Posted to cvs@httpd.apache.org by rj...@apache.org on 2018/10/18 10:03:52 UTC

svn commit: r1844223 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS modules/ssl/ssl_engine_kernel.c

Author: rjung
Date: Thu Oct 18 10:03:52 2018
New Revision: 1844223

URL: http://svn.apache.org/viewvc?rev=1844223&view=rev
Log:
mod_ssl: We need to get the SSL_CTX for further processing
down below.

This fixes a crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased).

Backport of r1828793 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1844223&r1=1844222&r2=1844223&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Oct 18 10:03:52 2018
@@ -3,6 +3,11 @@ Changes with Apache 2.4.37
 
   *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
 
+  *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
+     when client certificates are available from the original handshake
+     but were originally not verified and should get verified now.
+     This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
+
 Changes with Apache 2.4.36
 
   *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
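Review bot: The attribution in the new CHANGES entry does not match the log header: the entry credits [Ruediger Pluem], while the commit says "Submitted by: rjung" and "Reviewed by: rjung, rpluem, jorton". If rpluem authored the original trunk fix (r1828793) and this commit is only the backport, that is fine, but say so in the log so the two records agree. The "(unreleased)" qualifier on 2.4.36, placed under "Changes with Apache 2.4.37", is correct only as long as 2.4.36 never ships; reword it if that changes.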

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1844223&r1=1844222&r2=1844223&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Oct 18 10:03:52 2018
@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: We need to get the SSL_CTX for further processing down below.
-     trunk patch: http://svn.apache.org/r1828793
-     2.4.x patch: svn merge -c 1828793 ^/httpd/httpd/trunk .
-     +1: rjung, rpluem, jorton
-
   *) mod_ssl: Correctly merge configurations that have client certificates set
    by SSLProxyMachineCertificate{File|Path}.
    The certificates and keys loaded during configuration time got lost during
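Review bot: Nothing to change in the STATUS removal: the dropped entry's votes (+1: rjung, rpluem, jorton) match the log's "Reviewed by" line, and the merged revision r1828793 matches "Backport of r1828793 from trunk", so the bookkeeping is consistent with the merge.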

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1844223&r1=1844222&r2=1844223&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Thu Oct 18 10:03:52 2018
@@ -485,7 +485,7 @@ static int ssl_hook_Access_classic(reque
 {
     server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
     SSLSrvConfigRec *hssc       = handshakeserver? mySrvConfig(handshakeserver) : NULL;
-    SSL_CTX *ctx = NULL;
+    SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL;
     BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
     X509 *peercert;
     X509_STORE *cert_store = NULL;
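Review bot: The changed line still leaves ctx NULL when ssl is NULL, so every later use of ctx in ssl_hook_Access_classic must either be guarded or sit behind an early return for the ssl/sslconn == NULL case; the old `SSL_CTX *ctx = NULL;` presumably crashed because code "further down" (per the log) dereferenced it, and that same path remains reachable for a NULL ssl unless it is guarded. Also note that SSL_get_SSL_CTX() returns whatever context the SSL object is bound to at the time of the call, which is not necessarily the context handshakeserver/hssc was derived from; confirm that the certificate store and verify settings fetched below (cert_store is still initialized to NULL here) are meant to come from the SSL object's current context rather than from hssc.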