From 295e115b4a942cc335425fcd5b38d4244129c5bd Mon Sep 17 00:00:00 2001 From: Doug MacEachern Date: Tue, 11 Jun 2002 03:45:54 +0000 Subject: in case there is actually a cert chain in the cache, we should be using the value of SSL_get_peer_certificate(ssl) to verify as it will have been removed from the chain before it was put in the cache. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95603 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_kernel.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'modules/ssl') diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 9274298e55..97812e9ea9 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -710,7 +710,9 @@ int ssl_hook_Access(request_rec *r) cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl); - if (!cert_stack && (cert = SSL_get_peer_certificate(ssl))) { + cert = SSL_get_peer_certificate(ssl); + + if (!cert_stack && cert) { /* client cert is in the session cache, but there is * no chain, since ssl3_get_client_certificate() * sk_X509_shift-ed the peer cert out of the chain. @@ -736,7 +738,10 @@ int ssl_hook_Access(request_rec *r) return HTTP_FORBIDDEN; } - cert = sk_X509_value(cert_stack, 0); + if (!cert) { + cert = sk_X509_value(cert_stack, 0); + } + X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack); depth = SSL_get_verify_depth(ssl); -- cgit v1.2.3