httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r1497096 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_init.c
Date Wed, 26 Jun 2013 21:07:06 GMT
Author: wrowe
Date: Wed Jun 26 21:07:06 2013
New Revision: 1497096

URL: http://svn.apache.org/r1497096
Log:
mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives.
(check at startup, to prevent segfaults at proxy request time)

PR: 52212, 54698
Backports: r1374214, r1374216, r1375445, r1467593
Submitted by: Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand
Reviewed by: kbrand, minfrin, wrowe


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1497096&r1=1497095&r2=1497096&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jun 26 21:07:06 2013
@@ -12,6 +12,9 @@ Changes with Apache 2.2.25
   *) htdigest: Fix buffer overflow when reading digest password file
      with very long lines. PR 54893. [Rainer Jung]
 
+  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
+     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
+     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
 
 Changes with Apache 2.2.24
 

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1497096&r1=1497095&r2=1497096&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Wed Jun 26 21:07:06 2013
@@ -114,17 +114,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
   
-  * mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
-    with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
-    (check at startup, to prevent segfaults at proxy request time)
-    trunk patches: https://svn.apache.org/r1374214
-                   https://svn.apache.org/r1374216
-                   https://svn.apache.org/r1375445
-                   https://svn.apache.org/r1467593
-    2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch
-    2.2.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.2.x.patch
-    +1: kbrand, minfrin, wrowe
-
   * mod_cache: Fix uninitialized tmppath variable. PR 54949
     trunk patch: Variable removed from trunk in http://svn.apache.org/r1407381
     2.2.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-tmppath.patch

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=1497096&r1=1497095&r2=1497096&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c Wed Jun 26 21:07:06 2013
@@ -1051,7 +1051,8 @@ static void ssl_init_proxy_certs(server_
     for (n = 0; n < ncerts; n++) {
         X509_INFO *inf = sk_X509_INFO_value(sk, n);
 
-        if (!inf->x509 || !inf->x_pkey) {
+        if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
+            inf->enc_data) {
             sk_X509_INFO_free(sk);
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                          "incomplete client cert configured for SSL proxy "
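Review bot: the widened condition in this hunk collapses four distinct failures (no certificate, no key object, key not decrypted, `inf->enc_data` set for an encrypted PEM block) into the single "incomplete client cert configured for SSL proxy" message, so an administrator who put a passphrase-protected key into SSLProxyMachineCertificateFile gets no hint that the encryption is the problem, even though the commit log calls that case out. Consider splitting `!inf->x_pkey->dec_pkey || inf->enc_data` into its own branch with a message stating that encrypted private keys are not supported for this directive, so the startup failure is actionable.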
@@ -1059,6 +1060,15 @@ static void ssl_init_proxy_certs(server_
             ssl_die();
             return;
         }
+        
+        if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                           "proxy client certificate and "
+                           "private key do not match");
+            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+            ssl_die();
+            return;
+        }
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
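Review bot: the new X509_check_private_key() error path logs and calls ssl_die() without first releasing `sk`, whereas the preceding error path in the same loop does `sk_X509_INFO_free(sk);` before logging; for consistency (and in case ssl_die() ever stops being fatal) add the same free before ssl_die(). Two style points in the same block: the added blank line carries trailing whitespace, and the string continuation lines `"proxy client certificate and "` / `"private key do not match"` are indented one level deeper than the ap_log_error() arguments just above them.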
@@ -1070,7 +1080,11 @@ static void ssl_init_proxy_certs(server_
         return;
     }
 
-    /* Load all of the CA certs and construct a chain */
+    /* If SSLProxyMachineCertificateChainFile is configured, load all
+     * the CA certs and have OpenSSL attempt to construct a full chain
+     * from each configured end-entity cert up to a root.  This will
+     * allow selection of the correct cert given a list of root CA
+     * names in the certificate request from the server.  */
     pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
     sctx = X509_STORE_CTX_new();
 
