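--- a/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:05:11 1662639
+++ b/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:18:31 1662640
@@ -80,7 +80,8 @@
 
 if (SSL_get_state(ssl) != SSL_ST_OK) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
- "TLS upgrade handshake failed: not accepted by client!?");
+ "TLS upgrade handshake failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
 return APR_ECONNABORTED;
 }
@@ -314,6 +315,16 @@
 int depth, verify_old, verify, n;
 
 if (ssl) {
+ /*
+ * We should have handshaken here (on handshakeserver),
+ * otherwise we are being redirected (ErrorDocument) from
+ * a renegotiation failure below. The access is still
+ * forbidden in the latter case, let ap_die() handle
+ * this recursive (same) error.
+ */
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ return HTTP_FORBIDDEN;
+ }
 ctx = SSL_get_SSL_CTX(ssl);
 }
 
@@ -828,8 +839,8 @@
 
 if (SSL_get_state(ssl) != SSL_ST_OK) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
- "Re-negotiation handshake failed: "
- "Not accepted by client!?");
+ "Re-negotiation handshake failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
 r->connection->keepalive = AP_CONN_CLOSE;
 return HTTP_FORBIDDEN;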
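Review bot: The guard added in the second hunk, `if (SSL_get_state(ssl) != SSL_ST_OK) { return HTTP_FORBIDDEN; }`, denies the request without writing anything to the log, so a 403 produced here cannot be told apart from one produced by an ordinary access rule. On the ErrorDocument path the comment describes, the failure was presumably already logged by the renegotiation branch in the third hunk, but any other way of reaching this point with an unfinished handshake would leave no trace. A debug-level line before the return, for example `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "access denied: SSL handshake not in OK state");`, keeps the fail-closed behaviour and makes it diagnosable. The enclosing function starts and ends outside the hunk, so whether its other exits log is not visible here.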