From a0cddc57d420f5293de1caa43c6e22836e7c2eb7 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Tue, 16 Aug 2016 18:24:56 +0000 Subject: [PATCH] mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate in the client certificate chain. PR 55786. This is done by handling an empty cert chain as no/NULL chain. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756542 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/ssl/ssl_engine_kernel.c | 16 ++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index df9ed6afc8..3b0b85eed8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate + in the client certificate chain. PR 55786. [Yann Ylavic] + *) mod_http2: adding support for intermediate responses. [Stefan Eissing] diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index d1233ae092..985ae957a5 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -886,7 +886,14 @@ int ssl_hook_Access(request_rec *r) cert = SSL_get_peer_certificate(ssl); - if (!cert_stack && cert) { + if (!cert_stack || (sk_X509_num(cert_stack) == 0)) { + if (!cert) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222) + "Cannot find peer certificate chain"); + + return HTTP_FORBIDDEN; + } + /* client cert is in the session cache, but there is * no chain, since ssl3_get_client_certificate() * sk_X509_shift-ed the peer cert out of the chain. @@ -896,13 +903,6 @@ int ssl_hook_Access(request_rec *r) sk_X509_push(cert_stack, cert); } - if (!cert_stack || (sk_X509_num(cert_stack) == 0)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222) - "Cannot find peer certificate chain"); - - return HTTP_FORBIDDEN; - } - if (!(cert_store || (cert_store = SSL_CTX_get_cert_store(ctx)))) { -- 2.50.1