Fix a denial of service attack against mod_reqtimeout.
[Stefan Fritsch]
+ *) mod_ssl: Make sure to always log an error if loading of CA certificates
+ fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
+
*) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
ca_list = ssl_init_FindCAList(s, ptemp,
mctx->auth.ca_cert_file,
mctx->auth.ca_cert_path);
- if (!ca_list) {
+ if (sk_X509_NAME_num(ca_list) == 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
"Unable to determine list of acceptable "
"CA certificates for client authentication");
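Review bot: The new test `sk_X509_NAME_num(ca_list) == 0` no longer catches a NULL list, because OpenSSL's stack `_num` accessors return -1 for a NULL stack; if ssl_init_FindCAList (body not visible here) can return NULL, for example on a failed allocation, this emergency log is skipped where the old `!ca_list` test fired. Writing the guard as `if (sk_X509_NAME_num(ca_list) <= 0) {` covers both the NULL and the empty case. The added check after ssl_init_PushCAList in the later hunk uses the same `== 0` comparison and would benefit from the same change. The enclosing function starts and ends outside this hunk, so what follows the log call could not be checked.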
*/
if (ca_file) {
ssl_init_PushCAList(ca_list, s, ca_file);
+ /*
+ * If ca_list is still empty after trying to load ca_file
+ * then the file failed to load, and users should hear about that.
+ */
+ if (sk_X509_NAME_num(ca_list) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Failed to load SSLCACertificateFile: %s", ca_file);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ }
}
/*
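Review bot: The added check treats a zero count as proof that ca_file failed to load, which holds only while ca_list is guaranteed to be empty when this branch is entered; the list is created outside the hunk, so that is an unstated assumption here. A file that parses but contains no certificates would also be reported as a load failure, which is probably acceptable but is not what the comment says. Recording the count first and comparing afterwards, `int before = sk_X509_NAME_num(ca_list);` then `if (sk_X509_NAME_num(ca_list) == before) {`, keeps the diagnostic correct if the load order ever changes. At minimum the comment could state `ca_list is empty on entry, so a zero count means nothing was loaded from ca_file`.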