ASF Bugzilla – Attachment 30138 Details for Bug 54698: Segmentation Fault with SSLProxyMachineCertificateFile
[patch]
2.2.x backport of the fixes from PR 52212, amended
PR54698_2.2.x_v2.patch (text/plain), 1.81 KB, created by Kaspar Brand on 2013-04-03 06:53:38 UTC
>Index: modules/ssl/ssl_engine_init.c >=================================================================== >--- modules/ssl/ssl_engine_init.c (revision 1462733) >+++ modules/ssl/ssl_engine_init.c (working copy) >@@ -1051,7 +1051,8 @@ static void ssl_init_proxy_certs(server_rec *s, > for (n = 0; n < ncerts; n++) { > X509_INFO *inf = sk_X509_INFO_value(sk, n); > >- if (!inf->x509 || !inf->x_pkey) { >+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey || >+ inf->enc_data) { > sk_X509_INFO_free(sk); > ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, > "incomplete client cert configured for SSL proxy " >@@ -1059,6 +1060,15 @@ static void ssl_init_proxy_certs(server_rec *s, > ssl_die(); > return; > } >+ >+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) { >+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, >+ "proxy client certificate and " >+ "private key do not match"); >+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); >+ ssl_die(); >+ return; >+ } > } > > ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, >@@ -1070,7 +1080,11 @@ static void ssl_init_proxy_certs(server_rec *s, > return; > } > >- /* Load all of the CA certs and construct a chain */ >+ /* If SSLProxyMachineCertificateChainFile is configured, load all >+ * the CA certs and have OpenSSL attempt to construct a full chain >+ * from each configured end-entity cert up to a root. This will >+ * allow selection of the correct cert given a list of root CA >+ * names in the certificate request from the server. */ > pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk)); > sctx = X509_STORE_CTX_new(); >
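Review bot: In the first hunk (@@ -1051,7 +1051,8 @@), the two new conditions `!inf->x_pkey->dec_pkey` and `inf->enc_data` reuse the existing "incomplete client cert configured for SSL proxy" message, so a key that is present but still encrypted or not decoded is reported with the same text as a key that is missing altogether. Consider a separate branch or a more specific message for these two cases, so the startup log tells the administrator that the private key in the configured file must be unencrypted rather than suggesting that the file lacks a key.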
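Review bot: In the second hunk (@@ -1059,6 +1060,15 @@), the new `X509_check_private_key()` failure branch goes to `ssl_die()` without the `sk_X509_INFO_free(sk)` that the "incomplete client cert" branch directly above calls before its own `ssl_die()`; free `sk` here as well so both error paths clean up the same way. The message "proxy client certificate and private key do not match" also does not identify which of the `ncerts` entries failed, so logging the index `n` or the certificate subject would make a multi-certificate file easier to fix. The mismatch is logged at `APLOG_STARTUP` while the following `ssl_log_ssl_error()` uses `APLOG_ERR`; a short comment on why the levels differ would help.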