From: Rainer Jung Date: Wed, 10 Aug 2016 20:10:51 +0000 (+0000) Subject: Support OpenSSL 1.1.0: X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=062e3cf93b41ad1e2dd60d1c38941f4055c97abf;p=thirdparty%2Fapache%2Fhttpd.git Support OpenSSL 1.1.0: - Fix renegotiation for the client side of a proxy connection. Backport of r1730146 from trunk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755835 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 3bfd98224b0..a0c735f5286 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2141,7 +2141,9 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
 #else
- if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_REJECT) {
+ if (!scr->is_proxy &&
+ (where & SSL_CB_HANDSHAKE_START) &&
+ scr->reneg_state == RENEG_REJECT) {
 #endif
 scr->reneg_state = RENEG_ABORT;
 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
@@ -2151,13 +2153,18 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
 #endif
 }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- else if ((where & SSL_CB_HANDSHAKE_START) && scr->reneg_state == RENEG_ALLOW) {
+ else if (!scr->is_proxy &&
+ (where & SSL_CB_HANDSHAKE_START) &&
+ scr->reneg_state == RENEG_ALLOW) {
 scr->reneg_state = RENEG_STARTED;
 }
- else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_STARTED) {
+ else if (!scr->is_proxy &&
+ (where & SSL_CB_HANDSHAKE_DONE) &&
+ scr->reneg_state == RENEG_STARTED) {
 scr->reneg_state = RENEG_DONE;
 }
- else if ((where & SSL_CB_ALERT) &&
+ else if (!scr->is_proxy &&
+ (where & SSL_CB_ALERT) &&
 (scr->reneg_state == RENEG_ALLOW || scr->reneg_state == RENEG_STARTED)) {
 scr->reneg_state = RENEG_ALERT;
 }
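Review bot: The `!scr->is_proxy` test added in the `#else` branch carries no comment saying why proxy connections are exempt from the renegotiation rejection, and the three guards added in the next hunk are equally unexplained. A comment above the condition such as `/* On proxy connections httpd is the TLS client, so a handshake start there is not a client-initiated renegotiation to reject. */` would keep the reasoning from the commit message next to the code. The pre-1.1.0 branch gets no matching test; it presumably relies on `SSL3_ST_SR_CLNT_HELLO_A` and `SSL23_ST_SR_CLNT_HELLO_A` only being reached when httpd is the server, which is worth stating in the same comment. The enclosing `if` and the rest of `ssl_callback_Info` lie outside the hunk.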
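Review bot: The condition `!scr->is_proxy &&` is written out separately in each of the three `else if` branches of this chain, so a branch added later can omit it and start changing `scr->reneg_state` on a backend connection. If the chain ends at the last `}` shown here, the three branches could sit under a single `else if (!scr->is_proxy) {` wrapper so the exemption is tested in one place. The head of the chain and whatever follows it are outside the hunk, so any further `else if` that writes `scr->reneg_state` should be checked for the same guard before restructuring.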