*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
authorStefan Eissing <icing@apache.org>
Tue, 11 Feb 2020 10:13:24 +0000 (10:13 +0000)
committerStefan Eissing <icing@apache.org>
Tue, 11 Feb 2020 10:13:24 +0000 (10:13 +0000)
     issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1873888 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index ef8c44db3f181db30632fc6872b0b59f51090d0f..30f253eae199db35b5a2c285cecd8ed4ae3e07ee 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
+     issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
+     [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
+
   *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a 
      SameSite attribute. [Eric Covener]
 
index 408ffd902020e31e411d7bd3ed8f5c36e8483163..a27168c5658bfb9fb69b90d24a3f02972c68bd23 100644 (file)
@@ -2403,6 +2403,7 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return APR_EGENERAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
             else {
                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
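Review bot: The added `SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);` turns off client-certificate verification for this connection, and nothing next to it says why that is safe. It is safe only if a connection that took the challenge branch can never go on to serve ordinary requests for a vhost that requires client certificates. That guarantee is not visible here, since init_vhost starts and ends outside the hunk, so I would state it at the call, e.g. `/* ACME challenge handshake only: the validator presents no client cert, and this connection must not serve regular requests */`. The same comment belongs on the identical line added in ssl_callback_alpn_select.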
@@ -2783,6 +2784,7 @@ int ssl_callback_alpn_select(SSL *ssl,
                 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
                     return SSL_TLSEXT_ERR_ALERT_FATAL;
                 }
+                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
             }
         }
     }
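Review bot: This is the second copy of the verify downgrade, placed after the same `set_challenge_creds(...)` check as in init_vhost, so the two call sites can drift apart. Since set_challenge_creds already receives `ssl`, the `SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);` call could move into that helper; its body is not shown here, so confirm that no other caller needs verification kept. A trace-level message there, something like `ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, "client verification disabled for ACME challenge on %s", servername);`, would also make the downgrade visible when auditing a handshake. ssl_callback_alpn_select continues outside the hunk.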