From: Rainer Jung
Date: Wed, 10 Aug 2016 20:00:26 +0000 (+0000)
Subject: OpenSSl 1.1.0 support
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdebca817ed8e4d2ac2159873efd7d5de8d4b813;p=thirdparty%2Fapache%2Fhttpd.git

OpenSSl 1.1.0 support - improve renegotiation loop. Should now also work in case only the cipher changes. Should now also work in case the handshake ends with an error. Backport of r1729498 from trunk.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat@1755824 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 442ad377a0b..ef5f77740b9 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1039,16 +1039,9 @@ int ssl_hook_Access(request_rec *r)
 * See: http://marc.info/?t=145493359200002&r=1&w=2
 */
 /* XXX: Polling is bad, alternatives? */
- /* XXX: What about renegotiations which do not need to
- * send client certs, e.g. if only the cipher needs
- * to switch? We need a better success criterion here
- * or the loop will poll until SSL_HANDSHAKE_MAX_POLLS
- * is reached.
- */
 for (i = 0; i < SSL_HANDSHAKE_MAX_POLLS; i++) {
 has_buffered_data(r);
- cert = SSL_get_peer_certificate(ssl);
- if (cert != NULL) {
+ if (sslconn->ssl == NULL || SSL_is_init_finished(ssl)) {
 break;
 }
 apr_sleep(SSL_HANDSHAKE_POLL_MS);
@@ -1056,10 +1049,11 @@ int ssl_hook_Access(request_rec *r)
 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
 "Renegotiation loop %d iterations, "
 "in_init=%d, init_finished=%d, "
- "state=%s, peer_certs=%s",
+ "state=%s, sslconn->ssl=%s, peer_certs=%s",
 i, SSL_in_init(ssl), SSL_is_init_finished(ssl),
 SSL_state_string_long(ssl),
- cert != NULL ? "yes" : "no");
+ sslconn->ssl != NULL ? "yes" : "no",
+ SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
 #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
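Review bot: The new break condition in the polling loop leaves on `sslconn->ssl == NULL`, but the code after the loop keeps using the local `ssl` copy: the trace log in the second hunk still passes it to SSL_in_init(), SSL_is_init_finished(), SSL_state_string_long() and SSL_get_peer_certificate(). If `sslconn->ssl` is cleared because a failed handshake tore the SSL object down (presumably the case this commit wants to handle), that local pointer is dangling by the time the log line runs. I would test the cleared pointer immediately after the loop and fail the request before `ssl` is touched again, e.g. `if (sslconn->ssl == NULL) { return HTTP_FORBIDDEN; }`, or at minimum guard the trace log on it. The hunk also drops the only visible assignment to `cert`, so any later use of `cert` in this function must now fetch the peer certificate itself — worth confirming, since ssl_hook_Access starts before this hunk and continues past the second one.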