| 309 | } |
| 310 | |
| 311 | static int ssl_check_post_client_verify(request_rec *r, SSLSrvConfigRec *sc, |
| 312 | SSLDirConfigRec *dc, SSLConnRec *sslconn, |
| 313 | SSL *ssl) |
| 314 | { |
| 315 | X509 *cert; |
| 316 | |
| 317 | /* |
| 318 | * Remember the peer certificate's DN |
| 319 | */ |
| 320 | if ((cert = SSL_get_peer_certificate(ssl))) { |
| 321 | if (sslconn->client_cert) { |
| 322 | X509_free(sslconn->client_cert); |
| 323 | } |
| 324 | sslconn->client_cert = cert; |
| 325 | sslconn->client_dn = NULL; |
| 326 | } |
| 327 | |
| 328 | /* |
| 329 | * Finally check for acceptable renegotiation results |
| 330 | */ |
| 331 | if ((dc->nVerifyClient != SSL_CVERIFY_NONE) || |
| 332 | (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) { |
| 333 | BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || |
| 334 | (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)); |
| 335 | |
| 336 | if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { |
| 337 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262) |
| 338 | "Re-negotiation handshake failed: " |
| 339 | "Client verification failed"); |
| 340 | |
| 341 | return HTTP_FORBIDDEN; |
| 342 | } |
| 343 | |
| 344 | if (do_verify) { |
| 345 | if (cert == NULL) { |
| 346 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263) |
| 347 | "Re-negotiation handshake failed: " |
| 348 | "Client certificate missing"); |
| 349 | |
| 350 | return HTTP_FORBIDDEN; |
| 351 | } |
| 352 | } |
| 353 | } |
| 354 | return OK; |
| 355 | } |
| 356 | |
| 357 | /* |
| 358 | * Access Handler, classic flavour, for SSL/TLS up to v1.2 |
no outgoing calls
no test coverage detected