From 59d4757c65a5def31ea5baf780fab6bbc9ce61f4 Mon Sep 17 00:00:00 2001
From: Stefan Fritsch <sf@apache.org>
Date: Sun, 24 Oct 2010 22:14:15 +0000
Subject: [PATCH] Make sure to always log an error if loading of CA
 certificates fails

PR: 40312
Submitted by: Paul Tiemann <issues apache org ourdetour com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1026906 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                       |  3 +++
 modules/ssl/ssl_engine_init.c | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 2cd6e4dbb3..47eb0ec671 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_ssl: Make sure to always log an error if loading of CA certificates
+     fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]
+
   *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
      request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]
 
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 295fd72d83..4cfa1d3b7d 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -658,7 +658,7 @@ static void ssl_init_ctx_verify(server_rec *s,
             ca_list = ssl_init_FindCAList(s, ptemp,
                                           mctx->auth.ca_cert_file,
                                           mctx->auth.ca_cert_path);
-        if (!ca_list) {
+        if (sk_X509_NAME_num(ca_list) == 0) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                     "Unable to determine list of acceptable "
                     "CA certificates for client authentication");
@@ -1334,6 +1334,15 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
      */
     if (ca_file) {
         ssl_init_PushCAList(ca_list, s, ca_file);
+        /*
+         * If ca_list is still empty after trying to load ca_file
+         * then the file failed to load, and users should hear about that.
+         */
+        if (sk_X509_NAME_num(ca_list) == 0) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                    "Failed to load SSLCACertificateFile: %s", ca_file);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+        }
     }
 
     /*
-- 
2.40.0