Kaspar Brand wrote:
>> Has a configuration
>> with an SSLVerifyClient specified in the named vhost been tested?
> Yes, and one specific configuration actually made me tweak the code in
> the servername callback further: [...]
It turns out that this change was too radical, actually - it prevented
per-directory specific SSLVerifyClient settings [1] from working
correctly. I have updated the patch to fix this, as shown by the
attached interdiff (against the version attached to
http://mail-archives.apache.org/mod_mbox/httpd-dev/200801.mbox/[EMAIL PROTECTED]).
The complete patch against trunk is attached to PR 34607
(http://issues.apache.org/bugzilla/show_bug.cgi?id=34607):
http://issues.apache.org/bugzilla/attachment.cgi?id=21365
And a proposed backport for 2.2.x is available at:
http://sni.velox.ch/httpd-2.2.x-sni.diff
These versions should fix the remaining issues I'm aware of, so it would
be great if there's a chance to consider this for inclusion in 2.2.8.
Please let me know if there's anything else I can do to help with this
process.
Thanks,
Kaspar
[1] I've also verified that other per-directory mod_ssl settings, such
as SSLCipherSuite, will work as expected, e.g. with a configuration like
the following:
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www1.example.net
    SSLCertificateFile www1.crt
    SSLCertificateKeyFile www1.key
    SSLCipherSuite ALL
</VirtualHost>

<VirtualHost *:443>
    ServerName www2.example.net
    SSLCertificateFile www2.crt
    SSLCertificateKeyFile www2.key
    SSLCACertificateFile my_ca.crt
    SSLVerifyClient optional_no_ca
    SSLCipherSuite MEDIUM:HIGH
    <Location /topsecret>
        SSLVerifyClient require
        SSLCipherSuite HIGH
    </Location>
</VirtualHost>
In this case, more restrictive requirements are enforced for
www2.example.net (at least 128-bit ciphers, client auth optional), and
even more restrictive settings for www2.example.net/topsecret (stronger
ciphers, and mandatory client auth).
diff -u ssl_engine_init.c ssl_engine_init.c
--- ssl_engine_init.c (working copy)
+++ ssl_engine_init.c (working copy)
@@ -1095,7 +1095,7 @@
#ifdef OPENSSL_NO_TLSEXT
"Init: SSL server IP/port conflict: "
#else
- "Init: SSL server IP/port congruence: "
+ "Init: SSL server IP/port overlap: "
#endif
"%s (%s:%d) vs. %s (%s:%d)",
ssl_util_vhostid(p, s),
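Review bot: the reworded TLSEXT branch differs from the OPENSSL_NO_TLSEXT "conflict" text by one word only, while the rest of the format string ("%s (%s:%d) vs. %s (%s:%d)") is shared, so an administrator reading the log still cannot tell that with SNI support an overlapping IP/port pair is expected and harmless rather than a misconfiguration. Consider making the TLSEXT text say so explicitly (for example "Init: SSL server IP/port overlap, relying on SNI to distinguish: " as one possible wording) and, if both branches currently share the same log level (not visible in this hunk), logging the overlap case at a lower severity than the conflict case.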
diff -u ssl_engine_kernel.c ssl_engine_kernel.c
--- ssl_engine_kernel.c (working copy)
+++ ssl_engine_kernel.c (working copy)
@@ -2009,8 +2009,18 @@
* from the ctx by hand
*/
SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
+ (SSL_num_renegotiations(ssl) == 0)) {
+ /*
+ * Only initialize the verification settings from the ctx
+ * if they are not yet set, or if we're called when a new
+ * SSL connection is set up (num_renegotiations == 0).
+ * Otherwise, we would possibly reset a per-directory
+ * configuration which was put into effect by ssl_hook_Access.
+ */
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
+ SSL_CTX_get_verify_callback(ssl->ctx));
+ }
return 1;
}
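Review bot: the guard in front of the re-added SSL_set_verify call uses SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE as the signal that the verification settings are "not yet set" (as the comment puts it), but SSL_VERIFY_NONE is also a legitimate configured value: a per-directory "SSLVerifyClient none" under a vhost whose default is optional or require would leave the connection in exactly that mode after ssl_hook_Access, and a renegotiation that then reaches this callback (say, one triggered by a per-directory SSLCipherSuite change) would overwrite the per-directory "none" with the ctx's stricter mode, which is the very reset the comment says it wants to avoid. An explicit per-connection "verify settings initialised" flag would express the intent without inferring it from the mode value, and would let the SSL_VERIFY_NONE half of the condition go. The comment should also say that SSL_num_renegotiations(ssl) counts every renegotiation, client-initiated ones included, so "== 0" means "first handshake on this connection" rather than "not yet renegotiated by ssl_hook_Access"; that is the right test here, but the distinction is worth stating next to the code.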