Hi,
I've enabled Client Auth in mod_ssl. The change is pretty simple -
the only thing that needed to be done was to check whether the return value of an
SSL handshake indicated an error. (Most of the code was borrowed from
the existing logic in ssl_engine_kernel.c.)
It'll be great if the code could be reviewed and committed
accordingly
Thanks
-Madhu
Index: mod_ssl.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.19
diff -u -r1.19 mod_ssl.c
--- mod_ssl.c 2001/08/21 06:08:04 1.19
+++ mod_ssl.c 2001/08/21 22:37:14
@@ -316,7 +316,10 @@
int ssl_hook_process_connection(SSLFilterRec *pRec)
{
int n, err;
+ X509 *xs;
+ char *cp;
conn_rec *c = SSL_get_app_data (pRec->pssl);
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
if (!SSL_is_init_finished(pRec->pssl))
{
@@ -422,6 +425,48 @@
SSL_smart_shutdown(pRec->pssl);
SSL_free(pRec->pssl);
pRec->pssl = NULL; /* so filters know we've been shutdown */
+ apr_table_setn(c->notes, "ssl", NULL);
+ c->aborted = 1;
+ return APR_EGENERAL;
+ }
+
+ /*
+ * Check for failed client authentication
+ */
+ if ( SSL_get_verify_result(pRec->pssl) != X509_V_OK
+ || apr_table_get (c->notes, "ssl::verify::error") != NULL) {
+ cp = (char *)apr_table_get(c->notes, "ssl::verify::error");
+ ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "SSL client authentication failed: %s",
+ cp != NULL ? cp : "unknown reason");
+ SSL_set_shutdown(pRec->pssl, SSL_RECEIVED_SHUTDOWN);
+ SSL_smart_shutdown(pRec->pssl);
+ SSL_free(pRec->pssl);
+ apr_table_setn(c->notes, "ssl", NULL);
+ c->aborted = 1;
+ return APR_EGENERAL;
+ }
+
+ /*
+ * Remember the peer certificate's DN
+ */
+ if ((xs = SSL_get_peer_certificate(pRec->pssl)) != NULL) {
+ cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
+ apr_table_setn(c->notes,"ssl::client::dn",apr_pstrdup(c->pool,
cp))
;
+ free(cp);
+ }
+
+ /*
+ * Make really sure that when a peer certificate
+ * is required we really got one... (be paranoid)
+ */
+ if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE
+ && apr_table_get(c->notes, "ssl::client::dn") == NULL) {
+ ssl_log(c->base_server, SSL_LOG_ERROR,
+ "No acceptable peer certificate available");
+ SSL_set_shutdown(pRec->pssl, SSL_RECEIVED_SHUTDOWN);
+ SSL_smart_shutdown(pRec->pssl);
+ SSL_free(pRec->pssl);
apr_table_setn(c->notes, "ssl", NULL);
c->aborted = 1;
return APR_EGENERAL;
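Review bot: The two new abort paths (after "SSL client authentication failed" and after "No acceptable peer certificate available") call SSL_free(pRec->pssl) but, unlike the pre-existing path at the top of this hunk, never clear the pointer; each SSL_free should be followed by `pRec->pssl = NULL; /* so filters know we've been shutdown */`, otherwise the filters that test pRec->pssl are left with a dangling pointer into freed memory. The certificate returned by SSL_get_peer_certificate carries its own reference, so the "Remember the peer certificate's DN" block leaks one X509 per connection until it ends with `X509_free(xs);` after the free(cp). The buffer X509_NAME_oneline allocates when passed a NULL buffer comes from OpenSSL's allocator, so releasing it with `OPENSSL_free(cp);` rather than free() keeps the allocate/release pair matched; the same pattern appears in ssl_engine_kernel.c, so this is a consistency point rather than a regression introduced here. ssl_hook_process_connection begins in the previous hunk and its remaining body lies outside this one.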
[PATCH] mod_SSL with Client Authentication
MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) Tue, 21 Aug 2001 15:27:58 -0700
