You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/05/07 14:51:38 UTC

svn commit: r1593001 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/ssl/ssl_engine_kernel.c

Author: jim
Date: Wed May  7 12:51:38 2014
New Revision: 1593001

URL: http://svn.apache.org/r1593001
Log:
Merge r1588851 from trunk:

ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the
one actually used for the connection before calling SSL_get_privatekey(ssl)

Submitted by: kbrand
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1588851

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1593001&r1=1593000&r2=1593001&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May  7 12:51:38 2014
@@ -100,12 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: set the current cert in ssl_callback_TmpDH before calling
-     SSL_get_privatekey(ssl)
-     trunk patch: https://svn.apache.org/r1588851
-     2.4.x patch: trunk patch works
-     +1: kbrand, ylavic, jim
-
    * mod_ssl: make SSL stapling init more robust for certs w/o responder URI
      trunk patch: https://svn.apache.org/r1588853
      2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1593001&r1=1593000&r2=1593001&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Wed May  7 12:51:38 2014
@@ -1331,8 +1331,19 @@ make_get_dh(rfc3526, 4096, 2)
 DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-    EVP_PKEY *pkey = SSL_get_privatekey(ssl);
-    int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+    EVP_PKEY *pkey;
+    int type;
+
+#ifdef SSL_CERT_SET_SERVER
+    /*
+     * When multiple certs/keys are configured for the SSL_CTX: make sure
+     * that we get the private key which is indeed used for the current
+     * SSL connection (available in OpenSSL 1.0.2 or later only)
+     */
+    SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
+#endif
+    pkey = SSL_get_privatekey(ssl);
+    type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
 
     /*
      * OpenSSL will call us with either keylen == 512 or keylen == 1024