http://issues.apache.org/bugzilla/show_bug.cgi?id=35083

------- Additional Comments From [EMAIL PROTECTED]  2005-11-24 11:13 -------
While waiting for the best integration as requested, here is how to integrate it
correctly with 2.0.54 (and probably above) - I added some other traps during
renegotiation.

mod_ssl.h: add
    extern int sslErrorRedirected;

ssl_engine_init.c: add
    int sslErrorRedirected = -1;

in ssl_engine_io.c: at the beginning of ssl_io_filter_connect(): add
    if ( sslErrorRedirected == -1 ) {
        /* Check if mod_ssl_error is loaded */
        extern AP_DECLARE_DATA module *ap_top_module;
        module *modp;
        sslErrorRedirected = FALSE;
        for ( modp = ap_top_module; modp; modp = modp->next )
            if ( strcmp(modp->name, "mod_ssl_error.c") == 0 ) {
                sslErrorRedirected = TRUE;
                break;
            }
    }

in ssl_engine_io.c: in ssl_io_filter_connect(), after
    orig_verify_mode = filter_ctx->pssl->verify_mode;
    /* Accept if no certs are sent (user hits Esc) */
    if ( sslErrorRedirected )
        filter_ctx->pssl->verify_mode &= ~SSL_VERIFY_FAIL_IF_NO_PEER_CERT;

in ssl_engine_io.c: in ssl_io_filter_connect(), replace
    if (ssl_verify_error_is_optional(verify_result) && ...) {
        ...
    } else {
        return ssl_filter_io_shutdown(filter_ctx, c, 1);
    }
by
    if (ssl_verify_error_is_optional(verify_result) && ...) {
        ...
    } else {
        if ( sslErrorRedirected )
            return APR_SUCCESS;
        return ssl_filter_io_shutdown(filter_ctx, c, 1);
    }

in ssl_engine_io.c: in ssl_io_filter_connect(), replace
    if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) && ... ){
        return ssl_filter_io_shutdown(filter_ctx, c, 1);
    }
by
    if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) && ... ){
        if ( sslErrorRedirected )
            return APR_SUCCESS;
        return ssl_filter_io_shutdown(filter_ctx, c, 1);
    }

in ssl_engine_kernel.c: replace
    SSL_do_handshake(ssl);
    if (SSL_get_state(ssl) != SSL_ST_OK) {
by
    SSL_do_handshake(ssl);
    if (!sslErrorRedirected && SSL_get_state(ssl) != SSL_ST_OK) {

in ssl_engine_kernel.c in ssl_hook_Access(): replace
    if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
        ...
        return HTTP_FORBIDDEN;
by
    if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
        ...
        if (!sslErrorRedirected)
            return HTTP_FORBIDDEN;

in ssl_engine_kernel.c in ssl_callback_SSLVerify(): before
    if (!ok) {
        ...
    }
    /*
     * And finally signal OpenSSL the (perhaps changed) state
     */
    return ok;
add
    if (sslErrorRedirected)
        ok = TRUE; /* MSTERN: SSL errors are trapped later */
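A simplified model of how the changes described in the comment above compose, added here as an illustration; it is not code from the bug report or from mod_ssl. The constants are local stand-ins for the OpenSSL names given in their comments, the clients are constructed inputs, and `handler_denies` is a hypothetical flag for whether the later error-handling module actually rejects the request.

```c
#include <stdio.h>
/* Local stand-ins so the model builds without OpenSSL or httpd headers. */
#define VERIFY_PEER            0x01 /* SSL_VERIFY_PEER */
#define VERIFY_FAIL_IF_NO_CERT 0x02 /* SSL_VERIFY_FAIL_IF_NO_PEER_CERT */
#define V_OK                   0    /* X509_V_OK */
#define V_EXPIRED              10   /* X509_V_ERR_CERT_HAS_EXPIRED */
struct client { int has_cert; int verify_result; };

/* Handshake: ssl_io_filter_connect() plus ssl_callback_SSLVerify(). */
static int handshake_ok(struct client c, int mode, int redirected)
{
    if (redirected)
        mode &= ~VERIFY_FAIL_IF_NO_CERT;          /* flag cleared by the change */
    if (!c.has_cert)
        return !(mode & VERIFY_FAIL_IF_NO_CERT);
    return c.verify_result == V_OK || redirected; /* ok forced to TRUE */
}

/* Access stage: ssl_hook_Access() returns 403 only when not redirected. */
static int access_ok(struct client c, int redirected)
{
    return !c.has_cert || c.verify_result == V_OK || redirected;
}

/* 1 if content is served. handler_denies is hypothetical: does the later
 * error-handling module really reject the unauthenticated request? */
int served(struct client c, int mode, int redirected, int handler_denies)
{
    int authenticated = c.has_cert && c.verify_result == V_OK;
    if (!handshake_ok(c, mode, redirected) || !access_ok(c, redirected))
        return 0;
    return authenticated || !(redirected && handler_denies);
}

/* Constructed unauthenticated clients under "require": no cert, expired cert. */
int unauthenticated_served(int redirected, int handler_denies)
{
    struct client cases[] = { {0, V_OK}, {1, V_EXPIRED} };
    int mode = VERIFY_PEER | VERIFY_FAIL_IF_NO_CERT, n = 0;
    for (int i = 0; i < 2; i++)
        n += served(cases[i], mode, redirected, handler_denies);
    return n;
}

int main(void)
{
    printf("stock=%d handler_acts=%d handler_idle=%d\n", unauthenticated_served(0, 0),
           unauthenticated_served(1, 1), unauthenticated_served(1, 0));
    return 0;
}
```

In this model, once the flag is set, rejection of a missing or invalid client certificate rests entirely on the later handler, so a deployment of these changes should be tested with both kinds of client.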
