41a6c3
--- a/modules/ssl/ssl_engine_kernel.c  2015/02/27 06:05:11 1662639
41a6c3
+++ b/modules/ssl/ssl_engine_kernel.c  2015/02/27 06:18:31 1662640
41a6c3
@@ -80,7 +80,8 @@
41a6c3
 
41a6c3
     if (SSL_get_state(ssl) != SSL_ST_OK) {
41a6c3
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
41a6c3
-                      "TLS upgrade handshake failed: not accepted by client!?");
41a6c3
+                      "TLS upgrade handshake failed");
41a6c3
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
41a6c3
 
41a6c3
         return APR_ECONNABORTED;
41a6c3
     }
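Review bot: The added `ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);` is given only the server, so the OpenSSL error detail it writes will presumably lack the client and request context that the `ap_log_rerror()` entry above it carries. On a busy server the two entries can be separated by other traffic, which makes a failed upgrade hard to attribute during triage. The same pairing is added in the re-negotiation hunk at -828. I would add a comment at both sites, e.g. `/* OpenSSL error detail is logged per server; correlate with the request-scoped entry above */`. Both failures can be triggered by a remote peer and now produce extra APLOG_ERR entries, so confirm the added log volume is acceptable; the enclosing function starts and ends outside the hunk.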
41a6c3
@@ -314,6 +315,16 @@
41a6c3
     int depth, verify_old, verify, n;
41a6c3
 
41a6c3
     if (ssl) {
41a6c3
+        /*
41a6c3
+         * We should have handshaken here (on handshakeserver),
41a6c3
+         * otherwise we are being redirected (ErrorDocument) from
41a6c3
+         * a renegotiation failure below. The access is still 
41a6c3
+         * forbidden in the latter case, let ap_die() handle
41a6c3
+         * this recursive (same) error.
41a6c3
+         */
41a6c3
+        if (SSL_get_state(ssl) != SSL_ST_OK) {
41a6c3
+            return HTTP_FORBIDDEN;
41a6c3
+        }
41a6c3
         ctx = SSL_get_SSL_CTX(ssl);
41a6c3
     }
41a6c3
 
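Review bot: The new early `return HTTP_FORBIDDEN;` under `if (SSL_get_state(ssl) != SSL_ST_OK)` denies access without writing any log entry, so a 403 from this path cannot be told apart from an ordinary policy denial in the logs. The comment assumes the only way to get here with an incomplete handshake is the ErrorDocument redirect after a failed renegotiation; if another path reaches it, the denial still holds but is silent. A debug-level line before the return would cover both cases, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "TLS handshake not complete, denying access");`, assuming the request is in scope as `r` as in the other hunks. The enclosing function starts and ends outside the hunk.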
41a6c3
@@ -828,8 +839,8 @@
41a6c3
 
41a6c3
             if (SSL_get_state(ssl) != SSL_ST_OK) {
41a6c3
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
41a6c3
-                              "Re-negotiation handshake failed: "
41a6c3
-                              "Not accepted by client!?");
41a6c3
+                              "Re-negotiation handshake failed");
41a6c3
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
41a6c3
 
41a6c3
                 r->connection->keepalive = AP_CONN_CLOSE;
41a6c3
                 return HTTP_FORBIDDEN;