Make sure to always log an error if loading of CA certificates fails
authorStefan Fritsch <sf@apache.org>
Sun, 24 Oct 2010 22:14:15 +0000 (22:14 +0000)
committerStefan Fritsch <sf@apache.org>
Sun, 24 Oct 2010 22:14:15 +0000 (22:14 +0000)
PR: 40312
Submitted by: Paul Tiemann <issues apache org ourdetour com>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1026906 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_init.c

diff --git a/CHANGES b/CHANGES
index 2cd6e4dbb32f2a31a479f2dd8e68e421efbc05c4..47eb0ec6715470e2b47952bd196c7c9a45eccf65 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_ssl: Make sure to always log an error if loading of CA certificates
+     fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
+
   *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
      request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
 
index 295fd72d83e672af1099face97d6d1205aba1a49..4cfa1d3b7d87ffb93e41705979fe147bf2c63593 100644 (file)
@@ -658,7 +658,7 @@ static void ssl_init_ctx_verify(server_rec *s,
             ca_list = ssl_init_FindCAList(s, ptemp,
                                           mctx->auth.ca_cert_file,
                                           mctx->auth.ca_cert_path);
-        if (!ca_list) {
+        if (sk_X509_NAME_num(ca_list) == 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                     "Unable to determine list of acceptable "
                     "CA certificates for client authentication");
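Review bot: The replaced condition drops the NULL guard: `sk_X509_NAME_num()` returns -1 for a NULL stack, so a NULL return from ssl_init_FindCAList no longer satisfies `== 0` and execution falls through past the APLOG_EMERG branch with a NULL ca_list. Whether ssl_init_FindCAList can still return NULL is not visible here (its body, and any early `return NULL` in it, lies outside both hunks), but nothing in this hunk rules it out, so the check should keep both cases: `if (!ca_list || sk_X509_NAME_num(ca_list) == 0) {`. The enclosing ssl_init_ctx_verify starts and ends outside the hunk.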
@@ -1334,6 +1334,15 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
      */
     if (ca_file) {
         ssl_init_PushCAList(ca_list, s, ca_file);
+        /*
+         * If ca_list is still empty after trying to load ca_file
+         * then the file failed to load, and users should hear about that.
+         */
+        if (sk_X509_NAME_num(ca_list) == 0) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                    "Failed to load SSLCACertificateFile: %s", ca_file);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+        }
     }
 
     /*
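Review bot: The new empty-list check reports a load failure for any file that leaves ca_list empty, including a readable PEM file that simply contains no CA certificates; in that case the OpenSSL error queue that ssl_log_ssl_error dumps may well be empty (presumably, depending on what ssl_init_PushCAList does with such a file), and the "Failed to load" message misattributes the cause. The check also relies on ca_list being freshly created just before this point, which the hunk does not show; comparing against the count taken before the push is robust to later reordering, e.g. `int n_before = sk_X509_NAME_num(ca_list);` before the `ssl_init_PushCAList` call and `if (sk_X509_NAME_num(ca_list) == n_before) {` as the condition, with a message like "No CA certificates loaded from SSLCACertificateFile: %s". ssl_init_FindCAList starts and ends outside the hunk.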