https://issues.apache.org/bugzilla/show_bug.cgi?id=45054
--- Comment #1 from Paul Donohue <[email protected]> 2010-04-13 13:52:53 EDT ---

I've run into the same problem. If 'SSLVerifyClient optional_no_ca' is used, the SSL_CLIENT_VERIFY environment variable will contain either 'SUCCESS' or 'FAILED:' (with no error string). It will never contain 'GENEROUS', as stated by the documentation.

As Benjamin stated, this happens because ssl_callback_SSLVerify() in ssl_engine_kernel.c only sets sslconn->verify_info = "GENEROUS" if validation failed with an "optional" error, and only sets sslconn->verify_error if optional_no_ca is used and validation failed with a non-optional error. Thus, the 'if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))' statement in ssl_var_lookup_ssl_cert_verify() in ssl_engine_vars.c will never match, because vinfo will not have been set if vrc is set to X509_V_OK, and the FAILED message will not contain an error string since sslconn->verify_error was never set.

I get the sense that the original mistake was in the if statement in ssl_engine_vars.c, so the second approach mentioned by Benjamin is probably the best fix. However, the ssl_verify_error_is_optional(vrc) check that Benjamin used isn't actually needed, since sslconn->verify_info will not be set if the error is optional, so you only really need to check for sslconn->verify_info == GENEROUS.

I'm attaching two patches (one for 2.2.x, and one for trunk) to correct this. Hopefully someone will apply them, as this is a simple but annoying bug.
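The following is an added example, not code from the bug report or from mod_ssl: a stripped-down C model of the two functions the comment describes (struct, field and function names are assumed), showing why the original 'vrc == X509_V_OK' condition can never yield GENEROUS under optional_no_ca and how checking verify_info alone changes the result.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the state the comment describes; names are assumed, not mod_ssl's. */
#define X509_V_OK 0
#define ERR_OPTIONAL 1     /* stands in for an error that optional_no_ca tolerates (constructed) */

struct conn {
    long vrc;                 /* what SSL_get_verify_result() would return */
    const char *verify_info;  /* "GENEROUS" once the callback tolerated an optional error */
    const char *verify_error; /* only set for a non-optional failure under optional_no_ca */
    int have_peer_cert;
};

/* Models ssl_callback_SSLVerify() under optional_no_ca as the comment describes it:
 * an optional error sets verify_info but leaves vrc as the error code. */
static void verify_callback(struct conn *c, long vrc, int optional_err)
{
    c->vrc = vrc;
    c->have_peer_cert = 1;
    if (vrc != X509_V_OK && optional_err)
        c->verify_info = "GENEROUS";
    else if (vrc != X509_V_OK)
        c->verify_error = "non-optional verification error";
}

/* Models ssl_var_lookup_ssl_cert_verify(). With fixed == 0 the GENEROUS branch also
 * requires vrc == X509_V_OK, which the callback never leaves true for a tolerated error. */
static const char *lookup_verify(const struct conn *c, int fixed, char *buf, size_t n)
{
    int generous = c->verify_info && strcmp(c->verify_info, "GENEROUS") == 0;
    if (c->vrc == X509_V_OK && !c->verify_info && !c->verify_error)
        return c->have_peer_cert ? "SUCCESS" : "NONE";
    if (generous && (fixed || c->vrc == X509_V_OK))
        return "GENEROUS";
    snprintf(buf, n, "FAILED:%s", c->verify_error ? c->verify_error : "");
    return buf;   /* with the bug, a tolerated error lands here as a bare "FAILED:" */
}

/* Runs one handshake outcome through the model and returns what SSL_CLIENT_VERIFY would hold. */
const char *client_verify(int untrusted_cert, int fixed)
{
    static char buf[64];
    struct conn c = {0, NULL, NULL, 0};
    verify_callback(&c, untrusted_cert ? ERR_OPTIONAL : X509_V_OK, untrusted_cert);
    return lookup_verify(&c, fixed, buf, sizeof buf);
}
```

client_verify(1, 0) models a certificate from an unknown CA under the original lookup and yields "FAILED:", while client_verify(1, 1) yields "GENEROUS"; either way an application behind optional_no_ca should treat only the exact value SUCCESS as a CA-validated client certificate.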
