summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDoug MacEachern <dougm@apache.org>2002-06-11 05:45:54 +0200
committerDoug MacEachern <dougm@apache.org>2002-06-11 05:45:54 +0200
commit295e115b4a942cc335425fcd5b38d4244129c5bd (patch)
tree8132e88cc7ac81e494f97c0746c08e57c0bb2dc9
parentPR: (diff)
downloadapache2-295e115b4a942cc335425fcd5b38d4244129c5bd.tar.xz
apache2-295e115b4a942cc335425fcd5b38d4244129c5bd.zip
in case there is actually a cert chain in the cache, we should be
using the value of SSL_get_peer_certificate(ssl) to verify as it will have been removed from the chain before it was put in the cache. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95603 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--modules/ssl/ssl_engine_kernel.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 9274298e55..97812e9ea9 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -710,7 +710,9 @@ int ssl_hook_Access(request_rec *r)
cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
- if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) {
+ cert = SSL_get_peer_certificate(ssl);
+
+ if (!cert_stack && cert) {
/* client cert is in the session cache, but there is
* no chain, since ssl3_get_client_certificate()
* sk_X509_shift-ed the peer cert out of the chain.
@@ -736,7 +738,10 @@ int ssl_hook_Access(request_rec *r)
return HTTP_FORBIDDEN;
}
- cert = sk_X509_value(cert_stack, 0);
+ if (!cert) {
+ cert = sk_X509_value(cert_stack, 0);
+ }
+
X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
depth = SSL_get_verify_depth(ssl);