-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Catch missing or mismatched client cert/key pairs with
+ SSLProxyCACertificateFile/Path directives. PR 52212.
+ [Keith Burdis <keith burdis.org>, Joe Orton]
+
*) mod_lua: Allow scripts handled by the lua-script handler to return
a status code to the client (such as a 302 or a 500) [Daniel Gruno]
for (n = 0; n < ncerts; n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n);
- if (!inf->x509 || !inf->x_pkey) {
+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
ssl_die(s);
return;
}
+
+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
+ APLOGNO(02326) "proxy client certificate and "
+ "private key do not match");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ return;
+ }
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
ssl_die(s);
}
+ /* ### Why is all the following done? Why is it necessary or
+ * useful for the server to try to verify its own client cert? */
X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
for (n = 0; n < ncerts; n++) {
projects / thirdparty / apache / httpd.git / commitdiff
