Merge r1750779 from trunk:

modssl: reset client-verify state when renegotiation is aborted
Submitted by: icing
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1750808 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 4ba72a611dab0b37626397701e7c12f05da5d778..cc2f340582da608a26b60579adf57ec4d23c7f81 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.23
 
+  *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
+     [Erki Aring <erki@example.ee>, Stefan Eissing]
+
   *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]
 
   *) configure: Fix ./configure edge-case failures around dependencies

diff --git a/STATUS b/STATUS
index 84df88bffcccdd7aa8f66b5a1008df48455bc153..9dbf8cb2725ae574a217d9357923474ff99a47a5 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -116,11 +116,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: reset client-verify state of connection when renegotiation is
-     aborted.
-     trunk patch: http://svn.apache.org/r1750779
-     2.4.x: trunk patch works
-     +1: icing, jim, ylavic
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 4fa0b12889f965336441998b16d30420e11cdcb0..8b6149d8ec330de0c03df8884af1c66e19f168ee 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -727,6 +727,7 @@ int ssl_hook_Access(request_rec *r)
                      * on this connection.
                      */
                     apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
+                    SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
                     return HTTP_FORBIDDEN;
                 }
                 /* optimization */