[mod_gnutls-devel] `GnuTLSClientVerify` behavior incorrect?
Ramkumar Chinchani
ramkumar.chinchani at gmail.com
Mon Mar 3 07:03:12 CET 2014
This is the complete patch.
Basically two changes:
1) dc->client_verify_mode = -1 unless there is an explicit directory
directive
2) mgs_cert_verify() does correctly come back with HTTP_FORBIDDEN, but if the client
cert is "required" it must be honored
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index d068ebb..2cc8af1 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -849,7 +849,8 @@ int mgs_hook_authz(request_rec * r) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"GnuTLS: Directory set to Ignore Client Certificate!");
} else {
- if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
+ if (dc->client_verify_mode >= 0 &&
+ ctxt->sc->client_verify_mode < dc->client_verify_mode) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"GnuTLS: Attempting to rehandshake with peer. %d %d",
ctxt->sc->client_verify_mode,
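Review bot: the new `dc->client_verify_mode >= 0` guard depends on the directory config defaulting to -1 when no `GnuTLSClientVerify` directive is present, but that initialisation (change 1 in the cover note) is not in this diff, which only touches gnutls_hooks.c; please include the directory-config create/merge change in the same patch, since without it the guard is never false and the fix is a no-op. Also check that `client_verify_mode` is declared as a signed `int` and not as `gnutls_certificate_request_t`; storing -1 in an enum-typed field and comparing it with `>= 0` is not reliable.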
@@ -878,7 +879,8 @@ int mgs_hook_authz(request_rec * r) {
rv = mgs_cert_verify(r, ctxt);
if (rv != DECLINED &&
(rv != HTTP_FORBIDDEN ||
- dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
+ dc->client_verify_mode == GNUTLS_CERT_REQUIRE ||
+ ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
return rv;
}
}
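Review bot: the added `ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE` alternative means a directory that explicitly sets a weaker mode (e.g. `request`) under a server-level `require` still gets HTTP_FORBIDDEN on a failed verification. If per-directory relaxation is meant to be possible, mirror the first hunk and test the effective mode instead, e.g. `int mode = dc->client_verify_mode >= 0 ? dc->client_verify_mode : ctxt->sc->client_verify_mode;` followed by `mode == GNUTLS_CERT_REQUIRE`; if it is not, state in the directive docs that a server-level `require` cannot be loosened per directory. Either way, returning `rv` here when the effective mode is `require` is the correct fail-closed behaviour, so the question is only which setting wins.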
On Tue, Feb 25, 2014 at 9:48 PM, Ramkumar Chinchani <ramkumar.chinchani at gmail.com> wrote:
> As per the current config model, it is possible that `GnuTLSClientVerify` is
> defined in server or vhost but not under directory, in which case this is
> probably what is desired?
>
> Kindly review.
>
>
> diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
> index d068ebb..335ae3f 100644
> --- a/src/gnutls_hooks.c
> +++ b/src/gnutls_hooks.c
> @@ -849,7 +849,8 @@ int mgs_hook_authz(request_rec * r) {
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "GnuTLS: Directory set to Ignore Client Certificate!");
> } else {
> - if (ctxt->sc->client_verify_mode < dc->client_verify_mode) {
> + if (dc->client_verify_mode >= 0 &&
> + ctxt->sc->client_verify_mode < dc->client_verify_mode) {
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "GnuTLS: Attempting to rehandshake with peer. %d %d",
> ctxt->sc->client_verify_mode,
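Review bot: on its own this guard regresses the forbidden path: once `dc->client_verify_mode` can be -1, the later `rv != HTTP_FORBIDDEN || dc->client_verify_mode == GNUTLS_CERT_REQUIRE` test in mgs_hook_authz no longer honours a `require` set only at server or vhost level, so a client that fails verification is not rejected there. The second hunk of the follow-up patch above adds the server-level check; the two changes should land together rather than this one alone.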