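--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -568,6 +568,16 @@ int ssl_hook_Access(request_rec *r)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
 "Cannot find peer certificate chain");
 
+/* MSTERN: Always accept to establish SSL connection
+* if SSLVerifyClient="optional_no_ca"
+*/
+if ( dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA ) {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Missing certs will be trapped later");
+ssl_log_ssl_error(APLOG_MARK, APLOG_DEBUG, r->server);
+sslconn->verify_error = X509_verify_cert_error_string(X509_V_ERR_CERT_REJECTED);
+sslconn->verify_info = "GENEROUS";
+}
+else
 return HTTP_FORBIDDEN;
 }
 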
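Review bot: The new optional_no_ca branch lets the request continue past what was an unconditional HTTP_FORBIDDEN when no peer certificate chain is available, yet the only trace of that decision is an APLOG_DEBUG line plus a verify_error string of CERT_REJECTED; a bypass of an access-control return should be logged at a level that is on by default, e.g. `ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "optional_no_ca: no peer certificate chain, continuing");`, so operators can see when it fires. The message "Missing certs will be trapped later" names no later check, and nothing in this hunk enforces one; the comment above the `if` should cite the handler or directive that is expected to do so. The same ten lines are repeated verbatim in the next hunk (new lines 590-599); a `static` helper called from both sites would keep the two decisions from drifting. ssl_hook_Access's body begins and ends outside this hunk.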
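--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -577,6 +587,16 @@ int ssl_hook_Access(request_rec *r)
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
 "Cannot find certificate storage");
 
+/* MSTERN: Always accept to establish SSL connection
+* if SSLVerifyClient="optional_no_ca"
+*/
+if ( dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA ) {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Missing certs will be trapped later");
+ssl_log_ssl_error(APLOG_MARK, APLOG_DEBUG, r->server);
+sslconn->verify_error = X509_verify_cert_error_string(X509_V_ERR_CERT_REJECTED);
+sslconn->verify_info = "GENEROUS";
+}
+else
 return HTTP_FORBIDDEN;
 }
 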
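--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -1222,18 +1242,6 @@ int ssl_callback_SSLVerify(int ok, X509_
 return TRUE;
 }
 
-if (ssl_verify_error_is_optional(errnum) &&
-(verify == SSL_CVERIFY_OPTIONAL_NO_CA))
-{
-ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-"Certificate Verification: Verifiable Issuer is "
-"configured as optional, therefore we're accepting "
-"the certificate");
-
-sslconn->verify_info = "GENEROUS";
-ok = TRUE;
-}
-
 /*
 * Additionally perform CRL-based revocation checks
 */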
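Review bot: Removing the `ssl_verify_error_is_optional(errnum)` test deletes the only point in the callback where the class of verification error was examined before acceptance, and the replacement added in the "Lines 1282-1287" hunk (new lines 1301-1309) accepts on `!ok` alone. Since that override sits after the block the comment here introduces as "CRL-based revocation checks", failures the old code did not treat as optional — revocation and, as far as the surrounding comments suggest, chain-depth results — now appear to be accepted as well. If the intent is only to tolerate an unverifiable issuer, the later condition should keep the filter: `if (!ok && (verify == SSL_CVERIFY_OPTIONAL_NO_CA) && ssl_verify_error_is_optional(errnum))`. If the wider acceptance is deliberate, the MSTERN comment should say so explicitly and the acceptance log line should be raised above APLOG_DEBUG so the event is visible by default. ssl_callback_SSLVerify starts and ends outside this hunk.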
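--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -1251,11 +1259,16 @@ int ssl_callback_SSLVerify(int ok, X509_
 "Certificate Verification: Error (%d): %s",
 errnum, X509_verify_cert_error_string(errnum));
 
+/* MSTERN: Always accept to establish SSL connection
+* if SSLVerifyClient="optional_no_ca"
+*/
+if ( verify != SSL_CVERIFY_OPTIONAL_NO_CA ) {
 if (sslconn->client_cert) {
 X509_free(sslconn->client_cert);
 sslconn->client_cert = NULL;
 }
 sslconn->client_dn = NULL;
+}
 sslconn->verify_error = X509_verify_cert_error_string(errnum);
 }
 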
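Review bot: Under optional_no_ca the certificate that just failed verification is now kept in `sslconn->client_cert` and `client_dn`, with only `verify_error` recording the failure, so every later consumer of the client certificate (the SSL_CLIENT_* variables, FakeBasicAuth, SSLRequire expressions) will see identity data taken from an unverified certificate. The new `if ( verify != SSL_CVERIFY_OPTIONAL_NO_CA )` deserves a comment making that contract explicit, e.g. `/* optional_no_ca: the unverified cert is retained; consumers must check SSL_CLIENT_VERIFY before trusting it */`. The `verify_error` set here and the `verify_info = "GENEROUS"` set in the later hunk should also be kept as a consistent pair, since downstream code has only those two fields to tell the accepted-but-unverified case apart from a verified one. The enclosing function continues outside this hunk.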
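--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -1282,6 +1295,19 @@ int ssl_callback_SSLVerify(int ok, X509_
 ok = FALSE;
 }
 
+/* MSTERN: Always accept to establish SSL connection
+* if SSLVerifyClient="optional_no_ca"
+*/
+if ( !ok && (verify == SSL_CVERIFY_OPTIONAL_NO_CA) ) {
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+"SSL client authentication failed, "
+"accepting certificate based on "
+"\"SSLVerifyClient optional_no_ca\" configuration");
+
+sslconn->verify_info = "GENEROUS";
+ok = TRUE;
+}
+
 /*
 * And finally signal OpenSSL the (perhaps changed) state
 */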