[mod_gnutls-devel] mgs_hook_authz() handling of return values from mgs_cert_verify()?

Ramkumar Chinchani ramkumar.chinchani at gmail.com
Fri Mar 14 07:58:20 CET 2014


When GnuTLSClientVerify method is set to cartel or msva, mgs_cert_verify()
correctly returns HTTP_FORBIDDEN when verification fails.

However, when GnuTLSClientVerify is set to "require" at server-level and
not at directory-level, mgs_hook_authz() doesn't seem to honor the return
code properly for this case.

Kindly review the following patch.

diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index d068ebb..5bfc2b6 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -878,7 +878,8 @@ int mgs_hook_authz(request_rec * r) {
         rv = mgs_cert_verify(r, ctxt);
         if (rv != DECLINED &&
                 (rv != HTTP_FORBIDDEN ||
-                dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
+                dc->client_verify_mode == GNUTLS_CERT_REQUIRE ||
+                ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
             return rv;
         }
     }
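
Review bot: OR-ing `ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE` into the `rv != HTTP_FORBIDDEN` test makes a server-level "require" return HTTP_FORBIDDEN for every request, including requests to directories whose `dc->client_verify_mode` is explicitly set to something weaker, so a directory can no longer relax the server setting. If the intent is only the case described in the message (require at server level, nothing configured at directory level), test the server mode only when the directory mode is unset instead of unconditionally. A short comment above the condition stating which level takes precedence would also help, since the three-way expression is hard to read; the visible lines do not show whether the enclosing block is reached at all when only the server-level mode is set, which is worth confirming.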