Diffstat (limited to 'httpd-2.4.2-r1374214+.patch')
-rw-r--r--httpd-2.4.2-r1374214+.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch
new file mode 100644
index 0000000..af5d2ab
--- /dev/null
+++ b/httpd-2.4.2-r1374214+.patch
@@ -0,0 +1,45 @@
+# ./pullrev.sh 1374214 1375445
+
+http://svn.apache.org/viewvc?view=revision&revision=1374214
+http://svn.apache.org/viewvc?view=revision&revision=1375445
+
+--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
++++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
+@@ -1381,7 +1381,7 @@
+ for (n = 0; n < ncerts; n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+- if (!inf->x509 || !inf->x_pkey) {
++ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
+ "incomplete client cert configured for SSL proxy "
+@@ -1389,6 +1389,15 @@
+ ssl_die(s);
+ return;
+ }
++
++ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
++ APLOGNO(02326) "proxy client certificate and "
++ "private key do not match");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
++ ssl_die(s);
++ return;
++ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
+@@ -1401,7 +1410,11 @@
+ return;
+ }
+
+- /* Load all of the CA certs and construct a chain */
++ /* If SSLProxyMachineCertificateChainFile is configured, load all
++ * the CA certs and have OpenSSL attempt to construct a full chain
++ * from each configured end-entity cert up to a root. This will
++ * allow selection of the correct cert given a list of root CA
++ * names in the certificate request from the server. */
+ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+ sctx = X509_STORE_CTX_new();
+