternatives? */
-            /* XXX: What about renegotiations which do not need to
-             *      send client certs, e.g. if only the cipher needs
-             *      to switch? We need a better success criterion here
-             *      or the loop will poll until SSL_HANDSHAKE_MAX_POLLS
-             *      is reached.
-             */
             for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
                 has_buffered_data(r);
-                cert = SSL_get_peer_certificate(ssl);
-                if (cert != NULL) {
+                if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
                     break;
                 }
                 apr_sleep(SSL_HANDSHAKE_POLL_MS);
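Review bot: The new exit condition on the `if (sslconn->ssl == NULL || SSL_is_init_finished(ssl))` line lets the loop end in three distinct ways — handshake finished, `sslconn->ssl` cleared, or `i == SSL_HANDSHAKE_MAX_POLLS` with the renegotiation still pending — but nothing records which one happened, so the code after the loop has to re-derive it, and only the first of the three means the client was actually re-verified. The local `ssl` keeps pointing at the object after `sslconn->ssl` has been cleared (what clears it, presumably the I/O layer on a handshake error, is outside the hunk), so any later dereference such as the `SSL_in_init(ssl)` / `SSL_is_init_finished(ssl)` calls in the trace logging of the next hunk should be guarded by `sslconn->ssl != NULL` first if clearing the pointer can coincide with freeing the object. I would add above the `for` line: `/* Stop when the handshake completed or the SSL object was torn down; running out of polls is a timeout, and both non-success outcomes must be treated as a failed renegotiation by the checks below. */` and make sure the access hook denies the request on the timeout and NULL paths rather than falling through to the certificate checks. The return value of `has_buffered_data(r)` is discarded here; if it only drives reads that is fine, but a one-line comment saying so would help. ssl_hook_Access starts and ends outside the hunk.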
@@ -1056,10 +1049,11 @@ int ssl_hook_Access(request_rec *r)
             ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
                           "Renegotiation loop %d iterations, "
                           "in_init=%d, init_finished=%d, "
-                          "state=%s, peer_certs=%s",
+                          "state=%s, sslconn->ssl=%s, peer_certs=%s",
                           i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
                           SSL_state_string_long(ssl),
-                          cert != NULL ? "yes" : "no");
+                          sslconn->ssl != NULL ? "yes" : "no",
+                          SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
 
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */