Commit e6624bfb authored by William A. Rowe Jr

mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs

with SSLProxyMachineCertificateFile/Path directives. 
(check at startup, to prevent segfaults at proxy request time)

PR: 52212, 54698
Backports: r1374214, r1374216, r1375445, r1467593
Submitted by: Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand
Reviewed by: kbrand, minfrin, wrowe



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497096 13f79535-47bb-0310-9956-ffa450edef68
parent cd0e48cf
+3 −0
@@ -12,6 +12,9 @@ Changes with Apache 2.2.25
  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

Changes with Apache 2.2.24

+0 −11
@@ -114,17 +114,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]
  
  * mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
    with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
    (check at startup, to prevent segfaults at proxy request time)
    trunk patches: https://svn.apache.org/r1374214
                   https://svn.apache.org/r1374216
                   https://svn.apache.org/r1375445
                   https://svn.apache.org/r1467593
    2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch
    2.2.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.2.x.patch
    +1: kbrand, minfrin, wrowe

  * mod_cache: Fix uninitialized tmppath variable. PR 54949
    trunk patch: Variable removed from trunk in http://svn.apache.org/r1407381
    2.2.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-tmppath.patch
+16 −2
@@ -1051,7 +1051,8 @@ static void ssl_init_proxy_certs(server_rec *s,
    for (n = 0; n < ncerts; n++) {
        X509_INFO *inf = sk_X509_INFO_value(sk, n);

        if (!inf->x509 || !inf->x_pkey) {
        if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
            inf->enc_data) {
            sk_X509_INFO_free(sk);
            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                         "incomplete client cert configured for SSL proxy "
@@ -1059,6 +1060,15 @@ static void ssl_init_proxy_certs(server_rec *s,
            ssl_die();
            return;
        }
        
        if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                           "proxy client certificate and "
                           "private key do not match");
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
            ssl_die();
            return;
        }
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
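Review bot: The new key-mismatch branch (`X509_check_private_key(...) != 1`) bails out without releasing `sk`, whereas the incomplete-cert branch directly above calls `sk_X509_INFO_free(sk)` before logging and dying; since both branches end in `ssl_die(); return;`, the trailing `return` suggests the authors allow for `ssl_die()` coming back, and on that path the X509_INFO stack (and every cert and key in it) is leaked. For consistency add `sk_X509_INFO_free(sk);` as the first statement of the mismatch branch, before the `ap_log_error` call, matching the sibling branch. Because several cert/key pairs can be configured (`ncerts` entries via SSLProxyMachineCertificateFile/Path), the message would also be more actionable if it identified the offending entry, e.g. `"proxy client certificate and private key do not match (entry %d)", n` — the file name itself is not visible in this hunk, so whether it is available here needs checking. ssl_init_proxy_certs begins before this hunk and continues after it.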
@@ -1070,7 +1080,11 @@ static void ssl_init_proxy_certs(server_rec *s,
        return;
    }

    /* Load all of the CA certs and construct a chain */
    /* If SSLProxyMachineCertificateChainFile is configured, load all
     * the CA certs and have OpenSSL attempt to construct a full chain
     * from each configured end-entity cert up to a root.  This will
     * allow selection of the correct cert given a list of root CA
     * names in the certificate request from the server.  */
    pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
    sctx = X509_STORE_CTX_new();