httpd-cvs mailing list archives

From d..@apache.org
Subject svn commit: r1576741 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Date Wed, 12 Mar 2014 13:52:27 GMT
Author: drh
Date: Wed Mar 12 13:52:26 2014
New Revision: 1576741

URL: http://svn.apache.org/r1576741
Log:
A bug in some older versions of OpenSSL will cause a crash
in SSL_get_certificate for servers where the certificate hasn't
been sent.

Workaround by setting the ssl structure to client mode which
bypasses the faulty code in OpenSSL. Normally setting a server
ssl structure to client mode would cause problems later on,
but we are freeing the structure immediately without attempting
to use it.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1576741&r1=1576740&r2=1576741&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Wed Mar 12 13:52:26 2014
@@ -964,8 +964,13 @@ static apr_status_t ssl_init_server_cert
          */
         if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) {
 #else
-        if (!(ssl = SSL_new(mctx->ssl_ctx)) ||
-            !(cert = SSL_get_certificate(ssl))) {
+        ssl = SSL_new(mctx->ssl_ctx);
+	if (ssl) {
+            /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */
+            SSL_set_connect_state(ssl);
+            cert = SSL_get_certificate(ssl);
+        }
+        if (!ssl || !cert) {
 #endif
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566)
                          "Unable to retrieve certificate %s", key_id);
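Review bot: the inline comment on the SSL_set_connect_state() call should carry the safety argument from the log message, namely that this SSL structure is freed right after SSL_get_certificate() and never used for a handshake, because a server-side SSL object put into connect state is only safe under that condition and a later change that reuses `ssl` would not be warned by "Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y" alone; also, the log says "some older versions" while the comment names only 0.9.8y, so one of the two should be aligned. Style: the `if (ssl) {` line is indented with a tab while every surrounding line in this hunk uses spaces.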


