* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for

missing decrypted private keys, and ensure that the keypair matches. PR: 52212 Submitted by: Keith Burdis <keith burdis.org>, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1374214 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2012-08-17 11:59:45 +00:00
parent ade526518d
commit f30dd27771
2 changed files with 16 additions and 1 deletions
--- a/4
+++ b/4
@@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.0

+  *) mod_ssl: Catch missing or mismatched client cert/key pairs with
+     SSLProxyCACertificateFile/Path directives.  PR 52212.  
+     [Keith Burdis <keith burdis.org>, Joe Orton]
+
  *) mod_lua: Allow scripts handled by the lua-script handler to return 
     a status code to the client (such as a 302 or a 500) [Daniel Gruno]

--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1381,7 +1381,7 @@ static void ssl_init_proxy_certs(server_rec *s,
    for (n = 0; n < ncerts; n++) {
        X509_INFO *inf = sk_X509_INFO_value(sk, n);

-        if (!inf->x509 || !inf->x_pkey) {
+        if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
            sk_X509_INFO_free(sk);
            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
                         "incomplete client cert configured for SSL proxy "
@@ -1389,6 +1389,15 @@ static void ssl_init_proxy_certs(server_rec *s,
            ssl_die(s);
            return;
        }
+        
+        if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+            ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
+                           APLOGNO(02326) "proxy client certificate and "
+                           "private key do not match");
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+            ssl_die(s);
+            return;
+        }
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
@@ -1412,6 +1421,8 @@ static void ssl_init_proxy_certs(server_rec *s,
        ssl_die(s);
    }

+    /* ### Why is all the following done?  Why is it necessary or
+     * useful for the server to try to verify its own client cert? */
    X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);

    for (n = 0; n < ncerts; n++) {