diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2018-12-17 17:43:56 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-12-17 17:43:56 +0000 |
| commit | e8785cd30cbfb35a072ddee57a01c458c30e9e80 (patch) | |
| tree | 922f112b93e78a39ce1c491ca10e2858252f2674 /main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch | |
| parent | 1bb10be828a20ae7f1277536b08c7dfa4bcc7fd6 (diff) | |
| download | aports-e8785cd30cbfb35a072ddee57a01c458c30e9e80.tar.bz2 aports-e8785cd30cbfb35a072ddee57a01c458c30e9e80.tar.xz | |
main/perl-net-ssleay: and another patch from fedora
Diffstat (limited to 'main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch')
| -rw-r--r-- | main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch b/main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch new file mode 100644 index 0000000000..452e6e2355 --- /dev/null +++ b/main/perl-net-ssleay/Net-SSLeay-1.85-Expose_SSL_CTX_set_post_handshake_auth.patch @@ -0,0 +1,42 @@ +commit 6a6bcf3d96115a6ef62289838cea418c185d8c88 +Author: Paul Howarth <paul@city-fan.org> +Date: Wed Sep 19 09:38:40 2018 +0100 + + Expose SSL_CTX_set_post_handshake_auth + + TLS 1.3 removed renegotiation in favor of rekeying and post handshake + authentication (PHA). With PHA, a server can request a client certificate from + a client at some point after the handshake. The feature is commonly used by + HTTP servers for conditional and path specific TLS client auth. For example, a + server can decide to require a cert based on HTTP method and/or path. A client + must announce support for PHA during the handshake. + + Apache mod_ssl uses PHA: + https://github.com/apache/httpd/blob/trunk/modules/ssl/ssl_engine_kernel.c#L1207 + + As of OpenSSL ticket https://github.com/openssl/openssl/issues/6933, TLS 1.3 + clients no longer send the PHA TLS extension by default. For on-demand auth, + PHA extension must be enabled with SSL_CTX_set_post_handshake_auth(), + https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html . + + This function is needed for the Apache httpd upstream test suite: + https://bugzilla.redhat.com/show_bug.cgi?id=1630391 . + +diff --git a/SSLeay.xs b/SSLeay.xs +index a4dcb0a..5777ffc 100644 +--- a/SSLeay.xs ++++ b/SSLeay.xs +@@ -7291,4 +7291,13 @@ SSL_export_keying_material(ssl, outlen, label, p) + + #endif + ++#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER) /* OpenSSL 1.1.1 */ ++ ++void ++SSL_CTX_set_post_handshake_auth(s,val) ++ SSL_CTX * s ++ int val ++ ++#endif ++ + #define REM_EOF "/* EOF - SSLeay.xs */" |