From e6cc70b01f04726bec55199ef2cfe9d29a5924b9 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 21 Aug 2012 18:18:24 +0200
Subject: httpd: sync with rawhide, update to 2.4.3
---
httpd-2.4.2-r1374214+.patch | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 httpd-2.4.2-r1374214+.patch
(limited to 'httpd-2.4.2-r1374214+.patch')
diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch
new file mode 100644
index 0000000..af5d2ab
--- /dev/null
+++ b/httpd-2.4.2-r1374214+.patch
@@ -0,0 +1,45 @@
+# ./pullrev.sh 1374214 1375445
+
+http://svn.apache.org/viewvc?view=revision&revision=1374214
+http://svn.apache.org/viewvc?view=revision&revision=1375445
+
+--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
++++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
+@@ -1381,7 +1381,7 @@
+ for (n = 0; n < ncerts; n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+- if (!inf->x509 || !inf->x_pkey) {
++ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
+ "incomplete client cert configured for SSL proxy "
+@@ -1389,6 +1389,15 @@
+ ssl_die(s);
+ return;
+ }
++
++ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
++ APLOGNO(02326) "proxy client certificate and "
++ "private key do not match");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
++ ssl_die(s);
++ return;
++ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
+@@ -1401,7 +1410,11 @@
+ return;
+ }
+
+- /* Load all of the CA certs and construct a chain */
++ /* If SSLProxyMachineCertificateChainFile is configured, load all
++ * the CA certs and have OpenSSL attempt to construct a full chain
++ * from each configured end-entity cert up to a root. This will
++ * allow selection of the correct cert given a list of root CA
++ * names in the certificate request from the server. */
+ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+ sctx = X509_STORE_CTX_new();
+
-- cgit
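Review bot: The new key-mismatch branch in the second inner hunk (`X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1`) calls `ssl_die(s)` and returns without releasing `sk`, whereas the incomplete-cert branch just above it calls `sk_X509_INFO_free(sk);` before dying. Both branches keep a `return;` after `ssl_die(s)`, so the code does not appear to rely on `ssl_die` never returning; if it does return, the stack that references the loaded proxy certificates and keys stays allocated on this path only. For consistency I would add `sk_X509_INFO_free(sk);` after the two log calls and immediately before `ssl_die(s);`, so that `inf->x509` is still referenced from a live stack while it is being logged, or else add a short comment such as `/* sk intentionally not freed: ssl_die() ends startup */` if the omission is deliberate. The enclosing loop and function start and end outside the hunks shown, so any cleanup done elsewhere is not visible here.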