
(-)modules/ssl.orig/mod_ssl.c (-1 / +1 lines)
Lines 131-137 Link Here
131
                "(`/path/to/file' - PEM encoded)")
131
                "(`/path/to/file' - PEM encoded)")
132
    SSL_CMD_ALL(VerifyClient, TAKE1,
132
    SSL_CMD_ALL(VerifyClient, TAKE1,
133
                "SSL Client verify type "
133
                "SSL Client verify type "
134
                "(`none', `optional', `require', `optional_no_ca')")
134
                "(`none', `optional', `require', `optional_no_ca', `require_no_ca')")
135
    SSL_CMD_ALL(VerifyDepth, TAKE1,
135
    SSL_CMD_ALL(VerifyDepth, TAKE1,
136
                "SSL Client verify depth "
136
                "SSL Client verify depth "
137
                "(`N' - number of intermediate certificates)")
137
                "(`N' - number of intermediate certificates)")
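--- a/modules/ssl.orig/ssl_engine_config.c
+++ b/modules/ssl.orig/ssl_engine_config.c
@@ -909,6 +909,9 @@
     else if (strcEQ(arg, "optional_no_ca")) {
         *id = SSL_CVERIFY_OPTIONAL_NO_CA;
     }
+    else if (strcEQ(arg, "require_no_ca")) {
+        *id = SSL_CVERIFY_REQUIRE_NO_CA;
+    }
     else {
         return apr_pstrcat(parms->temp_pool, parms->cmd->name,
                            ": Invalid argument '", arg, "'",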
(-)modules/ssl.orig/ssl_engine_init.c (-1 / +2 lines)
Lines 501-507 Link Here
501
    /*
501
    /*
502
     *  Configure callbacks for SSL context
502
     *  Configure callbacks for SSL context
503
     */
503
     */
504
    if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
504
    if ((mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) ||
505
        (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) {
505
        verify |= SSL_VERIFY_PEER_STRICT;
506
        verify |= SSL_VERIFY_PEER_STRICT;
506
    }
507
    }
507
508
(-)modules/ssl.orig/ssl_engine_io.c (-1 / +5 lines)
Lines 1129-1134 Link Here
1129
                          "configuration");
1129
                          "configuration");
1130
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
1130
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
1131
        }
1131
        }
1132
        else if (ssl_verify_error_is_optional(verify_result) &&
1133
            (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) {
1134
        }
1132
        else {
1135
        else {
1133
            const char *error = sslconn->verify_error ?
1136
            const char *error = sslconn->verify_error ?
1134
                sslconn->verify_error :
1137
                sslconn->verify_error :
Lines 1158-1164 Link Here
1158
     * Make really sure that when a peer certificate
1161
     * Make really sure that when a peer certificate
1159
     * is required we really got one... (be paranoid)
1162
     * is required we really got one... (be paranoid)
1160
     */
1163
     */
1161
    if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
1164
    if (((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) ||
1165
         (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE_NO_CA)) &&
1162
        !sslconn->client_cert)
1166
        !sslconn->client_cert)
1163
    {
1167
    {
1164
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1168
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
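Review bot: The new `else if` branch at 1132-1134 admits a client certificate whose verify result is a "no CA" error with an empty body, so nothing is written to the log, whereas the branch that closes at 1131 (presumably the optional_no_ca case) ends with a logged message and an `ssl_log_ssl_error` call. Because require_no_ca means any self-signed or unknown-issuer certificate is accepted, an operator needs a record of every such acceptance; the body should carry at least `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL client authentication failed, accepting certificate " "based on \"SSLVerifyClient require_no_ca\" configuration");` followed by the same `ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);` the sibling branch uses. A short comment on the branch stating that the issuer failure is deliberately tolerated in this mode would also help the next reader, since an empty block otherwise looks like an oversight. The enclosing function starts and ends outside the hunk.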
(-)modules/ssl.orig/ssl_engine_kernel.c (-4 / +6 lines)
Lines 388-394 Link Here
388
        /* configure new state */
388
        /* configure new state */
389
        verify = SSL_VERIFY_NONE;
389
        verify = SSL_VERIFY_NONE;
390
390
391
        if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
391
        if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
392
            (dc->nVerifyClient == SSL_CVERIFY_REQUIRE_NO_CA)) {
392
            verify |= SSL_VERIFY_PEER_STRICT;
393
            verify |= SSL_VERIFY_PEER_STRICT;
393
        }
394
        }
394
395
Lines 667-673 Link Here
667
         * Finally check for acceptable renegotiation results
668
         * Finally check for acceptable renegotiation results
668
         */
669
         */
669
        if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
670
        if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
670
            BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
671
            BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || (dc->nVerifyClient == SSL_CVERIFY_REQUIRE_NO_CA);
671
672
672
            if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
673
            if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
673
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
674
                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
Lines 1223-1229 Link Here
1223
    }
1224
    }
1224
1225
1225
    if (ssl_verify_error_is_optional(errnum) &&
1226
    if (ssl_verify_error_is_optional(errnum) &&
1226
        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
1227
        ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1228
         (verify == SSL_CVERIFY_REQUIRE_NO_CA)))
1227
    {
1229
    {
1228
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
1230
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
1229
                     "Certificate Verification: Verifiable Issuer is "
1231
                     "Certificate Verification: Verifiable Issuer is "
Lines 1237-1243 Link Here
1237
    /*
1239
    /*
1238
     * Additionally perform CRL-based revocation checks
1240
     * Additionally perform CRL-based revocation checks
1239
     */
1241
     */
1240
    if (ok) {
1242
    if (ok && (verify != SSL_CVERIFY_REQUIRE_NO_CA)) {
1241
        if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) {
1243
        if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) {
1242
            errnum = X509_STORE_CTX_get_error(ctx);
1244
            errnum = X509_STORE_CTX_get_error(ctx);
1243
        }
1245
        }
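Review bot: The condition `if (ok && (verify != SSL_CVERIFY_REQUIRE_NO_CA)) {` at 1242 disables CRL-based revocation checking for every connection under require_no_ca, including certificates that chained to a configured CA and verified cleanly, which is weaker than optional_no_ca, where the CRL block still runs whenever `ok` is set after the 1227-1228 exemption. A revoked certificate issued by a trusted CA would therefore be accepted in this mode; the check should be skipped only when the issuer genuinely could not be verified, e.g. `if (ok && !((verify == SSL_CVERIFY_REQUIRE_NO_CA) && ssl_verify_error_is_optional(errnum))) {`, assuming `errnum` still holds the forgiven error at that point (the lines between the two hunks are not shown). Relatedly, the renegotiation check at 672-673 still rejects any stored result other than `X509_V_OK`, while the ssl_engine_io.c hunk in this same patch shows the stored verify result remains the "no CA" error in require_no_ca mode, so that path appears to need the same `ssl_verify_error_is_optional` exemption; the new 671 line is also well over the file's usual width and would read better split across two lines like the 391-392 change. The enclosing function of each hunk starts and ends outside it.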
(-)modules/ssl.orig/ssl_private.h (-1 / +2 lines)
Lines 220-226 Link Here
220
    SSL_CVERIFY_NONE            = 0,
220
    SSL_CVERIFY_NONE            = 0,
221
    SSL_CVERIFY_OPTIONAL        = 1,
221
    SSL_CVERIFY_OPTIONAL        = 1,
222
    SSL_CVERIFY_REQUIRE         = 2,
222
    SSL_CVERIFY_REQUIRE         = 2,
223
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
223
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3,
224
    SSL_CVERIFY_REQUIRE_NO_CA   = 4
224
} ssl_verify_t;
225
} ssl_verify_t;
225
226
226
#define SSL_VERIFY_PEER_STRICT \
227
#define SSL_VERIFY_PEER_STRICT \
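Review bot: The new enumerator `SSL_CVERIFY_REQUIRE_NO_CA   = 4` at 224 carries no comment, and its name alone does not convey that a client certificate is mandatory but its issuer need not be verifiable, which is what the `ssl_verify_error_is_optional` exemptions elsewhere in this patch implement. A one-line comment such as `/* client cert required, but an unverifiable issuer is accepted (see ssl_verify_error_is_optional) */` would make the security trade-off visible at the definition, where a reader grepping for the mode will land first. The existing OPTIONAL_NO_CA entry at 223 is equally undocumented and would benefit from the matching note.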
