www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of

Browse Source 
encrypted private keys with OpenSSL 3.0.

* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
  private keys.

Github: closes #{197}


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891138 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2021-06-29 11:24:17 +00:00
parent 3602bd591f
commit 1fa837533c
2 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
modules/ssl/ssl_engine_init.c
View File

@@ -1378,6 +1378,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh)
#endif
}
/* SSL_CTX_use_PrivateKey_file() can fail either because the private
* key was encrypted, or due to a mismatch between an already-loaded
* cert and the key - a common misconfiguration - from calling
* X509_check_private_key(). This macro is passed the last error code
* off the OpenSSL stack and evaluates to true only for the first
* case. With OpenSSL < 3 the second case is identifiable by the
* function code, but function codes are not used from 3.0. */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
#else
#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
|| (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
&& ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
&& ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
#endif
static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -1483,8 +1499,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
}
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1)
&& (ERR_GET_FUNC(ERR_peek_last_error())
!= X509_F_X509_CHECK_PRIVATE_KEY)) {
&& CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
ssl_asn1_t *asn1;
const unsigned char *ptr;