httpd-cvs mailing list archives
From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: cvs commit: httpd-2.0/modules/ssl ssl_engine_init.c
Date Wed, 10 Nov 2004 11:54:48 GMT

Excellent - thank you - this has bitten me so many times !

Dw.

On Wed, 10 Nov 2004 jorton@apache.org wrote:

> jorton      2004/11/10 03:49:38
>
>   Modified:    modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_init.c
>   Log:
>   Backport from HEAD:
>
>   * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
>   (rather than segfault later) if a client cert is configured which is
>   missing either the certificate or private key.
>
>   PR: 24030
>   Reviewed by: jorton, minfrin, jerenkrantz, wrowe
>
>   Revision  Changes    Path
>   No                   revision
>   No                   revision
>   1.106.2.15 +24 -10    httpd-2.0/modules/ssl/ssl_engine_init.c
>
>   Index: ssl_engine_init.c
>   ===================================================================
>   RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
>   retrieving revision 1.106.2.14
>   retrieving revision 1.106.2.15
>   diff -d -w -u -r1.106.2.14 -r1.106.2.15
>   --- ssl_engine_init.c	10 Nov 2004 11:42:05 -0000	1.106.2.14
>   +++ ssl_engine_init.c	10 Nov 2004 11:49:37 -0000	1.106.2.15
>   @@ -892,7 +892,7 @@
>                                     apr_pool_t *ptemp,
>                                     modssl_ctx_t *mctx)
>    {
>   -    int ncerts = 0;
>   +    int n, ncerts = 0;
>        STACK_OF(X509_INFO) *sk;
>        modssl_pk_proxy_t *pkp = mctx->pkp;
>
>   @@ -913,18 +913,32 @@
>            SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
>        }
>
>   -    if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
>   -        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
>   -                     "loaded %d client certs for SSL proxy",
>   -                     ncerts);
>   -
>   -        pkp->certs = sk;
>   -    }
>   -    else {
>   +    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
>   +        sk_X509_INFO_free(sk);
>            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
>                         "no client certs found for SSL proxy");
>   +        return;
>   +    }
>   +
>   +    /* Check that all client certs have got certificates and private
>   +     * keys. */
>   +    for (n = 0; n < ncerts; n++) {
>   +        X509_INFO *inf = sk_X509_INFO_value(sk, n);
>   +
>   +        if (!inf->x509 || !inf->x_pkey) {
>            sk_X509_INFO_free(sk);
>   +            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
>   +                         "incomplete client cert configured for SSL proxy "
>   +                         "(missing or encrypted private key?)");
>   +            ssl_die();
>   +            return;
>        }
>   +    }
>   +
>   +    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
>   +                 "loaded %d client certs for SSL proxy",
>   +                 ncerts);
>   +    pkp->certs = sk;
>    }
>
>    static void ssl_init_proxy_ctx(server_rec *s,
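Review bot: the indentation of the two unchanged context lines `sk_X509_INFO_free(sk);` and the closing `}` inside the new `for` loop looks wrong at the old depth, but the diff was generated with `-w` (see the `diff -d -w -u` line above), so whitespace-only changes are hidden; please confirm the committed file actually re-indents those lines to the new block, since the loop body otherwise reads as if the free happened outside the `if`. Second, the `return;` directly after `ssl_die();` is either dead code (if `ssl_die()` never returns) or leaves the caller with `pkp->certs` still unset while the stack has already been freed; a one-line comment stating that `ssl_die()` does not return, or dropping the `return;`, would make the intent clear. The early-fail itself is the right fix for PR 24030: checking `inf->x509` and `inf->x_pkey` at init time turns a later NULL dereference into a startup error with a useful message.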
>
