rpms/httpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which

Browse Source 
differ only in case
This commit is contained in:
Luboš Uhliarik 2021-09-15 13:23:58 +02:00
parent c77124140b
commit d826352e8c
2 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
httpd-2.4.48-r1825120.patch Normal file
View File

@ -0,0 +1,99 @@
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 4e2e80d..10a2c86 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -2256,51 +2256,6 @@ int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
return OK;
}
-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
- const X509_NAME * const *b)
-{
- return(X509_NAME_cmp(*a, *b));
-}
-
-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
- server_rec *s, apr_pool_t *ptemp,
- const char *file)
-{
- int n;
- STACK_OF(X509_NAME) *sk;
-
- sk = (STACK_OF(X509_NAME) *)
- SSL_load_client_CA_file(file);
-
- if (!sk) {
- return;
- }
-
- for (n = 0; n < sk_X509_NAME_num(sk); n++) {
- X509_NAME *name = sk_X509_NAME_value(sk, n);
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
- "CA certificate: %s",
- modssl_X509_NAME_to_string(ptemp, name, 0));
-
- /*
- * note that SSL_load_client_CA_file() checks for duplicates,
- * but since we call it multiple times when reading a directory
- * we must also check for duplicates ourselves.
- */
-
- if (sk_X509_NAME_find(ca_list, name) < 0) {
- /* this will be freed when ca_list is */
- sk_X509_NAME_push(ca_list, name);
- }
- else {
- /* need to free this ourselves, else it will leak */
- X509_NAME_free(name);
- }
- }
-
- sk_X509_NAME_free(sk);
-}
static apr_status_t ssl_init_ca_cert_path(server_rec *s,
apr_pool_t *ptemp,
@@ -2324,7 +2279,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
}
file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
if (ca_list) {
- ssl_init_PushCAList(ca_list, s, ptemp, file);
+ SSL_add_file_cert_subjects_to_stack(ca_list, file);
}
if (xi_list) {
load_x509_info(ptemp, xi_list, file);
@@ -2341,19 +2296,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
const char *ca_file,
const char *ca_path)
{
- STACK_OF(X509_NAME) *ca_list;
-
- /*
- * Start with a empty stack/list where new
- * entries get added in sorted order.
- */
- ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
+ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
/*
* Process CA certificate bundle file
*/
if (ca_file) {
- ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
+ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
/*
* If ca_list is still empty after trying to load ca_file
* then the file failed to load, and users should hear about that.
@@ -2377,11 +2326,6 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
return NULL;
}
- /*
- * Cleanup
- */
- (void) sk_X509_NAME_set_cmp_func(ca_list, NULL);
-
return ca_list;
}

9
httpd.spec
View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.48 Version: 2.4.48
Release: 17%{?dist} Release: 18%{?dist}
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -91,6 +91,8 @@ Patch47: httpd-2.4.43-pr37355.patch
Patch48: httpd-2.4.46-freebind.patch Patch48: httpd-2.4.46-freebind.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1950021 # https://bugzilla.redhat.com/show_bug.cgi?id=1950021
Patch49: httpd-2.4.48-ssl-proxy-chains.patch Patch49: httpd-2.4.48-ssl-proxy-chains.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2004143
Patch50: httpd-2.4.48-r1825120.patch
# Bug fixes # Bug fixes
@ -254,6 +256,7 @@ written in the Lua programming language.
%patch47 -p1 -b .pr37355 %patch47 -p1 -b .pr37355
%patch48 -p1 -b .freebind %patch48 -p1 -b .freebind
%patch49 -p1 -b .ssl-proxy-chains %patch49 -p1 -b .ssl-proxy-chains
%patch50 -p1 -b .r1825120
%patch60 -p1 -b .enable-sslv3 %patch60 -p1 -b .enable-sslv3
%patch61 -p1 -b .htcacheclean-dont-break %patch61 -p1 -b .htcacheclean-dont-break
@ -806,6 +809,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Wed Sep 15 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-18
- Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which
differ only in case
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-17 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688