mod_ssl: Fixes PR 62880 where certificate loading fails bc SSL ERRs are
authorGraham Leggett <minfrin@apache.org>
Fri, 23 Nov 2018 14:57:22 +0000 (14:57 +0000)
committerGraham Leggett <minfrin@apache.org>
Fri, 23 Nov 2018 14:57:22 +0000 (14:57 +0000)
         not cleared beforehand.
+1: icing, jim, minfrin

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847280 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/ssl/ssl_engine_init.c
modules/ssl/ssl_util_ocsp.c

diff --git a/CHANGES b/CHANGES
index 2d5d335f14cf6bc7ea4004ec0f8bb1439c1a40fa..7190ebcf2b05644cce0dc20bae95c3da88539655 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.38
 
+  *) mod_ssl: clear *SSL errors before loading certificates and checking
+     afterwards. Otherwise errors are reported when other SSL using modules
+     are in play. Fixes PR 62880. [Michael Kaufmann]
+
   *) mod_ssl: Fix the error code returned in an error path of
      'ssl_io_filter_handshake()'. This messes-up error handling performed
      in 'ssl_io_filter_error()' [Yann Ylavic]
diff --git a/STATUS b/STATUS
index 05696ac93e82ef0b50d717b3e850e68e9ace3f38..8cbc54bd69488e4c722ef67823c0438d5f020149 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -126,12 +126,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: Fixes PR 62880 where certificate loading fails bc SSL ERRs are
-              not cleared beforehand.
-     trunk patch: http://svn.apache.org/r1845768
-     2.4.x patch: svn merge -c 1845768 ^/httpd/httpd/trunk .
-     +1: icing, jim, minfrin
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index b7b2be796c25bdabc3302c705ba03deaabfe1650..753ed4b3a96397341b909f16a3935291b155dd16 100644 (file)
@@ -1038,8 +1038,10 @@ static int use_certificate_chain(
         ctx->extra_certs = NULL;
     }
 #endif
+
     /* create new extra chain by loading the certs */
     n = 0;
+    ERR_clear_error();
     while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
         if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
             X509_free(x509);
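Review bot: The `ERR_clear_error()` added before the `PEM_read_bio_X509()` loop in `use_certificate_chain` has no comment saying why the queue is emptied, and the same applies to the call added in `modssl_read_ocsp_certificates` in ssl_util_ocsp.c. OpenSSL's error queue is per-thread and shared by every OpenSSL user in the process, so the code alone does not show that the call keeps stale entries from other modules out of the check after the loop; that check lies outside the hunk, so this is inferred from the CHANGES entry. I would put `/* drop stale entries left by other OpenSSL users so only errors from this read are seen after the loop */` directly above each call; in the OCSP hunk the call currently sits between the existing comment and the loop it describes. Clearing also discards those earlier errors unlogged, so if they are useful for diagnosing the module that left them, consider logging them at debug level before the clear. Both functions start and end outside their hunks.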
index b11a6e924e5786241986e5dd22dbcc47978880dd..b66e15146c85478398d3a610836026c72477eac5 100644 (file)
@@ -363,7 +363,9 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
         BIO_free(bio);
         return NULL;
     }
+
     /* create new extra chain by loading the certs */
+    ERR_clear_error();
     while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
         if (!other_certs) {
                 other_certs = sk_X509_new_null();