rpms/httpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #1950021 - [RFE] Update httpd directive SSLProxyMachineCertificateFile

Browse Source 
to be able to handle certs without matching private key
This commit is contained in:
Luboš Uhliarik 2021-07-01 14:16:33 +02:00
parent dc59040381
commit 2be7e43256
2 changed files with 88 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
httpd-2.4.48-ssl-proxy-chains.patch Normal file
View File

@ -0,0 +1,79 @@
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 15f68f9..e67c81d 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1682,6 +1682,10 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
STACK_OF(X509) *chain;
X509_STORE_CTX *sctx;
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
+ int addl_chain = 0; /* non-zero if additional chain certs were
+ * added to store */
+
+ ap_assert(store != NULL); /* safe to assume always non-NULL? */
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
/* For OpenSSL >=1.1.1, turn on client cert support which is
@@ -1707,20 +1711,28 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk);
}
- if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
- sk_X509_INFO_free(sk);
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
- "no client certs found for SSL proxy");
- return APR_SUCCESS;
- }
-
/* Check that all client certs have got certificates and private
- * keys. */
- for (n = 0; n < ncerts; n++) {
+ * keys. Note the number of certs in the stack may decrease
+ * during the loop. */
+ for (n = 0; n < sk_X509_INFO_num(sk); n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n);
+ int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey;
- if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
- inf->enc_data) {
+ /* For a lone certificate in the file, trust it as a
+ * CA/intermediate certificate. */
+ if (inf->x509 && !has_privkey && !inf->enc_data) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509,
+ APLOGNO(10261) "Trusting non-leaf certificate");
+ X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */
+ /* Delete from the stack and iterate again. */
+ X509_INFO_free(inf);
+ sk_X509_INFO_delete(sk, n);
+ n--;
+ addl_chain = 1;
+ continue;
+ }
+
+ if (!has_privkey || inf->enc_data) {
sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
@@ -1737,13 +1749,21 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
}
}
+ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
+ "no client certs found for SSL proxy");
+ return APR_SUCCESS;
+ }
+
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
"loaded %d client certs for SSL proxy",
ncerts);
pkp->certs = sk;
-
- if (!pkp->ca_cert_file || !store) {
+ /* If any chain certs are configured, build the ->ca_certs chains
+ * corresponding to the loaded keypairs. */
+ if (!pkp->ca_cert_file && !addl_chain) {
return APR_SUCCESS;
}

10
httpd.spec
View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.48 Version: 2.4.48
Release: 7%{?dist} Release: 8%{?dist}
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -89,6 +89,8 @@ Patch46: httpd-2.4.48-proxy-ws-idle-timeout.patch
Patch47: httpd-2.4.43-pr37355.patch Patch47: httpd-2.4.43-pr37355.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1949606 # https://bugzilla.redhat.com/show_bug.cgi?id=1949606
Patch48: httpd-2.4.46-freebind.patch Patch48: httpd-2.4.46-freebind.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1950021
Patch49: httpd-2.4.48-ssl-proxy-chains.patch
# Bug fixes # Bug fixes
@ -102,6 +104,7 @@ Patch64: httpd-2.4.48-full-release.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1950011 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011
Patch65: httpd-2.4.48-r1877397.patch Patch65: httpd-2.4.48-r1877397.patch
# Security fixes # Security fixes
License: ASL 2.0 License: ASL 2.0
@ -249,6 +252,7 @@ written in the Lua programming language.
%patch46 -p1 -b .proxy-ws-idle-timeout %patch46 -p1 -b .proxy-ws-idle-timeout
%patch47 -p1 -b .pr37355 %patch47 -p1 -b .pr37355
%patch48 -p1 -b .freebind %patch48 -p1 -b .freebind
%patch49 -p1 -b .ssl-proxy-chains
%patch60 -p1 -b .enable-sslv3 %patch60 -p1 -b .enable-sslv3
%patch61 -p1 -b .htcacheclean-dont-break %patch61 -p1 -b .htcacheclean-dont-break
@ -797,6 +801,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-8
- Resolves: #1950021 - [RFE] Update httpd directive SSLProxyMachineCertificateFile
to be able to handle certs without matching private key
* Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-7 * Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-7
- Resolves: #1950011 - unorderly connection close when client attempts - Resolves: #1950011 - unorderly connection close when client attempts
renegotiation renegotiation