From 5f15191cfa048af5b2fd486a4198ecef4423f84c Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Thu, 13 Mar 2014 12:39:33 +0000 Subject: [PATCH] Merge r1576741 from trunk: A bug in some older versions of OpenSSL will cause a crash in SSL_get_certificate for servers where the certificate hasn't been sent. Workaround by setting the ssl structure to client mode which bypasses the faulty code in OpenSSL. Normally setting a server ssl structure to client mode would cause problems later on: but we are freeing the structure immediately without attempting to use it. Submitted by: drh Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577137 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_init.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index dc3849177b..21c68a1a2f 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -956,8 +956,13 @@ static apr_status_t ssl_init_server_certs(server_rec *s, */ if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) { #else - if (!(ssl = SSL_new(mctx->ssl_ctx)) || - !(cert = SSL_get_certificate(ssl))) { + ssl = SSL_new(mctx->ssl_ctx); + if (ssl) { + /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */ + SSL_set_connect_state(ssl); + cert = SSL_get_certificate(ssl); + } + if (!ssl || !cert) { #endif ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566) "Unable to retrieve certificate %s", key_id); -- 2.40.0