Posted to cvs@httpd.apache.org by mi...@apache.org on 2013/04/28 00:18:15 UTC
svn commit: r1476685 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS
modules/ssl/ssl_engine_init.c
Author: minfrin
Date: Sat Apr 27 22:18:02 2013
New Revision: 1476685
URL: http://svn.apache.org/r1476685
Log:
mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
(check at startup, to prevent segfaults at proxy request time)
trunk patches: https://svn.apache.org/r1374214
https://svn.apache.org/r1374216
https://svn.apache.org/r1375445
https://svn.apache.org/r1467593
2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch
Submitted by: kbrand
Reviewed by: jorton, minfrin
Modified:
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1476685&r1=1476684&r2=1476685&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sat Apr 27 22:18:02 2013
@@ -22,6 +22,10 @@ Changes with Apache 2.4.5
*) mod_log_config: Fix crash when logging request end time for a failed
request. PR 54828 [Rainer Jung]
+ *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
+ with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
+ [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
+
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1476685&r1=1476684&r2=1476685&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sat Apr 27 22:18:02 2013
@@ -90,16 +90,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
- with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
- (check at startup, to prevent segfaults at proxy request time)
- trunk patches: https://svn.apache.org/r1374214
- https://svn.apache.org/r1374216
- https://svn.apache.org/r1375445
- https://svn.apache.org/r1467593
- 2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch
- 2.2.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.2.x.patch
- +1: kbrand, jorton, minfrin
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1476685&r1=1476684&r2=1476685&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Sat Apr 27 22:18:02 2013
@@ -1354,7 +1354,8 @@ static void ssl_init_proxy_certs(server_
for (n = 0; n < ncerts; n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n);
- if (!inf->x509 || !inf->x_pkey) {
+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
+ inf->enc_data) {
sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
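Review bot: The widened condition on `!inf->x_pkey->dec_pkey || inf->enc_data` reports a passphrase-protected key with the same "incomplete client cert" message as a missing cert or key, so an administrator whose SSLProxyMachineCertificateFile entry simply carries an encrypted PEM key is not told why startup failed. Since `enc_data` is the distinguishing signal, a separate branch on it with its own message, e.g. `"encrypted private key configured for SSL proxy; SSLProxyMachineCertificateFile keys must be stored unencrypted"`, would make the failure actionable without changing the check itself. The ap_log_error call and the enclosing ssl_init_proxy_certs function continue past the end of this hunk.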
@@ -1362,6 +1363,15 @@ static void ssl_init_proxy_certs(server_
ssl_die(s);
return;
}
+
+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
+ APLOGNO(02326) "proxy client certificate and "
+ "private key do not match");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ return;
+ }
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
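Review bot: The new X509_check_private_key branch does not release `sk` before `ssl_die(s)`, whereas the incomplete-cert branch immediately above frees it with `sk_X509_INFO_free(sk)` before dying. If ssl_die terminates the process the difference is harmless, but the trailing `return;` is written as though the call can come back, and in that case the stack structure leaks on the mismatch path only; for consistency add `sk_X509_INFO_free(sk);` after the two log calls and before `ssl_die(s)` (after, not before, so that `inf->x509` passed to ssl_log_xerror is not read from a released stack, should the free ever be changed to release the elements too). The two log calls also use different levels (`APLOG_STARTUP` for the xerror line, `APLOG_ERR` for the queued OpenSSL errors); worth aligning unless the split is intentional. ssl_init_proxy_certs starts before this hunk and continues after it.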
@@ -1374,7 +1384,11 @@ static void ssl_init_proxy_certs(server_
return;
}
- /* Load all of the CA certs and construct a chain */
+ /* If SSLProxyMachineCertificateChainFile is configured, load all
+ * the CA certs and have OpenSSL attempt to construct a full chain
+ * from each configured end-entity cert up to a root. This will
+ * allow selection of the correct cert given a list of root CA
+ * names in the certificate request from the server. */
pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
sctx = X509_STORE_CTX_new();