author | Joe Orton <jorton@apache.org> | 2004-11-10 11:49:37 +0000 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2004-11-10 11:49:37 +0000 |
commit | bd0600da0af2b0accfc9cb968ded56a5468698b6 (patch) | |
tree | efeaea7fd40308eacde02745a8e29ac6522f6499 /modules | |
parent | cfed8e1c61f287b0c74dd6a6fef5c58fec1ba49e (diff) | |
download | httpd-bd0600da0af2b0accfc9cb968ded56a5468698b6.tar.gz |
Backport from HEAD:
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.
PR: 24030
Reviewed by: jorton, minfrin, jerenkrantz, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105733 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6023bfebcb..f7de1956cb 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -892,7 +892,7 @@ static void ssl_init_proxy_certs(server_rec *s,
                                  apr_pool_t *ptemp,
                                  modssl_ctx_t *mctx)
 {
-    int ncerts = 0;
+    int n, ncerts = 0;
     STACK_OF(X509_INFO) *sk;
     modssl_pk_proxy_t *pkp = mctx->pkp;
 
@@ -913,18 +913,32 @@ static void ssl_init_proxy_certs(server_rec *s,
         SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
     }
 
-    if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                     "loaded %d client certs for SSL proxy",
-                     ncerts);
-
-        pkp->certs = sk;
-    }
-    else {
+    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
+        sk_X509_INFO_free(sk);
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                      "no client certs found for SSL proxy");
-        sk_X509_INFO_free(sk);
+        return;
     }
+
+    /* Check that all client certs have got certificates and private
+     * keys. */
+    for (n = 0; n < ncerts; n++) {
+        X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+        if (!inf->x509 || !inf->x_pkey) {
+            sk_X509_INFO_free(sk);
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "incomplete client cert configured for SSL proxy "
+                         "(missing or encrypted private key?)");
+            ssl_die();
+            return;
+        }
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "loaded %d client certs for SSL proxy",
+                 ncerts);
+    pkp->certs = sk;
 }
 
 static void ssl_init_proxy_ctx(server_rec *s,
|
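Review bot: The new check in the for loop of the second hunk, `if (!inf->x509 || !inf->x_pkey)`, does not catch the "encrypted private key" case its own log message mentions: when PEM_X509_INFO parsing meets an encrypted key it still allocates the X509_PKEY wrapper and leaves `x_pkey->dec_pkey` NULL with the raw bytes in `inf->enc_data`, so such a config passes this test and the later consumer of `dec_pkey` is left with the NULL this commit is meant to fail early on. Extending the condition to `if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey || inf->enc_data) {` closes that gap while keeping the same error path and message. The `return;` after `ssl_die()` presumably never runs if ssl_die() terminates the process; if it can return, the function still leaves `pkp->certs` unset, which matches the fail-early intent. The enclosing function ssl_init_proxy_certs begins before this hunk.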