ASF Bugzilla – Attachment 28460 Details for
Bug 52874
Support Use TrustedFirst checking when verifying client certificate chain
[patch]
Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl
httpd-2.2.3-ssl-trusted_first.patch (text/plain), 4.72 KB, created by
KV
on 2012-03-13 14:59:29 UTC
Description:
Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl
Filename:
MIME Type:
Creator:
KV
Created:
2012-03-13 14:59:29 UTC
Size:
4.72 KB
patch
obsolete
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/mod_ssl.c
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/mod_ssl.c 2012-03-09 08:40:42.000000000 -0500
>@@ -145,6 +145,9 @@
> "Use the server's cipher ordering preference")
> SSL_CMD_ALL(UserName, TAKE1,
> "Set user name to SSL variable value")
>+ SSL_CMD_SRV(TrustedFirst, TAKE1,
>+ "SSL Client Check Trusted Store first "
>+ "(`on', `off')")
>
> /*
> * Proxy configuration for remote SSL connections
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_config.c
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_config.c 2012-03-09 09:07:26.000000000 -0500
>@@ -125,6 +125,7 @@
> mctx->auth.ca_cert_file = NULL;
> mctx->auth.cipher_suite = NULL;
> mctx->auth.verify_depth = UNSET;
>+ mctx->auth.trusted_first = UNSET;
> mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
> }
>
>@@ -213,6 +214,7 @@
> cfgMergeString(auth.ca_cert_file);
> cfgMergeString(auth.cipher_suite);
> cfgMergeInt(auth.verify_depth);
>+ cfgMergeInt(auth.trusted_first);
> cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
> }
>
>@@ -977,6 +979,24 @@
> return NULL;
> }
>
>+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *cmd,
>+ void *dcfg,
>+ const char *arg)
>+{
>+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
>+
>+ if (!strcasecmp(arg, "On")) {
>+ sc->server->auth.trusted_first = 1;
>+ return NULL;
>+ }
>+ else if (!strcasecmp(arg, "Off")) {
>+ sc->server->auth.trusted_first = 0;
>+ return NULL;
>+ }
>+
>+ return "Argument must be On or Off";
>+}
>+
> #define MODSSL_NO_SHARED_MEMORY_ERROR \
> "SSLSessionCache: shared memory cache not useable on this platform"
>
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_init.c
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_init.c 2012-03-09 08:40:38.000000000 -0500
>@@ -516,6 +516,18 @@
> mctx->auth.verify_depth = 1;
> }
>
>+ /**
>+ * If requested, set flag for using Trusted set of CA
>+ * Certificates first. (Backport from openssl-1.0.2)
>+ */
>+ if (mctx->auth.trusted_first == SSL_CVERIFY_TRUSTED_ON) {
>+ if (s->loglevel >= APLOG_INFO) {
>+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
>+ "Setting Use Trusted First Flag for Client Verification");
>+ }
>+ ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;
>+ }
>+
> /*
> * Configure callbacks for SSL context
> */
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_private.h
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_private.h 2012-03-09 08:27:59.000000000 -0500
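Review bot: ssl_cmd_SSLTrustedFirst stores the literals 1 and 0 while ssl_engine_init.c tests `mctx->auth.trusted_first == SSL_CVERIFY_TRUSTED_ON`, so the directive handler and the consumer agree only by coincidence of value; assign `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_ON;` and `... = SSL_CVERIFY_TRUSTED_OFF;` using the macros this same patch introduces in ssl_private.h. Because the directive is registered as SSL_CMD_SRV/TAKE1 but only accepts On or Off, declaring it as FLAG (the form the `int flag` prototype of ssl_cmd_SSLHonorCipherOrder in the ssl_private.h hunk appears to use) would let the core parse the argument and remove the two strcasecmp branches. The unused `dcfg` parameter is normal for a server-scope directive and needs no change.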
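Review bot: `ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;` writes to an SSL_CTX member directly rather than through OpenSSL's public API, which ties the module to the library's private layout and stops compiling once the structure is made opaque; the accessor route `X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_TRUSTED_FIRST);` is the public equivalent, though whether the verify parameters inherit store flags identically on the OpenSSL release this targets should be confirmed. The `s->loglevel >= APLOG_INFO` guard repeats the level check ap_log_error already performs and can be dropped. The enclosing function begins and ends outside the hunk.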
>@@ -238,6 +238,26 @@
> || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
>
> /**
>+ * Define SSL Verification Flags
>+ * (Backport from openssl-1.0.2)
>+ */
>+
>+#ifndef X509_V_FLAG_TRUSTED_FIRST
>+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
>+#endif
>+
>+/**
>+ * Define the values for Client Verification Trust enabled or not
>+ */
>+#ifndef SSL_CVERIFY_TRUSTED
>+#define SSL_CVERIFY_TRUSTED_ON 1
>+#define SSL_CVERIFY_TRUSTED_OFF 0
>+
>+#define SSL_CVERIFY_TRUSTED
>+#endif
>+
>+
>+/**
> * Define the SSL pass phrase dialog types
> */
> typedef enum {
>@@ -344,6 +364,7 @@
> const char *verify_info;
> const char *verify_error;
> int verify_depth;
>+ int trusted_first;
> int is_proxy;
> int disabled;
> int non_ssl_request;
>@@ -410,6 +431,7 @@
>
> /** for client or downstream server authentication */
> int verify_depth;
>+ int trusted_first;
> ssl_verify_t verify_mode;
> } modssl_auth_ctx_t;
>
>@@ -506,6 +528,7 @@
> const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
> const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
>+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
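Review bot: The `#ifndef X509_V_FLAG_TRUSTED_FIRST` fallback to 0x8000 makes SSLTrustedFirst silently ineffective when httpd is built against an OpenSSL that predates the flag: the bit is set and the INFO message "Setting Use Trusted First Flag for Client Verification" is logged, but the library ignores the bit and chain building keeps its previous behaviour, so an administrator reads the log as confirmation of a verification policy that is not actually in force. Gate the fallback on OPENSSL_VERSION_NUMBER (or drop it and rely on the library header), and have ssl_cmd_SSLTrustedFirst reject the directive or ssl_engine_init.c log a warning when the linked library cannot honour it. The valueless `#define SSL_CVERIFY_TRUSTED` serves only as a guard and deserves a comment such as `/* guard only: marks the SSL_CVERIFY_TRUSTED_* values as defined */`, and the two consecutive empty lines added before the reopened `/**` look accidental.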
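Review bot: The `int trusted_first;` added at @@ -344 to the connection-level record (alongside verify_info, verify_error and is_proxy) is never read or written by any other hunk of this patch; the only field the code uses is `auth.trusted_first` in modssl_auth_ctx_t at @@ -410, which ssl_engine_config.c initialises and merges and ssl_engine_init.c reads. Unless a follow-up intends to carry a per-connection copy, remove the field, or mark it `/* per-connection copy of auth.trusted_first; currently unused */` so the next reader does not look for a consumer that does not exist.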