www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for

Browse Source 
missing decrypted private keys, and ensure that the keypair matches.

PR: 52212
Submitted by: Keith Burdis <keith burdis.org>, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1374214 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Joe Orton
2012-08-17 11:59:45 +00:00
parent ade526518d
commit f30dd27771
2 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@@ -1,6 +1,10 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) mod_ssl: Catch missing or mismatched client cert/key pairs with
SSLProxyCACertificateFile/Path directives. PR 52212.
[Keith Burdis <keith burdis.org>, Joe Orton]
*) mod_lua: Allow scripts handled by the lua-script handler to return *) mod_lua: Allow scripts handled by the lua-script handler to return
a status code to the client (such as a 302 or a 500) [Daniel Gruno] a status code to the client (such as a 302 or a 500) [Daniel Gruno]

13
modules/ssl/ssl_engine_init.c
View File

@@ -1381,7 +1381,7 @@ static void ssl_init_proxy_certs(server_rec *s,
for (n = 0; n < ncerts; n++) { for (n = 0; n < ncerts; n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n); X509_INFO *inf = sk_X509_INFO_value(sk, n);
if (!inf->x509 || !inf->x_pkey) { if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
sk_X509_INFO_free(sk); sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy " "incomplete client cert configured for SSL proxy "
@@ -1389,6 +1389,15 @@ static void ssl_init_proxy_certs(server_rec *s,
ssl_die(s); ssl_die(s);
return; return;
} }
if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
APLOGNO(02326) "proxy client certificate and "
"private key do not match");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
ssl_die(s);
return;
}
} }
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
@@ -1412,6 +1421,8 @@ static void ssl_init_proxy_certs(server_rec *s,
ssl_die(s); ssl_die(s);
} }
/* ### Why is all the following done? Why is it necessary or
* useful for the server to try to verify its own client cert? */
X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
for (n = 0; n < ncerts; n++) { for (n = 0; n < ncerts; n++) {