From: Joe Orton
Date: Tue, 11 Sep 2018 16:01:47 +0000 (+0000)
Subject: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2344
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50f39b07dce3de7b4f9712a4e4d3a19bb59c9356;p=thirdparty%2Fapache%2Fhttpd.git

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1840585 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 0d02a5ca060..9c11cc094f3 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10158
+10159
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 2b0bc75a22b..ddf2a7b6075 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1219,8 +1219,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10129)
                       "verify client post handshake");
         SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
-        SSL_verify_client_post_handshake(ssl);
+        if (SSL_verify_client_post_handshake(ssl) != 1) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
+                          "cannot perform post-handshake authentication");
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+            apr_table_setn(r->notes, "error-notes",
+                           "Reason: Cannot perform Post-Handshake Authentication.
");
+            return HTTP_FORBIDDEN;
+        }
+
         old_state = sslconn->reneg_state;
         sslconn->reneg_state = RENEG_ALLOW;
         modssl_set_app_data2(ssl, r);
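Review bot: The new `SSL_verify_client_post_handshake(ssl) != 1` branch is the right fail-closed outcome, but nothing in the hunk records why the call can fail, and the commit message says the common cause is a TLS 1.3 client that simply did not advertise post_handshake_auth, so the `APLOG_ERR` entry under APLOGNO(10158) will be written once per denied request by any such client rather than only on a server-side fault; consider whether `APLOG_INFO` or `APLOG_WARNING` fits that case better, leaving the `ssl_log_ssl_error()` call to carry the OpenSSL detail. A short comment above the check would help the next maintainer, e.g. `/* PHA cannot be initiated (client did not offer post_handshake_auth, or the library refused); deny rather than serve the request without the certificate-based check */`. Note also that `SSL_set_verify()` has already been applied to the connection when this branch returns; whether that altered verify mode matters for later requests on the same connection is not visible in the hunk and is worth confirming. The enclosing function ssl_hook_Access_modern begins before and continues after the hunk.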