components/proftpd/patches/mod_tls_self_signed.patch
changeset 764 1927dad105b7
763:45da4d38492e 764:1927dad105b7
       
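--- a/contrib/mod_tls.c
+++ b/contrib/mod_tls.c
@@ -3962,6 +3962,7 @@ static int tls_verify_cb(int ok, X509_STORE_CTX *ctx) {
       case X509_V_ERR_CERT_HAS_EXPIRED:
       case X509_V_ERR_CERT_REVOKED:
       case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
       case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
       case X509_V_ERR_APPLICATION_VERIFICATION:
@@ -3986,17 +3987,6 @@ static int tls_verify_cb(int ok, X509_STORE_CTX *ctx) {
         break;
       }
 
-      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-        /* XXX this is strange. we get this error for certain clients
-         * (i.e. Jeff Altman's kftp) when all is ok. I think it's because the
-         * client is actually sending the whole CA cert. This must be figured
-         * out, but we let it pass for now. If the CA cert isn't available
-         * locally, we will fail anyway.
-         */
-        tls_log("%s", X509_verify_cert_error_string(ctx->error));
-        ok = 1;
-        break;
-
       default:
         tls_log("error verifying client certificate: [%d] %s",
           ctx->error, X509_verify_cert_error_string(ctx->error));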
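Review bot: The new `case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:` label in tls_verify_cb has no comment, while the branch it replaces documented why the error was let through with `ok = 1` for clients that send the whole CA chain. The reason for now rejecting it should be recorded at the label, for example `/* self-signed root supplied by the peer but not in our trust store: treat as untrusted */`. The body shared by this case group lies outside the hunk, so confirm that it sets `ok = 0` and logs the error, since otherwise the move would change only the log text. Clients that relied on the old pass-through will presumably fail verification unless their root CA is configured locally, which is worth stating in a description for this patch.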