From 86041647f8a6228f9fc55ce09ceaf1ceaa7fd13d Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Fri, 21 Feb 2020 00:10:01 +0000
Subject: [PATCH] Merge r1873888 from trunk: *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github issue mod_md#172 (https://github.com/icing/mod_md/issues/172). [Michael Kaufmann , Stefan Eissing] Submitted by: icing Reviewed by: icing, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874283 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 modules/ssl/ssl_engine_kernel.c | 2 ++
 2 files changed, 6 insertions(+)
diff --git a/CHANGES b/CHANGES
index a8cf17250f0..a1a5b2dfec9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.42 + *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github + issue mod_md#172 (https://github.com/icing/mod_md/issues/172). + [Michael Kaufmann , Stefan Eissing] + *) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+. [Graham Leggett]
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 4a9474318ea..6580385e1a1 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2362,6 +2362,7 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
 return APR_EGENERAL;
 }
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
 }
 else {
 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
@@ -2742,6 +2743,7 @@ int ssl_callback_alpn_select(SSL *ssl,
 if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
 return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
 }
 }
 }
-- 
2.47.3
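Review bot: The added `SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);` in init_vhost switches off client-certificate verification for the handshake with no comment saying why or how narrowly it applies, and the same bare line is added in ssl_callback_alpn_select. Since this is a deliberate exemption from the verify mode otherwise in effect, I would put a comment above it in both places, e.g. `/* ACME ALPN challenge: the validating server presents no client cert, so drop client verification for this handshake only */`. The condition that selects this branch lies outside the hunk, so it is worth confirming that it is reached only when challenge credentials for `servername` were actually found; otherwise the relaxation would reach further than the CHANGES entry describes.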
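Review bot: The pair `set_challenge_creds(...)` followed by `SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);` now appears verbatim in ssl_callback_alpn_select and in init_vhost, so a later challenge path that calls set_challenge_creds() alone would keep client verification on, which is the failure this commit fixes. Moving the SSL_set_verify call onto the success path of set_challenge_creds() would tie the exemption to the challenge certificate being installed and keep the two callbacks from drifting apart. set_challenge_creds() is defined outside the hunk, so this assumes it has no other caller that needs verification left enabled.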