mod_ssl: add check for proxy keypair match (upstream r1374214)
This commit is contained in:
parent
130d45741f
commit
7d53cc989e
45
httpd-2.4.2-r1374214+.patch
Normal file
45
httpd-2.4.2-r1374214+.patch
Normal file
@ -0,0 +1,45 @@
|
||||
# ./pullrev.sh 1374214 1375445
|
||||
|
||||
http://svn.apache.org/viewvc?view=revision&revision=1374214
|
||||
http://svn.apache.org/viewvc?view=revision&revision=1375445
|
||||
|
||||
--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
|
||||
+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
|
||||
@@ -1381,7 +1381,7 @@
|
||||
for (n = 0; n < ncerts; n++) {
|
||||
X509_INFO *inf = sk_X509_INFO_value(sk, n);
|
||||
|
||||
- if (!inf->x509 || !inf->x_pkey) {
|
||||
+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
|
||||
sk_X509_INFO_free(sk);
|
||||
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
|
||||
"incomplete client cert configured for SSL proxy "
|
||||
@@ -1389,6 +1389,15 @@
|
||||
ssl_die(s);
|
||||
return;
|
||||
}
|
||||
+
|
||||
+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
|
||||
+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
|
||||
+ APLOGNO(02326) "proxy client certificate and "
|
||||
+ "private key do not match");
|
||||
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
|
||||
+ ssl_die(s);
|
||||
+ return;
|
||||
+ }
|
||||
}
|
||||
|
||||
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
|
||||
@@ -1401,7 +1410,11 @@
|
||||
return;
|
||||
}
|
||||
|
||||
- /* Load all of the CA certs and construct a chain */
|
||||
+ /* If SSLProxyMachineCertificateChainFile is configured, load all
|
||||
+ * the CA certs and have OpenSSL attempt to construct a full chain
|
||||
+ * from each configured end-entity cert up to a root. This will
|
||||
+ * allow selection of the correct cert given a list of root CA
|
||||
+ * names in the certificate request from the server. */
|
||||
pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
|
||||
sctx = X509_STORE_CTX_new();
|
||||
|
@ -8,7 +8,7 @@
|
||||
Summary: Apache HTTP Server
|
||||
Name: httpd
|
||||
Version: 2.4.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
URL: http://httpd.apache.org/
|
||||
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||
Source1: index.html
|
||||
@ -48,6 +48,8 @@ Patch25: httpd-2.4.1-selinux.patch
|
||||
Patch26: httpd-2.4.2-r1337344+.patch
|
||||
Patch27: httpd-2.4.2-icons.patch
|
||||
Patch28: httpd-2.4.2-r1332643+.patch
|
||||
# Bug fixes
|
||||
Patch50: httpd-2.4.2-r1374214+.patch
|
||||
License: ASL 2.0
|
||||
Group: System Environment/Daemons
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
@ -156,6 +158,8 @@ authentication to the Apache HTTP Server.
|
||||
%patch27 -p1 -b .icons
|
||||
%patch28 -p1 -b .r1332643+
|
||||
|
||||
%patch50 -p1 -b .r1374214+
|
||||
|
||||
# Patch in vendor/release string
|
||||
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch --fuzz=%{_default_patch_fuzz} -p1
|
||||
|
||||
@ -570,6 +574,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_sysconfdir}/rpm/macros.httpd
|
||||
|
||||
%changelog
|
||||
* Tue Aug 21 2012 Joe Orton <jorton@redhat.com> - 2.4.3-2
|
||||
- mod_ssl: add check for proxy keypair match (upstream r1374214)
|
||||
|
||||
* Tue Aug 21 2012 Joe Orton <jorton@redhat.com> - 2.4.3-1
|
||||
- update to 2.4.3 (#849883)
|
||||
- own the docroot (#848121)
|
||||
|
Loading…
Reference in New Issue
Block a user