From: Graham Leggett Date: Sat, 27 Apr 2013 22:18:02 +0000 (+0000) Subject: mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs X-Git-Tag: 2.4.5~365 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=059505bfac62de21ca44bb4aca4ffa2c24056ebc;p=apache mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. (check at startup, to prevent segfaults at proxy request time) trunk patches: https://svn.apache.org/r1374214 https://svn.apache.org/r1374216 https://svn.apache.org/r1375445 https://svn.apache.org/r1467593 2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch Submitted by: kbrand Reviewed by: jorton, minfrin git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1476685 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8dd8a68e5e..670d210489 100644 --- a/CHANGES +++ b/CHANGES @@ -22,6 +22,10 @@ Changes with Apache 2.4.5 *) mod_log_config: Fix crash when logging request end time for a failed request. PR 54828 [Rainer Jung] + *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs + with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. + [Keith Burdis , Joe Orton, Kaspar Brand] + *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits in the error log to debug level. [William Rowe] diff --git a/STATUS b/STATUS index b07d7b8928..3278aacce3 100644 --- a/STATUS +++ b/STATUS 
@@ -90,16 +90,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs - with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. - (check at startup, to prevent segfaults at proxy request time) - trunk patches: https://svn.apache.org/r1374214 - https://svn.apache.org/r1374216 - https://svn.apache.org/r1375445 - https://svn.apache.org/r1467593 - 2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch - 2.2.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.2.x.patch - +1: kbrand, jorton, minfrin PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 80d74946b9..59931dcac9 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1354,7 +1354,8 @@ static void ssl_init_proxy_certs(server_rec *s, for (n = 0; n < ncerts; n++) { X509_INFO *inf = sk_X509_INFO_value(sk, n); - if (!inf->x509 || !inf->x_pkey) { + if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey || + inf->enc_data) { sk_X509_INFO_free(sk); ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) "incomplete client cert configured for SSL proxy " @@ -1362,6 +1363,15 @@ static void ssl_init_proxy_certs(server_rec *s, ssl_die(s); return; } + + if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) { + ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509, + APLOGNO(02326) "proxy client certificate and " + "private key do not match"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); + ssl_die(s); + return; + } } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) 
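Review bot: The widened condition in the @@ -1354 hunk funnels three distinct configuration faults — missing certificate, missing private key, and encrypted private key (`!inf->x_pkey->dec_pkey || inf->enc_data`) — through the single APLOGNO(02252) "incomplete client cert configured for SSL proxy" message, whose continuation line lies outside the hunk. Unless that continuation already names the encrypted-key case, an administrator who left a passphrase on a machine-certificate key is told the cert is "incomplete" rather than that the key must be stored unencrypted, which makes the startup failure harder to act on than it needs to be. Consider either a dedicated message for the `inf->enc_data` case or extending the existing text, e.g. `"incomplete client cert configured for SSL proxy (missing or encrypted private key?)"`. The enclosing for loop and ssl_init_proxy_certs both start outside the hunk.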
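Review bot: The new mismatch branch in the @@ -1362 hunk calls ssl_die() without releasing `sk`, whereas the sibling incomplete-cert branch directly above it does `sk_X509_INFO_free(sk);` before its own ssl_die(); the two failure paths should be consistent, so either add `sk_X509_INFO_free(sk);` as the first statement of the new block or drop it from the other branch. A short why-comment would also help a later reader, since the value of checking here is not obvious from the code alone: `/* Verify at startup that cert and key belong together, rather than discovering the mismatch at proxy request time. */`. The `return` after ssl_die() mirrors the existing pattern and is fine to keep. The surrounding for loop and ssl_init_proxy_certs begin and end outside the hunk.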
@@ -1374,7 +1384,11 @@ static void ssl_init_proxy_certs(server_rec *s, return; } - /* Load all of the CA certs and construct a chain */ + /* If SSLProxyMachineCertificateChainFile is configured, load all + * the CA certs and have OpenSSL attempt to construct a full chain + * from each configured end-entity cert up to a root. This will + * allow selection of the correct cert given a list of root CA + * names in the certificate request from the server. */ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk)); sctx = X509_STORE_CTX_new();