ASF Bugzilla – Attachment 19457 Details for
Bug 35083
Certificate validation problems trapping
[patch]
Patch based on SSL_CVERIFY_OPTIONAL_NO_CA
error.patch (text/plain), 6.38 KB, created by
Marc Stern
on 2007-01-25 04:26:41 UTC
Description:
Patch based on SSL_CVERIFY_OPTIONAL_NO_CA
Filename:
MIME Type:
Creator:
Marc Stern
Created:
2007-01-25 04:26:41 UTC
Size:
6.38 KB
patch
obsolete
>--- orig\ssl_engine_io.c 2006-07-11 23:38:44.000000000 +0200
>+++ ssl_engine_io.c 2007-01-25 12:04:24.714989800 +0100
>@@ -1108,26 +1108,19 @@ static int ssl_io_filter_connect(ssl_fil
> */
> verify_result = SSL_get_verify_result(filter_ctx->pssl);
> 
>- if ((verify_result != X509_V_OK) ||
>- sslconn->verify_error)
>- {
>- if (ssl_verify_error_is_optional(verify_result) &&
>- (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
>- {
>- /* leaving this log message as an error for the moment,
>- * according to the mod_ssl docs:
>- * "level optional_no_ca is actually against the idea
>- * of authentication (but can be used to establish
>- * SSL test pages, etc.)"
>- * optional_no_ca doesn't appear to work as advertised
>- * in 1.x
>+ if ( (verify_result != X509_V_OK) || sslconn->verify_error ) {
>+ /* MSTERN: Always accept to establish SSL connection
>+ if SSLVerifyClient="optional_no_ca"
> */
>+ if ( sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA ) {
> ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
> "SSL client authentication failed, "
> "accepting certificate based on "
> "\"SSLVerifyClient optional_no_ca\" "
> "configuration");
> ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
>+ sslconn->verify_info = "GENEROUS";
>+ return APR_SUCCESS;
> }
> else {
> const char *error = sslconn->verify_error ? 
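Review bot: The accept branch no longer requires `ssl_verify_error_is_optional(verify_result)`, so under `SSLVerifyClient optional_no_ca` every failure recorded in `verify_result` or `sslconn->verify_error` is accepted, not only the unverifiable-issuer class the directive is documented for. The branch also now ends in `return APR_SUCCESS;`, leaving ssl_io_filter_connect before whatever follows this hunk (the `SSL_CVERIFY_REQUIRE` check in the next hunk and anything between), a second behaviour change the attachment description does not mention. If accepting any failure is the intent, the deleted mod_ssl doc quote should be replaced by a comment stating it, e.g. `/* optional_no_ca: any client verification failure is tolerated; verify_info = "GENEROUS" lets later stages tell */`; otherwise restore the gate with `if (ssl_verify_error_is_optional(verify_result) && sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) {`. The same broadening appears in the last ssl_callback_SSLVerify hunk of the patch, which replaces the gated block removed earlier in that function.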
>@@ -1161,6 +1154,19 @@ static int ssl_io_filter_connect(ssl_fil
> if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
> !sslconn->client_cert)
> {
>+ /* MSTERN: Always accept to establish SSL connection
>+ if SSLVerifyClient="optional_no_ca"
>+ */
>+ if ( sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA ) {
>+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
>+ "SSL client authentication failed, "
>+ "accepting certificate based on "
>+ "\"SSLVerifyClient optional_no_ca\" configuration");
>+ ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
>+ sslconn->verify_info = "GENEROUS";
>+ return APR_SUCCESS;
>+ }
>+ 
> ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
> "No acceptable peer certificate available");
> 
>--- orig\ssl_engine_kernel.c 2006-07-11 23:38:44.000000000 +0200
>+++ ssl_engine_kernel.c 2007-01-25 11:57:11.572209800 +0100
>@@ -568,6 +568,16 @@ int ssl_hook_Access(request_rec *r)
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> "Cannot find peer certificate chain");
> 
>+ /* MSTERN: Always accept to establish SSL connection
>+ * if SSLVerifyClient="optional_no_ca"
>+ */
>+ if ( dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA ) {
>+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Missing certs will be trapped later");
>+ ssl_log_ssl_error(APLOG_MARK, APLOG_DEBUG, r->server);
>+ sslconn->verify_error = X509_verify_cert_error_string(X509_V_ERR_CERT_REJECTED);
>+ sslconn->verify_info = "GENEROUS";
>+ }
>+ else
> return HTTP_FORBIDDEN;
> } 
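Review bot: The added `optional_no_ca` block is unreachable: it sits inside `if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) && !sslconn->client_cert)`, so `verify_mode` can never equal `SSL_CVERIFY_OPTIONAL_NO_CA` on those lines. Drop the block, or, if the goal is to tolerate a missing client certificate under `optional_no_ca`, test for that mode outside the `SSL_CVERIFY_REQUIRE` guard. ssl_io_filter_connect starts before this hunk.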
> 
>@@ -577,6 +587,16 @@ int ssl_hook_Access(request_rec *r)
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> "Cannot find certificate storage");
> 
>+ /* MSTERN: Always accept to establish SSL connection
>+ * if SSLVerifyClient="optional_no_ca"
>+ */
>+ if ( dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA ) {
>+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Missing certs will be trapped later");
>+ ssl_log_ssl_error(APLOG_MARK, APLOG_DEBUG, r->server);
>+ sslconn->verify_error = X509_verify_cert_error_string(X509_V_ERR_CERT_REJECTED);
>+ sslconn->verify_info = "GENEROUS";
>+ }
>+ else
> return HTTP_FORBIDDEN;
> }
> 
>@@ -1222,18 +1242,6 @@ int ssl_callback_SSLVerify(int ok, X509_
> return TRUE;
> }
> 
>- if (ssl_verify_error_is_optional(errnum) &&
>- (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
>- {
>- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
>- "Certificate Verification: Verifiable Issuer is "
>- "configured as optional, therefore we're accepting "
>- "the certificate");
>- 
>- sslconn->verify_info = "GENEROUS";
>- ok = TRUE;
>- }
>- 
> /*
> * Additionally perform CRL-based revocation checks
> */
>@@ -1251,11 +1259,16 @@ int ssl_callback_SSLVerify(int ok, X509_
> "Certificate Verification: Error (%d): %s",
> errnum, X509_verify_cert_error_string(errnum));
> 
>+ /* MSTERN: Always accept to establish SSL connection
>+ * if SSLVerifyClient="optional_no_ca"
>+ */
>+ if ( verify != SSL_CVERIFY_OPTIONAL_NO_CA ) {
> if (sslconn->client_cert) {
> X509_free(sslconn->client_cert);
> sslconn->client_cert = NULL;
> }
> sslconn->client_dn = NULL;
>+ }
> sslconn->verify_error = X509_verify_cert_error_string(errnum);
> } 
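Review bot: When `dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA` the function now continues past the "Cannot find peer certificate chain" error instead of returning `HTTP_FORBIDDEN`, into code after the hunk that presumably uses the chain just reported missing; the same applies to the "Cannot find certificate storage" hunk that follows, where a missing store is a server-side condition, probably a NULL pointer, and should stay fatal rather than being treated as a client verification failure. Setting `verify_error` to the `X509_V_ERR_CERT_REJECTED` string while also marking `verify_info = "GENEROUS"` leaves the two fields contradicting each other, so whichever one a later stage consults decides the outcome. The `else` controlling a bare `return HTTP_FORBIDDEN;` left at its old indentation is easy to misread as unconditional; brace it as `} else {` / `return HTTP_FORBIDDEN;` / `}`. ssl_hook_Access starts before this hunk and continues after it.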
> 
>@@ -1282,6 +1295,19 @@ int ssl_callback_SSLVerify(int ok, X509_
> ok = FALSE;
> }
> 
>+ /* MSTERN: Always accept to establish SSL connection
>+ * if SSLVerifyClient="optional_no_ca"
>+ */
>+ if ( !ok && (verify == SSL_CVERIFY_OPTIONAL_NO_CA) ) {
>+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
>+ "SSL client authentication failed, "
>+ "accepting certificate based on "
>+ "\"SSLVerifyClient optional_no_ca\" configuration");
>+ 
>+ sslconn->verify_info = "GENEROUS";
>+ ok = TRUE;
>+ }
>+ 
> /*
> * And finally signal OpenSSL the (perhaps changed) state
> */
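Review bot: With `verify != SSL_CVERIFY_OPTIONAL_NO_CA` now guarding the `X509_free`, a certificate that failed verification stays in `sslconn->client_cert`, and `client_dn` is not reset either, so every downstream consumer of the peer certificate (the SSL_CLIENT_* environment, SSLRequire, FakeBasicAuth) sees an unverified identity. That is defensible only if each consumer checks `verify_info` (exported as `SSL_CLIENT_VERIFY` = `GENEROUS`) before trusting the certificate, and nothing in this patch adds such a check. A comment on the new guard should state the contract, e.g. `/* optional_no_ca: keep the unverified cert; consumers must test verify_info == "GENEROUS" */`, and `sslconn->client_dn = NULL;` should probably move outside the guard since the cached DN belongs to an earlier verification. ssl_callback_SSLVerify continues outside the hunk.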
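Review bot: The new accept block runs after the CRL revocation section and after the `ok = FALSE;` just above it (which appears to be the chain-depth check), so under `optional_no_ca` a revoked certificate or an over-long chain is turned back into `ok = TRUE`; the gated block this patch removes earlier in ssl_callback_SSLVerify sat before the CRL checks and could not override them. At minimum the condition should keep the error-class gate the removed code had, `if (!ok && verify == SSL_CVERIFY_OPTIONAL_NO_CA && ssl_verify_error_is_optional(errnum)) {`, so revocation and depth failures remain fatal. The acceptance log line should also be APLOG_INFO like the matching message in ssl_engine_io.c rather than APLOG_DEBUG, so operators can see that an unverified client was admitted. ssl_callback_SSLVerify continues outside the hunk.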