httpd/httpd-2.4.2-r1374214+.patch

46 lines
1.7 KiB
Diff
Raw Normal View History

# ./pullrev.sh 1374214 1375445
http://svn.apache.org/viewvc?view=revision&revision=1374214
http://svn.apache.org/viewvc?view=revision&revision=1375445
--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
@@ -1381,7 +1381,7 @@
for (n = 0; n < ncerts; n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n);
- if (!inf->x509 || !inf->x_pkey) {
+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
@@ -1389,6 +1389,15 @@
ssl_die(s);
return;
}
+
+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
+ APLOGNO(02326) "proxy client certificate and "
+ "private key do not match");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ return;
+ }
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
@@ -1401,7 +1410,11 @@
return;
}
- /* Load all of the CA certs and construct a chain */
+ /* If SSLProxyMachineCertificateChainFile is configured, load all
+ * the CA certs and have OpenSSL attempt to construct a full chain
+ * from each configured end-entity cert up to a root. This will
+ * allow selection of the correct cert given a list of root CA
+ * names in the certificate request from the server. */
pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
sctx = X509_STORE_CTX_new();