author | Joe Orton <jorton@apache.org> | 2003-11-25 12:35:45 +0000 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2003-11-25 12:35:45 +0000 |
commit | 2c999f855adbee34e3114dba2bbc5282c16ff232 (patch) | |
tree | f37ad9c7e8dba933b35deb345812e96d83c378b0 /modules/ssl/ssl_engine_init.c | |
parent | a7db87b9add29f7543457f53863cee4ee13d58c9 (diff) | |
download | httpd-2c999f855adbee34e3114dba2bbc5282c16ff232.tar.gz |
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.
PR: 24030
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101878 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/ssl/ssl_engine_init.c')
-rw-r--r-- | modules/ssl/ssl_engine_init.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 2885925dae..f5ab29560d 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -913,7 +913,7 @@ static void ssl_init_proxy_certs(server_rec *s,
                                  apr_pool_t *ptemp,
                                  modssl_ctx_t *mctx)
 {
-    int ncerts = 0;
+    int n, ncerts = 0;
     STACK_OF(X509_INFO) *sk;
     modssl_pk_proxy_t *pkp = mctx->pkp;
 
@@ -934,18 +934,32 @@ static void ssl_init_proxy_certs(server_rec *s,
         SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
     }
 
-    if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                     "loaded %d client certs for SSL proxy",
-                     ncerts);
-
-        pkp->certs = sk;
-    }
-    else {
+    if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
+        sk_X509_INFO_free(sk);
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                      "no client certs found for SSL proxy");
-        sk_X509_INFO_free(sk);
+        return;
     }
+
+    /* Check that all client certs have got certificates and private
+     * keys. */
+    for (n = 0; n < ncerts; n++) {
+        X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+        if (!inf->x509 || !inf->x_pkey) {
+            sk_X509_INFO_free(sk);
+            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                         "incomplete client cert configured for SSL proxy "
+                         "(missing or encrypted private key?)");
+            ssl_die();
+            return;
+        }
+    }
+
+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                 "loaded %d client certs for SSL proxy",
+                 ncerts);
+    pkp->certs = sk;
 }
 
 static void ssl_init_proxy_ctx(server_rec *s, |
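Review bot: The new loop in the second hunk only checks that both `inf->x509` and `inf->x_pkey` are present, so a PEM file whose certificate and private key do not belong together still passes startup and would only fail when the proxy handshake tries to use the pair; the same loop is the natural place to add a pairing check, for example with `X509_check_private_key()` on the decoded key, logging and calling `ssl_die()` on mismatch just as the incomplete case does. The hint in the error message, `"(missing or encrypted private key?)"`, covers only one of the two conditions that trigger it, since the branch is also taken when the file holds a key but no certificate; a wording such as `"(missing certificate, or missing/encrypted private key?)"` would match the condition. The body of ssl_init_proxy_certs between the two hunks is not shown, so the origin of `sk` and the load calls are not visible here.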