mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate

author Yann Ylavic <ylavic@apache.org>

Tue, 16 Aug 2016 18:24:56 +0000 (18:24 +0000)

committer Yann Ylavic <ylavic@apache.org>

Tue, 16 Aug 2016 18:24:56 +0000 (18:24 +0000)
author Yann Ylavic <ylavic@apache.org>
Tue, 16 Aug 2016 18:24:56 +0000 (18:24 +0000)
committer Yann Ylavic <ylavic@apache.org>
Tue, 16 Aug 2016 18:24:56 +0000 (18:24 +0000)
diff --git a/CHANGES b/CHANGES

index df9ed6afc831064e99502f951278f2cf3ebb8231..3b0b85eed8b04fd88b86336a17971176ada2921b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.0
  
+  *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
+     in the client certificate chain.  PR 55786.  [Yann Ylavic]
+
    *) mod_http2: adding support for intermediate responses.
       [Stefan Eissing]
  
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c

index d1233ae0928d95c6425bacfc76206cf7a136c09a..985ae957a5ad09f1949620a96421dea4783476ee 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -886,7 +886,14 @@ int ssl_hook_Access(request_rec *r)
  
              cert = SSL_get_peer_certificate(ssl);
  
-            if (!cert_stack && cert) {
+            if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
+                if (!cert) {
+                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
+                                  "Cannot find peer certificate chain");
+
+                    return HTTP_FORBIDDEN;
+                }
+
                  /* client cert is in the session cache, but there is
                   * no chain, since ssl3_get_client_certificate()
                   * sk_X509_shift-ed the peer cert out of the chain.
@@ -896,13 +903,6 @@ int ssl_hook_Access(request_rec *r)
                  sk_X509_push(cert_stack, cert);
              }
  
-            if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
-                              "Cannot find peer certificate chain");
-
-                return HTTP_FORBIDDEN;
-            }
-
              if (!(cert_store ||
                    (cert_store = SSL_CTX_get_cert_store(ctx))))
              {
author	Yann Ylavic <ylavic@apache.org>
	Tue, 16 Aug 2016 18:24:56 +0000 (18:24 +0000)
committer	Yann Ylavic <ylavic@apache.org>
	Tue, 16 Aug 2016 18:24:56 +0000 (18:24 +0000)
CHANGES		patch \| blob \| history
modules/ssl/ssl_engine_kernel.c		patch \| blob \| history