Posted to cvs@httpd.apache.org by jo...@apache.org on 2011/02/11 13:26:57 UTC
svn commit: r1069772 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_pphrase.c
Author: jorton
Date: Fri Feb 11 12:26:57 2011
New Revision: 1069772
URL: http://svn.apache.org/viewvc?rev=1069772&view=rev
Log:
* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Fix possible
startup failure in cases where multiple vhosts share the same
"vhost-id" and private key file. The cached-key case would
previously cause an abrupt return from the function, which could
prevent processing of configured keypairs for other vhosts. There
is no apparent reason to check for a "cache hit" against cached keys
using *any* algorithm types; instead only check against a key with
the matching type.
Submitted by: Masahiro Matsuya <matsuya redhat.com>, jorton
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1069772&r1=1069771&r2=1069772&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Feb 11 12:26:57 2011
@@ -2,6 +2,10 @@
Changes with Apache 2.3.11
+ *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
+ are configured with the same ServerName and private key file.
+ [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
+
*) mod_socache_dc: Make module compile by fixing some typos.
PR 50735 [Mark Montague <mark catseye.org>]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1069772&r1=1069771&r2=1069772&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Fri Feb 11 12:26:57 2011
@@ -211,6 +211,7 @@ void ssl_pphrase_Handle(server_rec *s, a
&& (sc->server->pks->cert_files[i] != NULL
|| sc->server->pkcs7); i++) {
const char *key_id;
+ int using_cache = 0;
if (sc->server->pkcs7) {
STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
@@ -349,22 +350,17 @@ void ssl_pphrase_Handle(server_rec *s, a
* are used to give a better idea as to what failed.
*/
if (pkey_mtime) {
- int i;
-
- for (i=0; i < SSL_AIDX_MAX; i++) {
- const char *key_id =
- ssl_asn1_table_keyfmt(p, cpVHostID, i);
- ssl_asn1_t *asn1 =
- ssl_asn1_table_get(mc->tPrivateKey, key_id);
-
- if (asn1 && (asn1->source_mtime == pkey_mtime)) {
- ap_log_error(APLOG_MARK, APLOG_INFO,
- 0, pServ,
- "%s reusing existing "
- "%s private key on restart",
- cpVHostID, ssl_asn1_keystr(i));
- return;
- }
+ ssl_asn1_t *asn1 =
+ ssl_asn1_table_get(mc->tPrivateKey, key_id);
+
+ if (asn1 && (asn1->source_mtime == pkey_mtime)) {
+ ap_log_error(APLOG_MARK, APLOG_INFO,
+ 0, pServ,
+ "%s reusing existing "
+ "%s private key on restart",
+ cpVHostID, ssl_asn1_keystr(i));
+ using_cache = 1;
+ break;
}
}
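Review bot: The cache hit is now decided by the single condition `asn1->source_mtime == pkey_mtime`, so a private key file that is replaced with its modification time preserved (a `cp -p` or an in-place rewrite within the timestamp granularity) is judged unchanged and the previously loaded key is reused on restart; this was also true of the removed inner loop, but the per-type lookup is now the only place it happens and it is not stated anywhere, so a comment such as `/* mtime equality is the only freshness check: a rotated key that keeps its mtime is not reloaded until a full stop/start */` above the `if (asn1 && ...)` would make the trade-off explicit. The `break` that follows `using_cache = 1;` leaves a loop whose beginning is outside this hunk; it has to be the per-key retry loop and not the outer certificate loop, otherwise `using_cache` never reaches the `if (using_cache) continue;` added in the third hunk, and the function's surrounding structure should be confirmed before merging. Between that `break` and the `continue` in the third hunk, the block ending in `ssl_die();` still runs with pPrivateKey unset, so if it inspects the key or the pass-phrase dialog state it presumably needs the same `using_cache` guard, which the commit does not add.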
@@ -468,6 +464,12 @@ void ssl_pphrase_Handle(server_rec *s, a
ssl_die();
}
+ /* If a cached private key was found, nothing more to do
+ * here; loop through to the next configured cert for this
+ * vhost. */
+ if (using_cache)
+ continue;
+
if (pPrivateKey == NULL) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Init: Unable to read server private key from "