From 4658737147cc968e330c22d51f829075307e5d45 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Wed, 12 Sep 2018 15:54:59 +0000 Subject: [PATCH] Merge r1840710 from trunk: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes post-handshake authentication. (ssl_init_proxy_certs): Fix proxy client cert support with TLSv1.3, which is now crippled by default. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x@1840711 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_init.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 85d43376b2..b7b2be796c 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -761,6 +761,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); #endif +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL + /* For OpenSSL >=1.1.1, disable auto-retry mode so it's possible + * to consume handshake records without blocking for app-data. + * https://github.com/openssl/openssl/issues/7178 */ + SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); +#endif + return APR_SUCCESS; } @@ -1485,6 +1492,13 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, X509_STORE_CTX *sctx; X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL + /* For OpenSSL >=1.1.1, turn on client cert support which is + * otherwise turned off by default (by design). + * https://github.com/openssl/openssl/issues/6933 */ + SSL_CTX_set_post_handshake_auth(mctx->ssl_ctx, 1); +#endif + SSL_CTX_set_client_cert_cb(mctx->ssl_ctx, ssl_callback_proxy_cert);