Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/03/13 13:39:34 UTC
svn commit: r1577137 - in /httpd/httpd/branches/2.4.x: ./ modules/ssl/ssl_engine_init.c
Author: jim
Date: Thu Mar 13 12:39:33 2014
New Revision: 1577137
URL: http://svn.apache.org/r1577137
Log:
Merge r1576741 from trunk:
A bug in some older versions of OpenSSL will cause a crash
in SSL_get_certificate for servers where the certificate hasn't
been sent.
Work around by setting the ssl structure to client mode which
bypasses the faulty code in OpenSSL. Normally setting a server
ssl structure to client mode would cause problems later on,
but we are freeing the structure immediately without attempting
to use it.
Submitted by: drh
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1576741
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1577137&r1=1577136&r2=1577137&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Thu Mar 13 12:39:33 2014
@@ -956,8 +956,13 @@ static apr_status_t ssl_init_server_cert
*/
if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) {
#else
- if (!(ssl = SSL_new(mctx->ssl_ctx)) ||
- !(cert = SSL_get_certificate(ssl))) {
+ ssl = SSL_new(mctx->ssl_ctx);
+ if (ssl) {
+ /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */
+ SSL_set_connect_state(ssl);
+ cert = SSL_get_certificate(ssl);
+ }
+ if (!ssl || !cert) {
#endif
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566)
"Unable to retrieve certificate %s", key_id);
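Review bot: The comment above SSL_set_connect_state(ssl) names only OpenSSL 0.9.8y and leaves out the condition that makes the call safe, while the log message speaks of "some older versions of OpenSSL" and explains that the structure is freed immediately without being used. Please carry that into the code comment, for example "ssl is put in client mode only to avoid the crash in SSL_get_certificate; it must be freed without being used for a handshake", so that a later change which keeps ssl alive past this block does not inherit a server object in connect state. The workaround also runs for every build that takes the #else branch, not just the affected releases; if that is intentional because the call is harmless on a throwaway object, say so in the comment, otherwise consider a version guard. The combined test "if (!ssl || !cert)" is fine as written, since cert is not read when SSL_new fails, but both failures still log the same "Unable to retrieve certificate" message, so an allocation failure in SSL_new is indistinguishable from a missing certificate in the error log.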