From: Joe Orton Date: Wed, 20 Mar 2019 15:45:16 +0000 (+0000) Subject: Merge r1855849 from trunk: X-Git-Tag: 2.4.39~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3bbbaeba6929b54d8c29eda4d231fd4ed1cba860;p=thirdparty%2Fapache%2Fhttpd.git Merge r1855849 from trunk: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly restore SSL verify state after PHA failure in TLSv1.3. Submitted by: Michael Kaufmann Reviewed by: jorton, covener, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855917 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6b03eadfa07..6f20d688ece 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.39 + *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. + [Michael Kaufmann ] + *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host PR 55348 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index c8325c3ed00..41c4015cbf7 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1155,6 +1155,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); apr_table_setn(r->notes, "error-notes", "Reason: Cannot perform Post-Handshake Authentication.
"); + SSL_set_verify(ssl, vmode_inplace, NULL); return HTTP_FORBIDDEN; } @@ -1176,6 +1177,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon * Finally check for acceptable renegotiation results */ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) { + SSL_set_verify(ssl, vmode_inplace, NULL); return rc; } }
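Review bot: The restore `SSL_set_verify(ssl, vmode_inplace, NULL);` is repeated by hand in both error branches (after the failed Post-Handshake Authentication and after `ssl_check_post_client_verify()` returns non-OK), so an early return added later between the verify-mode change and these exits would again leave the SSL object in the temporary mode. Neither call says why it is there; a comment on each such as `/* PHA failed: restore the connection's previous verify mode so later requests are not evaluated under this request's mode */` would make the invariant visible, assuming the SSL object is reused for later requests on the connection, which the hunks do not show. It is also worth noting in that comment that OpenSSL leaves the installed verify callback unchanged when the callback argument is NULL, so only the mode is reset here. The body of ssl_hook_Access_modern starts and ends outside both hunks, so whether other exits need the same restore cannot be confirmed from this view.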