> -----Original Message-----
> From: Kaspar Brand
> Sent: Saturday, 25 April 2009 09:37
> To: [email protected]
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
>
> >> Mind to send a version v9 of your patch such that I can review the
> >> complete one again? Thanks for your efforts.
>
> Sorry, please disregard v9 - it makes SSL_VERIFY_CLIENT report GENEROUS
> even in cases where it could/should be SUCCESS, actually (if the CA list
> stays the same; i.e., v9 doesn't weaken things, security-wise, but
> possibly locks out legitimate [non-SNI] clients).
Sounds reasonable.
>
> I have attached v10. As far as ssl_var_lookup_ssl_cert_verify()
> is concerned, a tweak could look like:
>
> --- modules/ssl/ssl_engine_vars.c (revision 765079)
> +++ modules/ssl/ssl_engine_vars.c (working copy)
> @@ -607,7 +607,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po
> result = "SUCCESS";
> else if (vrc == X509_V_OK && vinfo != NULL &&
> strEQ(vinfo, "GENEROUS"))
> /* client verification done in generous way */
> - result = "GENEROUS";
> + result = xs ? "GENEROUS" : "NONE";
> else
> /* client verification failed */
> result = apr_psprintf(p, "FAILED:%s", verr);
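Review bot: the new `+ result = xs ? "GENEROUS" : "NONE";` line makes the comment directly above it ("client verification done in generous way") inaccurate for the branch where `xs` is NULL, and it folds two distinct situations into the single value NONE: no client verification performed at all, and GENEROUS verification where the client simply presented no certificate. If this tweak is taken, reword the comment to say that GENEROUS is only reported when a peer certificate (`xs`) is actually present, and consider whether consumers of SSL_CLIENT_VERIFY (e.g. access rules keyed on NONE) need to distinguish those two cases.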
>
>
> [Not included in v10. If it's added, we should probably update the comment
> to explain why we're doing it like this, exactly.]
I guess the following one is the better patch:
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c (revision 768231)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -599,7 +599,7 @@
vrc = SSL_get_verify_result(ssl);
xs = SSL_get_peer_certificate(ssl);
- if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs == NULL)
+ if (vrc == X509_V_OK && verr == NULL && xs == NULL)
/* no client verification done at all */
result = "NONE";
else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
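Review bot: dropping `vinfo == NULL` from the first condition widens the NONE branch to cover the case where `vinfo` is set (GENEROUS) but no peer certificate came back, so the comment `/* no client verification done at all */` no longer matches the code; reword it to something like "no client certificate presented (verification may have been optional)". The following `else if` still requires `vinfo == NULL && xs != NULL` for SUCCESS, which is correct, but it is worth stating in the commit message that a GENEROUS configuration with no certificate now yields NONE rather than GENEROUS, since that is the observable change for mod_ssl variable users. One more check: `xs = SSL_get_peer_certificate(ssl)` returns a new reference that must be released with `X509_free(xs)` once the branches are done; the hunk does not show the release, so confirm it is present below the changed lines.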
IMHO we can report NONE whenever there was no error and the client cert is
empty.
Opinions by the SSL Gurus?
Regards
Rüdiger