From: Joe Orton Date: Wed, 12 Sep 2018 15:54:59 +0000 (+0000) Subject: Merge r1840710 from trunk: X-Git-Tag: 2.4.36~37^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4658737147cc968e330c22d51f829075307e5d45;p=thirdparty%2Fapache%2Fhttpd.git Merge r1840710 from trunk: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes post-handshake authentication. (ssl_init_proxy_certs): Fix proxy client cert support with TLSv1.3, which is now crippled by default. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840711 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 85d43376b2a..b7b2be796c2 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -761,6 +761,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); #endif +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL + /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible + * to consume handshake records without blocking for app-data. + * https://github.com/openssl/openssl/issues/7178 */ + SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); +#endif + return APR_SUCCESS; } @@ -1485,6 +1492,13 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, X509_STORE_CTX *sctx; X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL + /* For OpenSSL >=1.1.1, turn on client cert support which is + * otherwise turned off by default (by design). + * https://github.com/openssl/openssl/issues/6933 */ + SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1); +#endif + SSL_CTX_set_client_cert_cb(mctx->ssl_ctx, ssl_callback_proxy_cert);