From 5c1995151ab80cd71bc845bd288b90fd55665e2e Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Tue, 9 Oct 2018 23:26:35 +0000
Subject: [PATCH 209/504] Merge r1842540 from trunk:
* Pickup the proxy related configuration for verify mode and verify depth and not the configuration settings for frontend connections in case of connections by the proxy to the backend.
PR: 62769
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1843370 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 9 ---------
 modules/ssl/ssl_engine_kernel.c | 25 ++++++++++++++++++-------
 3 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index d576a298ec..6cd0da527f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1740,7 +1740,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 /* Get verify ingredients */
 int errnum = X509_STORE_CTX_get_error(ctx);
 int errdepth = X509_STORE_CTX_get_error_depth(ctx);
- int depth, verify;
+ int depth = UNSET;
+ int verify = SSL_CVERIFY_UNSET;
 
 /*
 * Log verification information
@@ -1756,10 +1757,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 /*
 * Check for optionally acceptable non-verifiable issuer situation
 */
- if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
- verify = dc->nVerifyClient;
+ if (dc) {
+ if (sslconn->is_proxy) {
+ verify = dc->proxy->auth.verify_mode;
+ }
+ else {
+ verify = dc->nVerifyClient;
+ }
 }
- else {
+ if (!dc || (verify == SSL_CVERIFY_UNSET)) {
 verify = mctx->auth.verify_mode;
 }
 
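Review bot: The fallback test `if (!dc || (verify == SSL_CVERIFY_UNSET))` in the verify-mode hunk carries a redundant `!dc`, because `verify` is now initialised to `SSL_CVERIFY_UNSET` and is only assigned inside `if (dc)`; `if (verify == SSL_CVERIFY_UNSET) {` expresses the same condition, and the depth hunk's `if (!dc || (depth == UNSET))` can likewise become `if (depth == UNSET) {`. The proxy branch also dereferences `dc->proxy` without a check, and nothing visible in these hunks shows that a per-directory config always carries a proxy context. If that invariant holds, a short comment next to the dereference saying so would help; if it does not, `verify = dc->proxy ? dc->proxy->auth.verify_mode : SSL_CVERIFY_UNSET;` keeps the fallback intact. ssl_callback_SSLVerify begins and ends outside these hunks, so how `sslconn`, `dc` and `mctx` are obtained is not visible here.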
@@ -1863,10 +1869,15 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 /*
 * Finally check the depth of the certificate verification
 */
- if (dc && (dc->nVerifyDepth != UNSET)) {
- depth = dc->nVerifyDepth;
+ if (dc) {
+ if (sslconn->is_proxy) {
+ depth = dc->proxy->auth.verify_depth;
+ }
+ else {
+ depth = dc->nVerifyDepth;
+ }
 }
- else {
+ if (!dc || (depth == UNSET)) {
 depth = mctx->auth.verify_depth;
 }
 
-- 
2.19.1
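Review bot: The comment above the depth selection, `Finally check the depth of the certificate verification`, no longer tells the reader which limit is in force: the new code takes `dc->proxy->auth.verify_depth` for a backend connection and `dc->nVerifyDepth` for a client connection, each falling back to `mctx->auth.verify_depth`. I would extend it to something like `/* backend (proxy) connections use the proxy verify depth, frontend connections the client verify depth; an unset value falls back to mctx */`. The hunk ends before the depth comparison itself, so what happens when `depth` is still `UNSET` after the fallback cannot be judged from here and is worth confirming in the surrounding function.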