|
 |
8335b1 |
--- a/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:05:11 1662639
|
|
|
8335b1 |
+++ b/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:18:31 1662640
|
|
|
8335b1 |
@@ -80,7 +80,8 @@
|
|
|
8335b1 |
|
|
|
8335b1 |
if (SSL_get_state(ssl) != SSL_ST_OK) {
|
|
|
8335b1 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
|
|
|
8335b1 |
- "TLS upgrade handshake failed: not accepted by client!?");
|
|
|
8335b1 |
+ "TLS upgrade handshake failed");
|
|
|
8335b1 |
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
|
|
|
8335b1 |
|
|
|
8335b1 |
return APR_ECONNABORTED;
|
|
|
8335b1 |
}
|
|
|
8335b1 |
@@ -314,6 +315,16 @@
|
|
|
8335b1 |
int depth, verify_old, verify, n;
|
|
|
8335b1 |
|
|
|
8335b1 |
if (ssl) {
|
|
|
8335b1 |
+ /*
|
|
|
8335b1 |
+ * We should have handshaken here (on handshakeserver),
|
|
|
8335b1 |
+ * otherwise we are being redirected (ErrorDocument) from
|
|
|
8335b1 |
+ * a renegotiation failure below. The access is still
|
|
|
8335b1 |
+ * forbidden in the latter case, let ap_die() handle
|
|
|
8335b1 |
+ * this recursive (same) error.
|
|
|
8335b1 |
+ */
|
|
|
8335b1 |
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
|
|
|
8335b1 |
+ return HTTP_FORBIDDEN;
|
|
|
8335b1 |
+ }
|
|
|
8335b1 |
ctx = SSL_get_SSL_CTX(ssl);
|
|
|
8335b1 |
}
|
|
|
8335b1 |
|
|
|
8335b1 |
@@ -828,8 +839,8 @@
|
|
|
8335b1 |
|
|
|
8335b1 |
if (SSL_get_state(ssl) != SSL_ST_OK) {
|
|
|
8335b1 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
|
|
|
8335b1 |
- "Re-negotiation handshake failed: "
|
|
|
8335b1 |
- "Not accepted by client!?");
|
|
|
8335b1 |
+ "Re-negotiation handshake failed");
|
|
|
8335b1 |
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
|
|
|
8335b1 |
|
|
|
8335b1 |
r->connection->keepalive = AP_CONN_CLOSE;
|
|
|
8335b1 |
return HTTP_FORBIDDEN;
|