From: Rainer Jung
Date: Tue, 9 Feb 2016 23:18:20 +0000 (+0000)
Subject: OpenSSl 1.1.0 support
X-Git-Tag: 2.5.0-alpha~2156
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d55a0052d74ceedd2c2816eba3e75669b7e0395;p=thirdparty%2Fapache%2Fhttpd.git

OpenSSl 1.1.0 support - improve renegotiation loop. Should now also work in case only the cipher changes. Should now also work in case the handshake ends with an error.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729498 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 855bed2d46d..31dcb27e204 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1038,16 +1038,9 @@ int ssl_hook_Access(request_rec *r)
 * See: http://marc.info/?t=145493359200002&r=1&w=2
 */
 /* XXX: Polling is bad, alternatives? */
- /* XXX: What about renegotiations which do not need to
- * send client certs, e.g. if only the cipher needs
- * to switch? We need a better success criterion here
- * or the loop will poll until SSL_HANDSHAKE_MAX_POLLS
- * is reached.
- */
 for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
 has_buffered_data(r);
- cert = SSL_get_peer_certificate(ssl);
- if (cert != NULL) {
+ if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
 break;
 }
 apr_sleep(SSL_HANDSHAKE_POLL_MS);
@@ -1055,10 +1048,11 @@ int ssl_hook_Access(request_rec *r)
 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
 "Renegotiation loop %d iterations, "
 "in_init=%d, init_finished=%d, "
- "state=%s, peer_certs=%s",
+ "state=%s, sslconn->ssl=%s, peer_certs=%s",
 i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
 SSL_state_string_long(ssl),
- cert != NULL ? "yes" : "no");
+ sslconn->ssl != NULL ? "yes" : "no",
+ SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
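Review bot: The new break condition `sslconn->ssl == NULL` leaves the local `ssl` pointing at an object this connection no longer owns, yet the trace log in the following hunk still passes it to `SSL_in_init(ssl)`, `SSL_is_init_finished(ssl)`, `SSL_state_string_long(ssl)` and `SSL_get_peer_certificate(ssl)`; if whatever clears `sslconn->ssl` also frees the SSL object (which I believe the filter shutdown path does), that is a use-after-free on exactly the error path this commit sets out to handle. Guard the log, e.g. `if (sslconn->ssl == NULL) { /* handshake failed, connection already torn down */ } else { ap_log_rerror(...); }`, or re-read `ssl = sslconn->ssl` and return before touching it. Separately, `SSL_is_init_finished()` also reports true for the already-established session before the renegotiation has been kicked off, so unless `has_buffered_data()` is guaranteed to start the handshake the loop can exit on its first pass without renegotiating; the removed XXX comment was pointing at this, so a one-line comment stating why the criterion is now sufficient would help the next reader. The `SSL_get_peer_certificate()` call in the log also returns a new reference that is never released with `X509_free()`, leaking one X509 reference per TRACE2 log line. ssl_hook_Access starts before this hunk and continues past it.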