From eb8bacbb7e7d12c8fda08cd9eccfb670093c04cb Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Tue, 9 Oct 2018 23:26:35 +0000 Subject: [PATCH] Merge r1842540 from trunk: * Pickup the proxy related configuration for verify mode and verify depth and not the configuration settings for frontend connections in case of connections by the proxy to the backend. PR: 62769 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843370 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ STATUS | 9 --------- modules/ssl/ssl_engine_kernel.c | 25 ++++++++++++++++++------- 3 files changed, 22 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 96434120a48..fc5c1883cfe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.36 + *) mod_ssl: Fix a regression that the configuration settings for verify mode + and verify depth were taken from the frontend connection in case of + connections by the proxy to the backend. PR 62769. [Ruediger Pluem] + *) MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and before signals handling to avoid lifetime issues on restart or shutdown. PR 62658. [Yann Ylavic] diff --git a/STATUS b/STATUS index 36b87ce5836..3d8ca3373b3 100644 --- a/STATUS +++ b/STATUS @@ -136,15 +136,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: (requires r1738415 and r1826930 above to resolve conflict) +1: minfrin, jim, ylavic - *) mod_ssl: Fix a regression that the configuration settings for verify mode - and verify depth were taken from the frontend connection in case of - connections by the proxy to the backend. PR 62769. - trunk patch: http://svn.apache.org/r1842540 - 2.4.x: trunk works (modulo CHANGES) - svn merge -c r1842540 ^/httpd/httpd/trunk . - +1: ylavic, icing (by inspection), covener - - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] 
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index d576a298ec7..6cd0da527f4 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1740,7 +1740,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /* Get verify ingredients */
     int errnum = X509_STORE_CTX_get_error(ctx);
     int errdepth = X509_STORE_CTX_get_error_depth(ctx);
-    int depth, verify;
+    int depth = UNSET;
+    int verify = SSL_CVERIFY_UNSET;
 
     /*
      * Log verification information
@@ -1756,10 +1757,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Check for optionally acceptable non-verifiable issuer situation
      */
-    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
-        verify = dc->nVerifyClient;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            verify = dc->proxy->auth.verify_mode;
+        }
+        else {
+            verify = dc->nVerifyClient;
+        }
     }
-    else {
+    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
         verify = mctx->auth.verify_mode;
     }
 
@@ -1863,10 +1869,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Finally check the depth of the certificate verification
      */
-    if (dc && (dc->nVerifyDepth != UNSET)) {
-        depth = dc->nVerifyDepth;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            depth = dc->proxy->auth.verify_depth;
+        }
+        else {
+            depth = dc->nVerifyDepth;
+        }
     }
-    else {
+    if (!dc || (depth == UNSET)) {
         depth = mctx->auth.verify_depth;
     }
 
-- 
2.47.3
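Review bot: The `!dc ||` clause in `if (!dc || (verify == SSL_CVERIFY_UNSET))` is redundant now that the first hunk initialises `verify` to `SSL_CVERIFY_UNSET`: when `dc` is NULL the assignment block is skipped and `verify` still holds the sentinel, so `if (verify == SSL_CVERIFY_UNSET)` alone selects the context fallback, and the same holds for `if (!dc || (depth == UNSET))` in the verify-depth hunk. The assign-then-fall-back shape is fine, but a short comment above each fallback such as `/* per-dir value wins; UNSET falls back to the (proxy or server) context config */` would state the precedence more plainly than the paired conditionals do. The new `dc->proxy->auth.verify_mode` and `dc->proxy->auth.verify_depth` reads presumably rely on every per-directory config carrying a proxy sub-config; if that is not guaranteed by the per-dir create/merge code, the `is_proxy` branch would dereference NULL, so that invariant is worth confirming. ssl_callback_SSLVerify starts before the first hunk and ends after the last one.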