* Access Handler, modern flavour, for SSL/TLS v1.3 and onward. * Only client certificates can be requested, everything else stays. */
| 911 | * Only client certificates can be requested, everything else stays. |
| 912 | */ |
| 913 | static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirConfigRec *dc, |
| 914 | SSLConnRec *sslconn, SSL *ssl) |
| 915 | { |
| 916 | if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || |
| 917 | (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { |
| 918 | int vmode_inplace, vmode_needed; |
| 919 | int change_vmode = FALSE; |
| 920 | int n, rc; |
| 921 | |
| 922 | vmode_inplace = SSL_get_verify_mode(ssl); |
| 923 | vmode_needed = SSL_VERIFY_NONE; |
| 924 | |
| 925 | if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || |
| 926 | (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) { |
| 927 | vmode_needed |= SSL_VERIFY_PEER_STRICT; |
| 928 | } |
| 929 | |
| 930 | if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || |
| 931 | (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) || |
| 932 | (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) || |
| 933 | (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) |
| 934 | { |
| 935 | vmode_needed |= SSL_VERIFY_PEER; |
| 936 | } |
| 937 | |
| 938 | if (vmode_needed == SSL_VERIFY_NONE) { |
| 939 | return DECLINED; |
| 940 | } |
| 941 | |
| 942 | vmode_needed |= SSL_VERIFY_CLIENT_ONCE; |
| 943 | if (vmode_inplace != vmode_needed) { |
| 944 | /* Need to change, if new setting is more restrictive than existing one */ |
| 945 | |
| 946 | if ((vmode_inplace == SSL_VERIFY_NONE) |
| 947 | || (!(vmode_inplace & SSL_VERIFY_PEER) |
| 948 | && (vmode_needed & SSL_VERIFY_PEER)) |
| 949 | || (!(vmode_inplace & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) |
| 950 | && (vmode_needed & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { |
| 951 | /* need to change the effective verify mode */ |
| 952 | change_vmode = TRUE; |
| 953 | } |
| 954 | else { |
| 955 | /* FIXME: does this work with TLSv1.3? Is this more than re-inspecting |
| 956 | * the certificate we should already have? */ |
| 957 | /* |
| 958 | * override of SSLVerifyDepth |
| 959 | * |
| 960 | * The depth checks are handled by us manually inside the |
| 961 | * verify callback function and not by OpenSSL internally |
| 962 | * (and our function is aware of both the per-server and |
| 963 | * per-directory contexts). So we cannot ask OpenSSL about |
| 964 | * the currently verify depth. Instead we remember it in our |
| 965 | * SSLConnRec attached to the SSL* of OpenSSL. We've to force |
| 966 | * the renegotiation if the reconfigured/new verify depth is |
| 967 | * less than the currently active/remembered verify depth |
| 968 | * (because this means more restriction on the certificate |
| 969 | * chain). |
| 970 | */ |
no test coverage detected