From: Joe Orton Date: Tue, 25 Nov 2003 12:35:45 +0000 (+0000) Subject: * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early X-Git-Tag: pre_ajp_proxy~1010 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2c999f855adbee34e3114dba2bbc5282c16ff232;p=apache * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early (rather than segfault later) if a client cert is configured which is missing either the certificate or private key. PR: 24030 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101878 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 2885925dae..f5ab29560d 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -913,7 +913,7 @@ static void ssl_init_proxy_certs(server_rec *s,
 apr_pool_t *ptemp,
 modssl_ctx_t *mctx)
 {
- int ncerts = 0;
+ int n, ncerts = 0;
 STACK_OF(X509_INFO) *sk;
 modssl_pk_proxy_t *pkp = mctx->pkp;
@@ -934,18 +934,32 @@ static void ssl_init_proxy_certs(server_rec *s,
 SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
 }
- if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "loaded %d client certs for SSL proxy",
- ncerts);
-
- pkp->certs = sk;
- }
- else {
+ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
+ sk_X509_INFO_free(sk);
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
 "no client certs found for SSL proxy");
- sk_X509_INFO_free(sk);
+ return;
 }
+
+ /* Check that all client certs have got certificates and private
+ * keys. */
+ for (n = 0; n < ncerts; n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+ if (!inf->x509 || !inf->x_pkey) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+ "incomplete client cert configured for SSL proxy "
+ "(missing or encrypted private key?)");
+ ssl_die();
+ return;
+ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "loaded %d client certs for SSL proxy",
+ ncerts);
+ pkp->certs = sk;
 }
 static void ssl_init_proxy_ctx(server_rec *s,
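Review bot: The new guard `if (!inf->x509 || !inf->x_pkey)` only proves that an X509_PKEY object is attached to the entry, while the message it logs names an encrypted private key as the suspected cause; an X509_PKEY can carry key material whose `dec_pkey` member is still NULL when the key was not decrypted, and that entry would pass this check and be dereferenced later at exactly the point the commit is trying to move ahead of. If that is how the stack is populated by the loader here (not visible in the hunk), the check should be `if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {` so that a present-but-undecrypted key also fails at startup. Separately, the `return;` after `ssl_die();` is dead code if ssl_die() never returns and can be dropped, and `sk_X509_INFO_free(sk)` on that path releases the stack but not its X509_INFO elements, which is harmless only because the process exits. The enclosing ssl_init_proxy_certs body begins before this hunk.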