Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/05/07 14:51:38 UTC
svn commit: r1593001 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/ssl/ssl_engine_kernel.c
Author: jim
Date: Wed May 7 12:51:38 2014
New Revision: 1593001
URL: http://svn.apache.org/r1593001
Log:
Merge r1588851 from trunk:
ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the
one actually used for the connection before calling SSL_get_privatekey(ssl)
Submitted by: kbrand
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1588851
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1593001&r1=1593000&r2=1593001&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May 7 12:51:38 2014
@@ -100,12 +100,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: set the current cert in ssl_callback_TmpDH before calling
- SSL_get_privatekey(ssl)
- trunk patch: https://svn.apache.org/r1588851
- 2.4.x patch: trunk patch works
- +1: kbrand, ylavic, jim
-
* mod_ssl: make SSL stapling init more robust for certs w/o responder URI
trunk patch: https://svn.apache.org/r1588853
2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1593001&r1=1593000&r2=1593001&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Wed May 7 12:51:38 2014
@@ -1331,8 +1331,19 @@ make_get_dh(rfc3526, 4096, 2)
DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
- EVP_PKEY *pkey = SSL_get_privatekey(ssl);
- int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+ EVP_PKEY *pkey;
+ int type;
+
+#ifdef SSL_CERT_SET_SERVER
+ /*
+ * When multiple certs/keys are configured for the SSL_CTX: make sure
+ * that we get the private key which is indeed used for the current
+ * SSL connection (available in OpenSSL 1.0.2 or later only)
+ */
+ SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
+#endif
+ pkey = SSL_get_privatekey(ssl);
+ type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
/*
* OpenSSL will call us with either keylen == 512 or keylen == 1024
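Review bot: the return value of SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER) on the added `SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);` line is discarded; it returns 0 on failure, and in that case the following `pkey = SSL_get_privatekey(ssl);` silently falls back to whichever certificate was current, so the DH parameter size would be chosen for a key that is not the one used by this connection, with no trace in the logs. Since `c` is already available as the conn_rec, consider logging the failure at debug level, e.g. `if (!SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER)) ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "SSL_set_current_cert failed");`. A smaller style point on `type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;`: this keeps reaching into the EVP_PKEY struct via `pkey->type`; EVP_PKEY_base_id(pkey), available since OpenSSL 1.0.0, returns the same value without depending on the struct layout.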