Commit 5b0b68bd authored by Rainer Jung

mod_ssl: We need to get the SSL_CTX for further processing down below.

This fixes a crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.
This is a regression in 2.4.36 (unreleased).

Backport of r1828793 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844223 13f79535-47bb-0310-9956-ffa450edef68
parent bb345927
+5 −0
@@ -3,6 +3,11 @@ Changes with Apache 2.4.37


  *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
  *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]


  *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
     when client certificates are available from the original handshake
     but were originally not verified and should get verified now.
     This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]

Changes with Apache 2.4.36
Changes with Apache 2.4.36


  *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
  *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
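Review bot: The new CHANGES entry credits [Ruediger Pluem], while the commit message says "Submitted by: rjung"; please confirm which attribution is intended (author of the trunk change r1828793 versus the backporter) so the two records agree. The wording "regression in 2.4.36 (unreleased)" under "Changes with Apache 2.4.37" matches the commit message and needs no change.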
+0 −5
@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]
  [ start all new proposals below, under PATCHES PROPOSED. ]


  *) mod_ssl: We need to get the SSL_CTX for further processing down below.
     trunk patch: http://svn.apache.org/r1828793
     2.4.x patch: svn merge -c 1828793 ^/httpd/httpd/trunk .
     +1: rjung, rpluem, jorton

  *) mod_ssl: Correctly merge configurations that have client certificates set
  *) mod_ssl: Correctly merge configurations that have client certificates set
   by SSLProxyMachineCertificate{File|Path}.
   by SSLProxyMachineCertificate{File|Path}.
   The certificates and keys loaded during configuration time got lost during
   The certificates and keys loaded during configuration time got lost during
+1 −1
@@ -485,7 +485,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
{
{
    server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
    server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
    SSLSrvConfigRec *hssc       = handshakeserver? mySrvConfig(handshakeserver) : NULL;
    SSLSrvConfigRec *hssc       = handshakeserver? mySrvConfig(handshakeserver) : NULL;
    SSL_CTX *ctx = NULL;
    SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL;
    BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
    BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
    X509 *peercert;
    X509 *peercert;
    X509_STORE *cert_store = NULL;
    X509_STORE *cert_store = NULL;
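Review bot: In ssl_hook_Access_classic the new initializer "SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL;" still leaves ctx NULL when ssl is NULL, and the code that uses ctx "down below" is outside this hunk, so please confirm that every later use is either reached only with a non-NULL ssl or checks ctx first. A short comment at the declaration stating that the renegotiation path depends on ctx would help keep the initialization from being dropped again, and a regression test for OptRenegotiate with a client certificate that was not verified in the original handshake would cover the crash described in the commit message.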