From: Joe Orton Date: Tue, 19 Mar 2019 17:26:38 +0000 (+0000) Subject: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly X-Git-Tag: 2.5.0-alpha2-ci-test-only~2091 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67ef6b94174b89708574a5c66f95a864f227dd03;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly restore SSL verify state after PHA failure in TLSv1.3. Submitted by: Michael Kaufmann git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1855849 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 7bd6a34c03d..7553b451712 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. + [Michael Kaufmann ] + *) mod_md: Explicitly setting file permissions to break out of umasks. We want our non-privilegded apache user to be able to read them. See github issue . [Stefan Eissing] diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index ba045f95f5b..488e6abf357 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1155,6 +1155,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); apr_table_setn(r->notes, "error-notes", "Reason: Cannot perform Post-Handshake Authentication.
"); + SSL_set_verify(ssl, vmode_inplace, NULL); return HTTP_FORBIDDEN; } @@ -1176,6 +1177,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon * Finally check for acceptable renegotiation results */ if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) { + SSL_set_verify(ssl, vmode_inplace, NULL); return rc; } }
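Review bot: Both added `SSL_set_verify(ssl, vmode_inplace, NULL);` calls (before `return HTTP_FORBIDDEN;` in the first ssl_engine_kernel.c hunk and before `return rc;` in the second) carry no comment, although the restore looks like part of the access decision rather than tidy-up. If the raised verify mode stayed on the SSL object after a failed Post-Handshake Authentication, a later request on the same connection would presumably find the required mode already in place and might not be asked for a client certificate again; that reading depends on code outside the hunks and should be confirmed. I would add above each call `/* PHA failed: put back the previous verify mode so a later request on this connection is re-checked; NULL leaves the verify callback unchanged */`. The same restore is needed on every failure return after the mode is raised, so any exits between the two hunks (not visible here) are worth checking, or the restore could be routed through one shared exit path. The body of ssl_hook_Access_modern starts and ends outside both hunks.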