httpd/Merge-r1842540-from-trunk.patch

From 5c1995151ab80cd71bc845bd288b90fd55665e2e Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Tue, 9 Oct 2018 23:26:35 +0000
Subject: [PATCH 209/504] Merge r1842540 from trunk:

* Pickup the proxy related configuration for verify mode and verify depth and
  not the configuration settings for frontend connections in case of
  connections by the proxy to the backend.

PR: 62769


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843370 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                         |  4 ++++
 STATUS                          |  9 ---------
 modules/ssl/ssl_engine_kernel.c | 25 ++++++++++++++++++-------
 3 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index d576a298ec..6cd0da527f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1740,7 +1740,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /* Get verify ingredients */
     int errnum   = X509_STORE_CTX_get_error(ctx);
     int errdepth = X509_STORE_CTX_get_error_depth(ctx);
-    int depth, verify;
+    int depth = UNSET;
+    int verify = SSL_CVERIFY_UNSET;
 
     /*
      * Log verification information
@@ -1756,10 +1757,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Check for optionally acceptable non-verifiable issuer situation
      */
-    if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
-        verify = dc->nVerifyClient;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            verify = dc->proxy->auth.verify_mode;
+        }
+        else {
+            verify = dc->nVerifyClient;
+        }
     }
-    else {
+    if (!dc || (verify == SSL_CVERIFY_UNSET)) {
         verify = mctx->auth.verify_mode;
     }
 
@@ -1863,10 +1869,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Finally check the depth of the certificate verification
      */
-    if (dc && (dc->nVerifyDepth != UNSET)) {
-        depth = dc->nVerifyDepth;
+    if (dc) {
+        if (sslconn->is_proxy) {
+            depth = dc->proxy->auth.verify_depth;
+        }
+        else {
+            depth = dc->nVerifyDepth;
+        }
     }
-    else {
+    if (!dc || (depth == UNSET)) {
         depth = mctx->auth.verify_depth;
     }
 
-- 
2.19.1
Package init 2019-12-26 15:53:32 +08:00			`From 5c1995151ab80cd71bc845bd288b90fd55665e2e Mon Sep 17 00:00:00 2001`
			`From: Eric Covener <covener@apache.org>`
			`Date: Tue, 9 Oct 2018 23:26:35 +0000`
			`Subject: [PATCH 209/504] Merge r1842540 from trunk:`

			`* Pickup the proxy related configuration for verify mode and verify depth and`
			`not the configuration settings for frontend connections in case of`
			`connections by the proxy to the backend.`

			`PR: 62769`



			`git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843370 13f79535-47bb-0310-9956-ffa450edef68`
			`---`
			`CHANGES \| 4 ++++`
			`STATUS \| 9 ---------`
			`modules/ssl/ssl_engine_kernel.c \| 25 ++++++++++++++++++-------`
			`3 files changed, 22 insertions(+), 16 deletions(-)`

			`diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c`
			`index d576a298ec..6cd0da527f 100644`
			`--- a/modules/ssl/ssl_engine_kernel.c`
			`+++ b/modules/ssl/ssl_engine_kernel.c`
			`@@ -1740,7 +1740,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)`
			`/* Get verify ingredients */`
			`int errnum = X509_STORE_CTX_get_error(ctx);`
			`int errdepth = X509_STORE_CTX_get_error_depth(ctx);`
			`- int depth, verify;`
			`+ int depth = UNSET;`
			`+ int verify = SSL_CVERIFY_UNSET;`

			`/*`
			`* Log verification information`
			`@@ -1756,10 +1757,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)`
			`/*`
			`* Check for optionally acceptable non-verifiable issuer situation`
			`*/`
			`- if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {`
			`- verify = dc->nVerifyClient;`
			`+ if (dc) {`
			`+ if (sslconn->is_proxy) {`
			`+ verify = dc->proxy->auth.verify_mode;`
			`+ }`
			`+ else {`
			`+ verify = dc->nVerifyClient;`
			`+ }`
			`}`
			`- else {`
			`+ if (!dc \|\| (verify == SSL_CVERIFY_UNSET)) {`
			`verify = mctx->auth.verify_mode;`
			`}`

			`@@ -1863,10 +1869,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)`
			`/*`
			`* Finally check the depth of the certificate verification`
			`*/`
			`- if (dc && (dc->nVerifyDepth != UNSET)) {`
			`- depth = dc->nVerifyDepth;`
			`+ if (dc) {`
			`+ if (sslconn->is_proxy) {`
			`+ depth = dc->proxy->auth.verify_depth;`
			`+ }`
			`+ else {`
			`+ depth = dc->nVerifyDepth;`
			`+ }`
			`}`
			`- else {`
			`+ if (!dc \|\| (depth == UNSET)) {`
			`depth = mctx->auth.verify_depth;`
			`}`

			`--`
			`2.19.1`