46 lines
1.7 KiB
Diff
46 lines
1.7 KiB
Diff
# ./pullrev.sh 1374214 1375445
|
|
|
|
http://svn.apache.org/viewvc?view=revision&revision=1374214
|
|
http://svn.apache.org/viewvc?view=revision&revision=1375445
|
|
|
|
--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
|
|
+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
|
|
@@ -1381,7 +1381,7 @@
|
|
for (n = 0; n < ncerts; n++) {
|
|
X509_INFO *inf = sk_X509_INFO_value(sk, n);
|
|
|
|
- if (!inf->x509 || !inf->x_pkey) {
|
|
+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
|
|
sk_X509_INFO_free(sk);
|
|
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
|
|
"incomplete client cert configured for SSL proxy "
|
|
@@ -1389,6 +1389,15 @@
|
|
ssl_die(s);
|
|
return;
|
|
}
|
|
+
|
|
+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
|
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
|
|
+ APLOGNO(02326) "proxy client certificate and "
|
|
+ "private key do not match");
|
|
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
|
|
+ ssl_die(s);
|
|
+ return;
|
|
+ }
|
|
}
|
|
|
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
|
|
@@ -1401,7 +1410,11 @@
|
|
return;
|
|
}
|
|
|
|
- /* Load all of the CA certs and construct a chain */
|
|
+ /* If SSLProxyMachineCertificateChainFile is configured, load all
|
|
+ * the CA certs and have OpenSSL attempt to construct a full chain
|
|
+ * from each configured end-entity cert up to a root. This will
|
|
+ * allow selection of the correct cert given a list of root CA
|
|
+ * names in the certificate request from the server. */
|
|
pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
|
|
sctx = X509_STORE_CTX_new();
|
|
|