From: Stefan Fritsch Date: Sun, 24 Oct 2010 22:14:15 +0000 (+0000) Subject: Make sure to always log an error if loading of CA certificates fails X-Git-Tag: 2.3.9~223 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59d4757c65a5def31ea5baf780fab6bbc9ce61f4;p=apache Make sure to always log an error if loading of CA certificates fails PR: 40312 Submitted by: Paul Tiemann git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1026906 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 2cd6e4dbb3..47eb0ec671 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,9 @@ Changes with Apache 2.3.9 Fix a denial of service attack against mod_reqtimeout. [Stefan Fritsch] + *) mod_ssl: Make sure to always log an error if loading of CA certificates + fails. PR 40312. [Paul Tiemann ] + *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT request (RFC 2616 9.6). PR 42978. [Stefan Fritsch] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 295fd72d83..4cfa1d3b7d 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -658,7 +658,7 @@ static void ssl_init_ctx_verify(server_rec *s, ca_list = ssl_init_FindCAList(s, ptemp, mctx->auth.ca_cert_file, mctx->auth.ca_cert_path); - if (!ca_list) { + if (sk_X509_NAME_num(ca_list) == 0) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, "Unable to determine list of acceptable " "CA certificates for client authentication"); @@ -1334,6 +1334,15 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, */ if (ca_file) { ssl_init_PushCAList(ca_list, s, ca_file); + /* + * If ca_list is still empty after trying to load ca_file + * then the file failed to load, and users should hear about that. + */ + if (sk_X509_NAME_num(ca_list) == 0) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Failed to load SSLCACertificateFile: %s", ca_file); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); + } } /*
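Review bot: In the ssl_init_ctx_verify hunk, replacing `if (!ca_list)` with `if (sk_X509_NAME_num(ca_list) == 0)` drops the NULL case. OpenSSL's sk_*_num returns -1 for a NULL stack, so if ssl_init_FindCAList can ever return NULL, the APLOG_EMERG branch ("Unable to determine list of acceptable CA certificates for client authentication") is skipped and initialization continues past the check. Suggest `if (sk_X509_NAME_num(ca_list) <= 0)`, which covers both a NULL and an empty list.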
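Review bot: In the ssl_init_FindCAList hunk, the new `sk_X509_NAME_num(ca_list) == 0` test after `ssl_init_PushCAList(ca_list, s, ca_file)` only fires when the file contributed no names at all, and only the ca_file branch gets it, while the commit subject says an error is always logged. The test is also correct only as long as ca_list is empty when this branch is entered. Consider comparing the count before and after the call (or having ssl_init_PushCAList report failure itself), and add the matching "Failed to load" message for the ca_cert_path case so that a failing path is reported by name as well.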