On 06/30/2016 02:08 PM, ic...@apache.org wrote: > Author: icing > Date: Thu Jun 30 12:08:42 2016 > New Revision: 1750779 > > URL: http://svn.apache.org/viewvc?rev=1750779&view=rev > Log: > modssl: reset client-verify state when renegotiation is aborted > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > > Modified: httpd/httpd/trunk/CHANGES > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1750779&r1=1750778&r2=1750779&view=diff > ============================================================================== > --- httpd/httpd/trunk/CHANGES [utf-8] (original) > +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jun 30 12:08:42 2016 > @@ -1,6 +1,9 @@ > -*- coding: utf-8 > -*- > Changes with Apache 2.5.0 > > + *) mod_ssl: reset client-verify state of ssl when aborting renegotiations. > + [Erki Aring <e...@example.ee>, Stefan Eissing] > + > *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data > available before the request is sent. PR 57832. [Yann Ylavic] > > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1750779&r1=1750778&r2=1750779&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Jun 30 12:08:42 2016 > @@ -727,6 +727,7 @@ int ssl_hook_Access(request_rec *r) > * on this connection. > */ > apr_table_setn(r->notes, "ssl-renegotiate-forbidden", > "verify-client"); > + SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
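Review bot: The added SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify) line in ssl_hook_Access has no comment explaining why the verify mode is restored at this point. The comment above it only covers the "ssl-renegotiate-forbidden" note. A one-line comment saying that the previous verify mode is put back because the renegotiation is being aborted would make the intent clear. The call also names the callback explicitly although only verify_old needs restoring. OpenSSL leaves the installed callback unchanged when NULL is passed, so SSL_set_verify(ssl, verify_old, NULL) would restore the mode without touching the callback.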
Is there a reason why we use ssl_callback_SSLVerify instead of NULL like we do in a similar situation below? IMHO we do not want to change the callback here to whatever it may set. I agree that in practice there won't be any difference right now, since we only have one callback.

Regards
Rüdiger