Commit 990ef2a6 authored by Joe Orton's avatar Joe Orton
Browse files

Backport from HEAD: 

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.

PR: 24030
Reviewed by: jorton, minfrin, jerenkrantz, wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105733 13f79535-47bb-0310-9956-ffa450edef68
parent b21c91ae

modules/ssl/ssl_engine_init.c

+24 −10
Original line number Diff line number Diff line
@@ -892,7 +892,7 @@ static void ssl_init_proxy_certs(server_rec *s, 
                                 apr_pool_t *ptemp,

                                 modssl_ctx_t *mctx)

{

    int ncerts = 0;

    int n, ncerts = 0;

    STACK_OF(X509_INFO) *sk;

    modssl_pk_proxy_t *pkp = mctx->pkp;
@@ -913,18 +913,32 @@ static void ssl_init_proxy_certs(server_rec *s, 
        SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);

    }



    if ((ncerts = sk_X509_INFO_num(sk)) > 0) {

        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

                     "loaded %d client certs for SSL proxy",

                     ncerts);



        pkp->certs = sk;

    }

    else {

    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {

        sk_X509_INFO_free(sk);

        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,

                     "no client certs found for SSL proxy");

        return;

    }



    /* Check that all client certs have got certificates and private

     * keys. */

    for (n = 0; n < ncerts; n++) {

        X509_INFO *inf = sk_X509_INFO_value(sk, n);



        if (!inf->x509 || !inf->x_pkey) {

            sk_X509_INFO_free(sk);

            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,

                         "incomplete client cert configured for SSL proxy "

                         "(missing or encrypted private key?)");

            ssl_die();

            return;

        }

    }



    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,

                 "loaded %d client certs for SSL proxy",

                 ncerts);

    pkp->certs = sk;

}



static void ssl_init_proxy_ctx(server_rec *s,