Author: mturk Date: Wed Jul 23 02:03:38 2008 New Revision: 679036 URL: http://svn.apache.org/viewvc?rev=679036&view=rev Log: Fix #44864 by using additional check like with mod_ssl
Modified: tomcat/connectors/trunk/jni/native/src/sslnetwork.c tomcat/connectors/trunk/jni/xdocs/miscellaneous/changelog.xml
Modified: tomcat/connectors/trunk/jni/native/src/sslnetwork.c
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jni/native/src/sslnetwork.c?rev=679036&r1=679035&r2=679036&view=diff
==============================================================================
--- tomcat/connectors/trunk/jni/native/src/sslnetwork.c (original)
+++ tomcat/connectors/trunk/jni/native/src/sslnetwork.c Wed Jul 23 02:03:38 2008
@@ -302,6 +302,7 @@
 tcn_socket_t *ss = J2P(sock, tcn_socket_t *);
 tcn_ssl_conn_t *con;
 int s, i;
+ long vr;
 apr_status_t rv;
 X509 *peer;
@@ -351,11 +352,17 @@
 /*
 * Check for failed client authentication
 */
- if (SSL_get_verify_result(con->ssl) != X509_V_OK) {
- /* TODO: Log SSL client authentication failed */
- con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
- /* TODO: Figure out the correct return value */
- return APR_EGENERAL;
+ if ((vr = SSL_get_verify_result(con->ssl)) != X509_V_OK) {
+ if (SSL_VERIFY_ERROR_IS_OPTIONAL(vr) &&
+ con->ctx->verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) {
+ /* TODO: Log optionalNoCA */
+ }
+ else {
+ /* TODO: Log SSL client authentication failed */
+ con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
+ /* TODO: Figure out the correct return value */
+ return APR_EGENERAL;
+ }
 }
 /*
Modified: tomcat/connectors/trunk/jni/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jni/xdocs/miscellaneous/changelog.xml?rev=679036&r1=679035&r2=679036&view=diff
==============================================================================
--- tomcat/connectors/trunk/jni/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/connectors/trunk/jni/xdocs/miscellaneous/changelog.xml Wed Jul 23 02:03:38 2008
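Review bot: In the second sslnetwork.c hunk (`@@ -351,11 +352,17 @@`), the new optionalNoCA branch lets the handshake continue after `SSL_get_verify_result()` reported an error, yet its body is only `/* TODO: Log optionalNoCA */`, so nothing visible here records that the peer certificate was accepted without a verified chain. Code after the hunk, and the Java caller, would presumably see the same success as for a fully verified client, which makes it easy to treat such a certificate as authenticated. Until logging is in place I would replace the TODO with `/* optionalNoCA: chain not verified; peer cert is unauthenticated, do not use it for authorization */`. The definition of `SSL_VERIFY_ERROR_IS_OPTIONAL` is not part of this diff, so it is worth confirming that it matches only the unknown-issuer and self-signed class of errors and not expiry or revocation. The enclosing function starts and ends outside the hunk.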
@@ -36,6 +36,15 @@
 new documentation project for Tomcat Native was started.
 </p>
 </section>
+<section name="Changes between 1.1.14 and 1.1.15">
+ <changelog>
+ <fix>
+ <bug>44864</bug>: Use additional check for SSL verify like
+ with mod_ssl for SSLVerifyClient=optionalNoCA. (mturk)
+ </fix>
+ </changelog>
+</section>
+
 <section name="Changes between 1.1.13 and 1.1.14">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]