From: Joe Orton
Date: Wed, 12 Sep 2018 11:52:21 +0000 (+0000)
Subject: Merge r1840585 from trunk:
X-Git-Tag: 2.4.36~37^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b8c8a066fddffc7f4b7cd0f5d385b6a38cd32c9;p=thirdparty%2Fapache%2Fhttpd.git

Merge r1840585 from trunk:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with 403 if SSL_verify_client_post_handshake() fails, e.g. when the TLS/1.3 client didn't send the Post-Handshake Authentication extension.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840664 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 1a74e1efb5b..8be437c81d0 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1219,8 +1219,16 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
                       "verify client post handshake");
         SSL_set_verify(ssl, vmode_needed, ssl_callback_SSLVerify);
-        SSL_verify_client_post_handshake(ssl);
+        if (SSL_verify_client_post_handshake(ssl) != 1) {
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10158)
+                          "cannot perform post-handshake authentication");
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+            apr_table_setn(r->notes, "error-notes",
+                           "Reason: Cannot perform Post-Handshake Authentication.
");
+            return HTTP_FORBIDDEN;
+        }
+
         old_state = sslconn->reneg_state;
         sslconn->reneg_state = RENEG_ALLOW;
         modssl_set_app_data2(ssl, r);
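Review bot: The failure branch added after `SSL_set_verify()` logs at APLOG_ERR and dumps the OpenSSL error stack for a condition the client controls: a TLS 1.3 client that did not offer the post_handshake_auth extension presumably lands here on every request to a location that requires a client certificate, so the error log fills with entries that indicate no server-side fault. Consider APLOG_INFO for both calls, e.g. `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(10158)` and `ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, r->server);`, keeping the 403 and the error-notes text unchanged so the client still gets a clear reason. The context line above still carries an unnumbered `APLOGNO()` at APLOG_ERR for the normal "verify client post handshake" path; it predates this hunk, but the same reasoning would give it a number and a lower level. ssl_hook_Access_modern begins and ends outside the hunk.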