
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
  encrypted private keys with OpenSSL 3.0.

* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
  private keys.

Github: closes #{197}


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891138 13f79535-47bb-0310-9956-ffa450edef68
Joe Orton
2021-06-29 11:24:17 +00:00
parent 3602bd591f
commit 1fa837533c
2 changed files with 24 additions and 3 deletions


@@ -1378,6 +1378,22 @@ static APR_INLINE int modssl_DH_bits(DH *dh)
#endif #endif
} }
/* SSL_CTX_use_PrivateKey_file() can fail either because the private
* key was encrypted, or due to a mismatch between an already-loaded
* cert and the key - a common misconfiguration - from calling
* X509_check_private_key(). This macro is passed the last error code
* off the OpenSSL stack and evaluates to true only for the first
* case. With OpenSSL < 3 the second case is identifiable by the
* function code, but function codes are not used from 3.0. */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
#else
#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
|| (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
&& ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
&& ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
#endif
static apr_status_t ssl_init_server_certs(server_rec *s, static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p, apr_pool_t *p,
apr_pool_t *ptemp, apr_pool_t *ptemp,
@@ -1483,8 +1499,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
} }
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1) SSL_FILETYPE_PEM) < 1)
&& (ERR_GET_FUNC(ERR_peek_last_error()) && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
!= X509_F_X509_CHECK_PRIVATE_KEY)) {
ssl_asn1_t *asn1; ssl_asn1_t *asn1;
const unsigned char *ptr; const unsigned char *ptr;
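Review bot: The OpenSSL 3.0 branch of CHECK_PRIVKEY_ERROR never applies its argument to ERR_GET_LIB — the first clause reads `ERR_GET_LIB != ERR_LIB_X509` where the second hunk's call site and the comment above clearly intend `ERR_GET_LIB(ec) != ERR_LIB_X509`. In 3.0 ERR_GET_LIB is an inline function rather than a macro, so the bare name is a function designator compared against an int; that is a diagnostic at best, and if it does compile the non-null address never equals ERR_LIB_X509, so the macro is always true and every SSL_CTX_use_PrivateKey_file() failure, including the cert/key mismatch the comment tries to exclude, is treated as an encrypted key and falls into the passphrase path. The fix is the one-line change `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \`. Since the macro expands `ec` up to four times (four ERR_peek_last_error() calls at the call site), a `static int` helper taking `unsigned long ec` would evaluate it once and get the argument type-checked, catching exactly this kind of slip. ssl_init_server_certs begins at the end of the first hunk and its body continues outside both hunks.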


@@ -113,7 +113,14 @@ if ! test -v SKIP_TESTING; then
if test -v TEST_SSL -a $RV -eq 0; then if test -v TEST_SSL -a $RV -eq 0; then
pushd test/perl-framework pushd test/perl-framework
# Test loading encrypted private keys
./t/TEST -defines "TEST_SSL_DES3_KEY TEST_SSL_PASSPHRASE_EXEC" t/ssl
RV=$?
# Test various session cache backends
for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do
test $RV -eq 0 || break
SSL_SESSCACHE=$cache ./t/TEST -sslproto TLSv1.2 -defines TEST_SSL_SESSCACHE -start SSL_SESSCACHE=$cache ./t/TEST -sslproto TLSv1.2 -defines TEST_SSL_SESSCACHE -start
./t/TEST t/ssl ./t/TEST t/ssl
RV=$? RV=$?
@@ -129,7 +136,6 @@ if ! test -v SKIP_TESTING; then
if test $RV -eq 0 -a $SRV -ne 0; then if test $RV -eq 0 -a $SRV -ne 0; then
RV=$SRV RV=$SRV
fi fi
test $RV -eq 0 || break
done done
popd popd
fi fi