You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/03/25 08:22:15 UTC
[Bug 64262] New: Unsafe error handling: when using OpenSSL API
https://bz.apache.org/bugzilla/show_bug.cgi?id=64262
Bug ID: 64262
Summary: Unsafe error handling: when using OpenSSL API
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: summerlinasity@gmail.com
Target Milestone: ---
There is a potential bug in modules/ssl/ssl_engine_init.c:1715-1727.
According to OpenSSL API document, "X509_STORE_CTX_get1_chain() returns a
complete validate chain if a previous call to X509_verify_cert() is successful.
If the call to X509_verify_cert() is not successful the returned chain may be
incomplete or invalid. "
So it's unsafe to just log the error and execute the
'X509_STORE_CTX_get1_chain' when (X509_verify_cert(sctx) != 1.
1715: if (X509_verify_cert(sctx) != 1) {
int err = X509_STORE_CTX_get_error(sctx);
ssl_log_xerror(SSLLOG_MARK, APLOG_WARNING, 0, ptemp, s, inf->x509,
APLOGNO(02270) "SSL proxy client cert chain "
"verification failed: %s :",
X509_verify_cert_error_string(err));
}
/* Clear X509_verify_cert errors */
ERR_clear_error();
/* Obtain a copy of the verified chain */
chain = X509_STORE_CTX_get1_chain(sctx);
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org