You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2016/08/16 18:24:57 UTC
svn commit: r1756542 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_kernel.c
Author: ylavic
Date: Tue Aug 16 18:24:56 2016
New Revision: 1756542
URL: http://svn.apache.org/viewvc?rev=1756542&view=rev
Log:
mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
in the client certificate chain. PR 55786.
This is done by handling an empty cert chain as no/NULL chain.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1756542&r1=1756541&r2=1756542&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Aug 16 18:24:56 2016
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
+ in the client certificate chain. PR 55786. [Yann Ylavic]
+
*) mod_http2: adding support for intermediate responses.
[Stefan Eissing]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1756542&r1=1756541&r2=1756542&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Aug 16 18:24:56 2016
@@ -886,7 +886,14 @@ int ssl_hook_Access(request_rec *r)
cert = SSL_get_peer_certificate(ssl);
- if (!cert_stack && cert) {
+ if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
+ if (!cert) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
+ "Cannot find peer certificate chain");
+
+ return HTTP_FORBIDDEN;
+ }
+
/* client cert is in the session cache, but there is
* no chain, since ssl3_get_client_certificate()
* sk_X509_shift-ed the peer cert out of the chain.
@@ -896,13 +903,6 @@ int ssl_hook_Access(request_rec *r)
sk_X509_push(cert_stack, cert);
}
- if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
- "Cannot find peer certificate chain");
-
- return HTTP_FORBIDDEN;
- }
-
if (!(cert_store ||
(cert_store = SSL_CTX_get_cert_store(ctx))))
{