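--- a/contrib/mod_tls.c
+++ b/contrib/mod_tls.c
@@ -3962,6 +3962,7 @@ static int tls_verify_cb(int ok, X509_STORE_CTX *ctx) {
  case X509_V_ERR_CERT_HAS_EXPIRED:
  case X509_V_ERR_CERT_REVOKED:
  case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
  case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
  case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
  case X509_V_ERR_APPLICATION_VERIFICATION:
@@ -3986,17 +3987,6 @@ static int tls_verify_cb(int ok, X509_STORE_CTX *ctx) {
  break;
  }
 
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- /* XXX this is strange. we get this error for certain clients
- * (i.e. Jeff Altman's kftp) when all is ok. I think it's because the
- * client is actually sending the whole CA cert. This must be figured
- * out, but we let it pass for now. If the CA cert isn't available
- * locally, we will fail anyway.
- */
- tls_log("%s", X509_verify_cert_error_string(ctx->error));
- ok = 1;
- break;
-
  default:
  tls_log("error verifying client certificate: [%d] %s",
  ctx->error, X509_verify_cert_error_string(ctx->error));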
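Review bot: The added `case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:` label in the first hunk carries no comment, while the branch it replaces documented why the error was let through with `ok = 1`; a reader of the new code cannot tell that the error is now deliberately fatal. I would add above the new label `/* An untrusted self-signed cert in the client's chain is a verification failure; never override ok for it. */`. The body shared by this group of labels lies outside both hunks, so the assumption that it logs the error and leaves `ok` at 0 should be confirmed there. A client that sends its full chain including the root should presumably still verify when that root is in the configured CA store, so a regression test with one trusted and one untrusted root would pin both outcomes.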