
(-)orig\ssl_engine_io.c (-13 / +19 lines)
Lines 1108-1133 static int ssl_io_filter_connect(ssl_fil Link Here
1108
     */
1108
     */
1109
    verify_result = SSL_get_verify_result(filter_ctx->pssl);
1109
    verify_result = SSL_get_verify_result(filter_ctx->pssl);
1110
1110
1111
    if ((verify_result != X509_V_OK) ||
1111
    if ( (verify_result != X509_V_OK) || sslconn->verify_error ) {
1112
        sslconn->verify_error)
1112
        /* MSTERN: Always accept to establish SSL connection
1113
    {
1113
		   if SSLVerifyClient="optional_no_ca"
1114
        if (ssl_verify_error_is_optional(verify_result) &&
1115
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
1116
        {
1117
            /* leaving this log message as an error for the moment,
1118
             * according to the mod_ssl docs:
1119
             * "level optional_no_ca is actually against the idea
1120
             *  of authentication (but can be used to establish
1121
             * SSL test pages, etc.)"
1122
             * optional_no_ca doesn't appear to work as advertised
1123
             * in 1.x
1124
             */
1114
             */
1115
        if ( sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA ) {
1125
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1116
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1126
                          "SSL client authentication failed, "
1117
                          "SSL client authentication failed, "
1127
                          "accepting certificate based on "
1118
                          "accepting certificate based on "
1128
                          "\"SSLVerifyClient optional_no_ca\" "
1119
                          "\"SSLVerifyClient optional_no_ca\" "
1129
                          "configuration");
1120
                          "configuration");
1130
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
1121
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
1122
			sslconn->verify_info = "GENEROUS";
1123
			return APR_SUCCESS;
1131
        }
1124
        }
1132
        else {
1125
        else {
1133
            const char *error = sslconn->verify_error ?
1126
            const char *error = sslconn->verify_error ?
Lines 1161-1166 static int ssl_io_filter_connect(ssl_fil Link Here
1161
    if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
1154
    if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
1162
        !sslconn->client_cert)
1155
        !sslconn->client_cert)
1163
    {
1156
    {
1157
        /* MSTERN: Always accept to establish SSL connection
1158
		   if SSLVerifyClient="optional_no_ca"
1159
		*/
1160
        if ( sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA ) {
1161
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1162
                          "SSL client authentication failed, "
1163
                          "accepting certificate based on "
1164
                          "\"SSLVerifyClient optional_no_ca\" configuration");
1165
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
1166
			sslconn->verify_info = "GENEROUS";
1167
			return APR_SUCCESS;
1168
        }
1169
1164
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1170
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1165
                      "No acceptable peer certificate available");
1171
                      "No acceptable peer certificate available");
1166
1172
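Review bot: In the second hunk (Lines 1161-1166) the new `if ( sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA )` block is nested inside the existing `if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) && !sslconn->client_cert)` test, so verify_mode is already SSL_CVERIFY_REQUIRE there and the added branch can never execute; either drop the block or, if the intent is to tolerate a missing certificate under optional_no_ca, change the outer condition and say so in the comment. In the first hunk the early `return APR_SUCCESS` replaces the old `ssl_verify_error_is_optional(verify_result)` gate, so under optional_no_ca any verification failure (expired, revoked, bad signature, not just an unknown issuer) now passes, which is wider than the directive's documented meaning; the MSTERN comment should state that explicitly, e.g. `/* optional_no_ca: accept regardless of the verification error class; callers must check verify_info == "GENEROUS" */`. The new comment and the `sslconn->verify_info`/`return` lines use tab indentation while the surrounding code uses spaces. ssl_io_filter_connect continues outside both hunks.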
(-)orig\ssl_engine_kernel.c (-12 / +38 lines)
Lines 568-573 int ssl_hook_Access(request_rec *r) Link Here
568
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
568
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
569
                             "Cannot find peer certificate chain");
569
                             "Cannot find peer certificate chain");
570
570
571
                /* MSTERN: Always accept to establish SSL connection
572
                 *         if SSLVerifyClient="optional_no_ca"
573
                 */
574
                   if ( dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA ) {
575
                       ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Missing certs will be trapped later");
576
                       ssl_log_ssl_error(APLOG_MARK, APLOG_DEBUG, r->server);
577
                       sslconn->verify_error = X509_verify_cert_error_string(X509_V_ERR_CERT_REJECTED);
578
                       sslconn->verify_info = "GENEROUS";
579
                       }
580
                    else
571
                return HTTP_FORBIDDEN;
581
                return HTTP_FORBIDDEN;
572
            }
582
            }
573
583
Lines 577-582 int ssl_hook_Access(request_rec *r) Link Here
577
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
587
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
578
                             "Cannot find certificate storage");
588
                             "Cannot find certificate storage");
579
589
590
                /* MSTERN: Always accept to establish SSL connection
591
                 *         if SSLVerifyClient="optional_no_ca"
592
                 */
593
                       if ( dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA ) {
594
                           ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Missing certs will be trapped later");
595
                           ssl_log_ssl_error(APLOG_MARK, APLOG_DEBUG, r->server);
596
                           sslconn->verify_error = X509_verify_cert_error_string(X509_V_ERR_CERT_REJECTED);
597
                           sslconn->verify_info = "GENEROUS";
598
                       }
599
                       else
580
                return HTTP_FORBIDDEN;
600
                return HTTP_FORBIDDEN;
581
            }
601
            }
582
602
Lines 1222-1239 int ssl_callback_SSLVerify(int ok, X509_ Link Here
1222
        return TRUE;
1242
        return TRUE;
1223
    }
1243
    }
1224
1244
1225
    if (ssl_verify_error_is_optional(errnum) &&
1226
        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
1227
    {
1228
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
1229
                     "Certificate Verification: Verifiable Issuer is "
1230
                     "configured as optional, therefore we're accepting "
1231
                     "the certificate");
1232
1233
        sslconn->verify_info = "GENEROUS";
1234
        ok = TRUE;
1235
    }
1236
1237
    /*
1245
    /*
1238
     * Additionally perform CRL-based revocation checks
1246
     * Additionally perform CRL-based revocation checks
1239
     */
1247
     */
Lines 1251-1261 int ssl_callback_SSLVerify(int ok, X509_ Link Here
1251
                     "Certificate Verification: Error (%d): %s",
1259
                     "Certificate Verification: Error (%d): %s",
1252
                     errnum, X509_verify_cert_error_string(errnum));
1260
                     errnum, X509_verify_cert_error_string(errnum));
1253
1261
1262
        /* MSTERN: Always accept to establish SSL connection
1263
         *  if SSLVerifyClient="optional_no_ca"
1264
         */
1265
        if ( verify != SSL_CVERIFY_OPTIONAL_NO_CA ) {
1254
            if (sslconn->client_cert) {
1266
            if (sslconn->client_cert) {
1255
                X509_free(sslconn->client_cert);
1267
                X509_free(sslconn->client_cert);
1256
                sslconn->client_cert = NULL;
1268
                sslconn->client_cert = NULL;
1257
            }
1269
            }
1258
            sslconn->client_dn = NULL;
1270
            sslconn->client_dn = NULL;
1271
        }
1259
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1272
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1260
    }
1273
    }
1261
1274
Lines 1282-1287 int ssl_callback_SSLVerify(int ok, X509_ Link Here
1282
        ok = FALSE;
1295
        ok = FALSE;
1283
    }
1296
    }
1284
1297
1298
    /* MSTERN: Always accept to establish SSL connection
1299
     *         if SSLVerifyClient="optional_no_ca"
1300
     */
1301
    if ( !ok && (verify == SSL_CVERIFY_OPTIONAL_NO_CA) ) {
1302
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
1303
                          "SSL client authentication failed, "
1304
                          "accepting certificate based on "
1305
                          "\"SSLVerifyClient optional_no_ca\" configuration");
1306
1307
        sslconn->verify_info = "GENEROUS";
1308
        ok = TRUE;
1309
    }
1310
1285
    /*
1311
    /*
1286
     * And finally signal OpenSSL the (perhaps changed) state
1312
     * And finally signal OpenSSL the (perhaps changed) state
1287
     */
1313
     */
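Review bot: In the last ssl_callback_SSLVerify hunk (Lines 1282-1287) the new `if ( !ok && (verify == SSL_CVERIFY_OPTIONAL_NO_CA) )` override runs after the CRL revocation block that sets `ok = FALSE`, so a certificate the CRL check rejected is accepted too, and with the Lines 1251-1261 hunk skipping the `X509_free`/`client_dn = NULL` reset under this mode that rejected certificate stays in `sslconn->client_cert` and `client_dn`. The block removed at old lines 1225-1235 accepted only errors passing `ssl_verify_error_is_optional(errnum)` and did so before the CRL check; keeping that narrowing, or at least placing the override before the revocation block as the old code did, would keep revocation failures fatal while still tolerating unknown-CA certificates. In the two ssl_hook_Access hunks the dangling `else` followed by `return HTTP_FORBIDDEN;` at the old indentation is easy to misread; brace it as `else { return HTTP_FORBIDDEN; }`, and note those hunks read `dc->nVerifyClient` while ssl_engine_io.c reads `sc->server->auth.verify_mode`, so the two checks can disagree for a per-directory setting. Both enclosing functions continue outside their hunks.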
