From: Guenter Knauf Date: Tue, 3 Jun 2008 14:49:46 +0000 (+0000) Subject: Fix client verification problem with SNI and multicerts. X-Git-Tag: 2.3.0~551 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=556abbde28afa054354d836e5091e7de7521af74;p=thirdparty%2Fapache%2Fhttpd.git Fix client verification problem with SNI and multicerts. Submitted by: Kaspar Brand git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@662815 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 1c3b5f5c199..e938d0599fe 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -432,6 +432,11 @@ int ssl_hook_Access(request_rec *r)
 * currently active/remembered verify depth (because this means more
 * restriction on the certificate chain).
 */
+ if ((sc->server->auth.verify_depth != UNSET) &&
+ (dc->nVerifyDepth == UNSET)) {
+ /* apply per-vhost setting, if per-directory config is not set */
+ dc->nVerifyDepth = sc->server->auth.verify_depth;
+ }
 if (dc->nVerifyDepth != UNSET) {
 /* XXX: doesnt look like sslconn->verify_depth is actually used */
 if (!(n = sslconn->verify_depth)) {
@@ -461,6 +466,11 @@ int ssl_hook_Access(request_rec *r)
 * verification but at least skip the I/O-intensive renegotation
 * handshake.
 */
+ if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&
+ (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {
+ /* apply per-vhost setting, if per-directory config is not set */
+ dc->nVerifyClient = sc->server->auth.verify_mode;
+ }
 if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
 /* remember old state */
 verify_old = SSL_get_verify_mode(ssl);
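Review bot: Writing the per-vhost fallback into `dc` (`dc->nVerifyDepth = ...` in the first hunk, `dc->nVerifyClient = ...` in the second) modifies a configuration record from inside a per-request access hook, where a read-only fallback would do. If `dc` is a per-directory config object shared between requests, which these hunks do not show, the stored value outlives the request, is written without synchronisation, and afterwards looks the same as an explicitly configured directive. Consider resolving the effective value into a local instead, e.g. `int depth = (dc->nVerifyDepth != UNSET) ? dc->nVerifyDepth : sc->server->auth.verify_depth;`, and testing `depth != UNSET` in the following `if`; the same shape applies to the verify mode. The body of ssl_hook_Access continues outside both hunks, so later reads of `dc->nVerifyDepth` and `dc->nVerifyClient` would need to use the locals as well.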