On Wed, 21 Nov 2001, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
> If I'm not wrong, what we're trying to do here is to enforce the strongest
> SSLVerifyDepth b/w the directory config and the server-config -
right, but i don't see why ssl::verify::depth was ever needed for that.
i mean, the patch below should continue to do that without this (as far as
i can see) unneeded sslconn->verify_depth.
so we end up with simply:
    if (per-dir-verify != unset) {
        if (per-dir-verify < per-server-verify) {
            renegotiate = TRUE;
        }
    }
ssl_hook_Access is only going to be called once, and the value of
sc->nVerifyDepth isn't going to change even if it were called more than once.
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.26
diff -u -r1.26 ssl_engine_kernel.c
--- modules/ssl/ssl_engine_kernel.c 2001/11/22 00:42:35 1.26
+++ modules/ssl/ssl_engine_kernel.c 2001/11/22 01:15:37
@@ -518,13 +518,8 @@
* restriction on the certificate chain).
*/
if (dc->nVerifyDepth != UNSET) {
- /* XXX: doesnt look like sslconn->verify_depth is actually used */
- if (!(n = sslconn->verify_depth)) {
- sslconn->verify_depth = n = sc->nVerifyDepth;
- }
-
/* determine whether a renegotiation has to be forced */
- if (dc->nVerifyDepth < n) {
+ if (dc->nVerifyDepth < sc->nVerifyDepth) {
renegotiate = TRUE;
ssl_log(r->server, SSL_LOG_TRACE,
"Reduced client verification depth will force renegotiation");
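Review bot: the local variable `n` is no longer assigned anywhere in this hunk once the `if (!(n = sslconn->verify_depth))` block is dropped, so unless `n` still has a use later in ssl_hook_Access its declaration should go as well, or the build will emit an unused-variable warning. Dropping the lazy write `sslconn->verify_depth = n = sc->nVerifyDepth;` also means any remaining reader of `sslconn->verify_depth` now sees whatever the field was initialised to rather than the server depth; the removed XXX comment only says it "doesnt look like" the field is used, so the commit message should state that no other reader exists (or remove the field from SSLConnRec in the same change). The new comparison `if (dc->nVerifyDepth < sc->nVerifyDepth)` matches the intent stated in the comment above the hunk (enforce the stricter of the directory and server depths), so the logic itself reads fine.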
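To make the difference between the two decision paths concrete, here is an added example (not code from the httpd tree or from either poster) that models the per-directory versus per-server SSLVerifyDepth check before and after the patch. The struct definitions, the UNSET value and the "stale connection cache" scenario are constructed stand-ins for illustration; only the comparison logic follows the hunk above.

```c
#include <stdio.h>

/* Stand-in for mod_ssl's UNSET sentinel ("SSLVerifyDepth not given in this
 * directory context"); the numeric value is a constructed assumption. */
#define UNSET (-1)

/* Minimal constructed stand-ins for the records named in the thread. */
typedef struct { int nVerifyDepth; } SSLSrvConfigRec; /* sc: per-server   */
typedef struct { int nVerifyDepth; } SSLDirConfigRec; /* dc: per-directory */
typedef struct { int verify_depth;  } SSLConnRec;     /* sslconn: per-conn */

/* Decision after the patch: compare the per-directory depth directly with
 * the per-server depth. Returns 1 when a renegotiation must be forced,
 * i.e. when the directory demands a stricter (shorter) chain. */
int needs_renegotiation_new(const SSLDirConfigRec *dc, const SSLSrvConfigRec *sc)
{
    if (dc->nVerifyDepth == UNSET)
        return 0;                      /* directory inherits the server depth */
    return dc->nVerifyDepth < sc->nVerifyDepth;
}

/* Decision before the patch: the server depth was cached on the connection
 * the first time through and the cached value was used for the comparison.
 * If anything else ever wrote sslconn->verify_depth, the decision would
 * depend on connection state rather than on the configuration. */
int needs_renegotiation_old(const SSLDirConfigRec *dc, const SSLSrvConfigRec *sc,
                            SSLConnRec *sslconn)
{
    int n;
    if (dc->nVerifyDepth == UNSET)
        return 0;
    if (!(n = sslconn->verify_depth)) {
        sslconn->verify_depth = n = sc->nVerifyDepth;
    }
    return dc->nVerifyDepth < n;
}

int main(void)
{
    SSLSrvConfigRec sc = { 3 };        /* server allows chains up to depth 3 */
    SSLDirConfigRec dc = { 2 };        /* directory tightens that to 2        */
    SSLConnRec fresh = { 0 };          /* connection not yet touched          */
    SSLConnRec stale = { 1 };          /* constructed: field left at 1        */

    printf("new, fresh: %d\n", needs_renegotiation_new(&dc, &sc));
    printf("old, fresh: %d\n", needs_renegotiation_old(&dc, &sc, &fresh));
    printf("old, stale: %d\n", needs_renegotiation_old(&dc, &sc, &stale));
    return 0;
}
```

With a fresh connection both paths agree; with a non-zero value already sitting in the per-connection field the old path compares against that value instead of the server depth and skips the renegotiation the configuration asked for, which is the hazard the patch removes by comparing against sc->nVerifyDepth directly.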