Posted to cvs@httpd.apache.org by jo...@apache.org on 2021/06/29 11:24:17 UTC
svn commit: r1891138 - in /httpd/httpd/trunk: modules/ssl/ssl_engine_init.c
test/travis_run_linux.sh
Author: jorton
Date: Tue Jun 29 11:24:17 2021
New Revision: 1891138
URL: http://svn.apache.org/viewvc?rev=1891138&view=rev
Log:
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Fix use of
encrypted private keys with OpenSSL 3.0.
* test/travis_run_linux.sh: For TEST_SSL, test loading encrypted
private keys.
Github: closes #{197}
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/test/travis_run_linux.sh
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1891138&r1=1891137&r2=1891138&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Tue Jun 29 11:24:17 2021
@@ -1378,6 +1378,22 @@ static APR_INLINE int modssl_DH_bits(DH
#endif
}
+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
+ * key was encrypted, or due to a mismatch between an already-loaded
+ * cert and the key - a common misconfiguration - from calling
+ * X509_check_private_key(). This macro is passed the last error code
+ * off the OpenSSL stack and evaluates to true only for the first
+ * case. With OpenSSL < 3 the second case is identifiable by the
+ * function code, but function codes are not used from 3.0. */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
+#else
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
+ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
+#endif
+
static apr_status_t ssl_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
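Review bot: On the OpenSSL 3.0 branch of CHECK_PRIVKEY_ERROR, `ERR_GET_LIB` is written without its argument, so `ERR_GET_LIB != ERR_LIB_X509` compares the function designator itself with the library constant instead of the library code extracted from `ec`; the line should read `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \`. Because the pre-3.0 branch is what most current builds compile, this only surfaces when the 3.0 path is selected, which is exactly the configuration the commit is meant to fix, so a build against 3.0 is needed to confirm that the mismatch cases are really excluded before the code falls back to the passphrase-retrieved key. The macro also evaluates `ec` up to four times; at its single use in the next hunk the argument is `ERR_peek_last_error()`, which does not modify the error queue, so that is harmless today, but a line in the comment block such as `* NOTE: ec is evaluated more than once; pass a side-effect-free expression.` would keep a future caller from passing a consuming call like ERR_get_error(). ssl_init_server_certs begins in this hunk and continues past it.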
@@ -1483,8 +1499,7 @@ static apr_status_t ssl_init_server_cert
}
else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
SSL_FILETYPE_PEM) < 1)
- && (ERR_GET_FUNC(ERR_peek_last_error())
- != X509_F_X509_CHECK_PRIVATE_KEY)) {
+ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
ssl_asn1_t *asn1;
const unsigned char *ptr;
Modified: httpd/httpd/trunk/test/travis_run_linux.sh
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/test/travis_run_linux.sh?rev=1891138&r1=1891137&r2=1891138&view=diff
==============================================================================
--- httpd/httpd/trunk/test/travis_run_linux.sh (original)
+++ httpd/httpd/trunk/test/travis_run_linux.sh Tue Jun 29 11:24:17 2021
@@ -113,7 +113,14 @@ if ! test -v SKIP_TESTING; then
if test -v TEST_SSL -a $RV -eq 0; then
pushd test/perl-framework
+ # Test loading encrypted private keys
+ ./t/TEST -defines "TEST_SSL_DES3_KEY TEST_SSL_PASSPHRASE_EXEC" t/ssl
+ RV=$?
+
+ # Test various session cache backends
for cache in shmcb redis:localhost:6379 memcache:localhost:11211; do
+ test $RV -eq 0 || break
+
SSL_SESSCACHE=$cache ./t/TEST -sslproto TLSv1.2 -defines TEST_SSL_SESSCACHE -start
./t/TEST t/ssl
RV=$?
@@ -129,7 +136,6 @@ if ! test -v SKIP_TESTING; then
if test $RV -eq 0 -a $SRV -ne 0; then
RV=$SRV
fi
- test $RV -eq 0 || break
done
popd
fi