diff options
| -rw-r--r-- | acinclude.m4 | 1 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_config.c | 25 | ||||
| -rw-r--r-- | modules/ssl/ssl_engine_kernel.c | 61 |
3 files changed, 9 insertions, 78 deletions
diff --git a/acinclude.m4 b/acinclude.m4 index 7acca90995..e9dcec8425 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -475,7 +475,6 @@ if test "x$ap_ssltk_configured" = "x"; then AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"]) AC_CHECK_FUNCS(SSL_set_state) fi - AC_CHECK_FUNCS(SSL_set_cert_store) dnl restore CPPFLAGS="$saved_CPPFLAGS" LIBS="$saved_LIBS" diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 6e4a1f26e1..23bc8f9b70 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -749,22 +749,7 @@ const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *cmd, } #define NO_PER_DIR_SSL_CA \ - "Your ssl library does not have support for per-directory CA" - -#ifdef HAVE_SSL_SET_CERT_STORE -# define MODSSL_HAVE_SSL_SET_CERT_STORE 1 -#else -# define MODSSL_HAVE_SSL_SET_CERT_STORE 0 -#endif - -#define MODSSL_SET_CA(f) \ - if (cmd->path) \ - if (MODSSL_HAVE_SSL_SET_CERT_STORE) \ - dc->f = arg; \ - else \ - return NO_PER_DIR_SSL_CA; \ - else \ - sc->f = arg \ + "Your SSL library does not have support for per-directory CA" const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *dcfg, @@ -777,6 +762,10 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, if ((err = ssl_cmd_check_dir(cmd, &arg))) { return err; } + + if (cmd->path) { + return NO_PER_DIR_SSL_CA; + } /* XXX: bring back per-dir */ sc->server->auth.ca_cert_path = arg; @@ -796,6 +785,10 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, return err; } + if (cmd->path) { + return NO_PER_DIR_SSL_CA; + } + /* XXX: bring back per-dir */ sc->server->auth.ca_cert_file = arg; diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 0a2ea7be5a..83a035c83a 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -540,67 +540,6 @@ int ssl_hook_Access(request_rec *r) } } - /* - * override SSLCACertificateFile & SSLCACertificatePath - * This is only enabled if the SSL_set_cert_store() function - * is available in the ssl library. the 1.x based mod_ssl - * used SSL_CTX_set_cert_store which is not thread safe. - */ - -#ifdef HAVE_SSL_SET_CERT_STORE - /* - * check if per-dir and per-server config field are not the same. - * if f is defined in per-dir and not defined in per-server - * or f is defined in both but not the equal ... - */ -#define MODSSL_CFG_NE(f) \ - (dc->f && (!sc->f || (sc->f && strNE(dc->f, sc->f)))) - -#define MODSSL_CFG_CA(f) \ - (dc->f ? dc->f : sc->f) - - if (MODSSL_CFG_NE(szCACertificateFile) || - MODSSL_CFG_NE(szCACertificatePath)) - { - STACK_OF(X509_NAME) *ca_list; - const char *ca_file = MODSSL_CFG_CA(szCACertificateFile); - const char *ca_path = MODSSL_CFG_CA(szCACertificatePath); - - cert_store = X509_STORE_new(); - - if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Unable to reconfigure verify locations " - "for client authentication"); - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server); - - X509_STORE_free(cert_store); - - return HTTP_FORBIDDEN; - } - - /* SSL_free will free cert_store */ - SSL_set_cert_store(ssl, cert_store); - - if (!(ca_list = ssl_init_FindCAList(r->server, r->pool, - ca_file, ca_path))) - { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, - "Unable to determine list of available " - "CA certificates for client authentication"); - - return HTTP_FORBIDDEN; - } - - SSL_set_client_CA_list(ssl, ca_list); - renegotiate = TRUE; - - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Changed client verification locations will force " - "renegotiation"); - } -#endif /* HAVE_SSL_SET_CERT_STORE */ - /* If a renegotiation is now required for this location, and the * request includes a message body (and the client has not * requested a "100 Continue" response), then the client will be |