From 84edf5f49db23ced03259812bbf9426685f7d82a Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@apache.org>
Date: Wed, 20 Mar 2019 15:45:16 +0000
Subject: [PATCH] Merge r1855849 from trunk:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
restore SSL verify state after PHA failure in TLSv1.3.
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Reviewed by: jorton, covener, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855917 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 3 +++
modules/ssl/ssl_engine_kernel.c | 2 ++
2 files changed, 5 insertions(+)
#diff --git a/CHANGES b/CHANGES
#index 6b03eadfa07..6f20d688ece 100644
#--- a/CHANGES
#+++ b/CHANGES
#@@ -1,6 +1,9 @@
# -*- coding: utf-8 -*-
# Changes with Apache 2.4.39
#
#+ *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
#+ [Michael Kaufmann <mail michael-kaufmann.ch>]
#+
# *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
# PR 55348
#
Index: apache2-2.4.38/modules/ssl/ssl_engine_kernel.c
===================================================================
--- apache2-2.4.38.orig/modules/ssl/ssl_engine_kernel.c 2019-04-03 14:31:14.279214679 -0400
+++ apache2-2.4.38/modules/ssl/ssl_engine_kernel.c 2019-04-03 14:31:14.279214679 -0400
@@ -1154,6 +1154,7 @@ static int ssl_hook_Access_modern(reques
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
apr_table_setn(r->notes, "error-notes",
"Reason: Cannot perform Post-Handshake Authentication.<br />");
+ SSL_set_verify(ssl, vmode_inplace, NULL);
return HTTP_FORBIDDEN;
}
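Review bot: The two added `SSL_set_verify(ssl, vmode_inplace, NULL);` calls, here before `return HTTP_FORBIDDEN;` and in the next hunk before `return rc;`, have no comment saying why the restore matters, and the restore is repeated by hand on each failure path. Presumably a failed post-handshake authentication would otherwise leave the connection in the stricter verify mode without a verified client certificate behind it, so a later request on the same connection could be judged against state that was never established. A comment such as `/* PHA failed: restore the previous verify mode so later requests on this connection are checked again */` above each call would record that. ssl_hook_Access_modern starts and ends outside both hunks, so it cannot be confirmed from here that no other early return sits between the point where the new mode is set and these two exits. A single cleanup label that performs the restore would cover any such path and any added later.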
@@ -1175,6 +1176,7 @@ static int ssl_hook_Access_modern(reques
* Finally check for acceptable renegotiation results
*/
if (OK != (rc = ssl_check_post_client_verify(r, sc, dc, sslconn, ssl))) {
+ SSL_set_verify(ssl, vmode_inplace, NULL);
return rc;
}
}