* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Fix possible

  startup failure in cases where multiple vhosts share the same
  "vhost-id" and private key file.  The cached-key case would
  previously cause an abrupt return from the function, which could
  prevent processing of configured keypairs for other vhosts.  There
  is no apparent reason to check for a "cache hit" against cached keys
  using *any* algorithm types; instead only check against a key with
  the matching type.

Submitted by: Masahiro Matsuya <matsuya redhat.com>, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1069772 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index a89d2af1fc5041b8a1db5bbe25e4603b820e5b69..fe9cc6ca299161604218420a1c74bbf7812e998d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.3.11
 
+  *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
+     are configured with the same ServerName and private key file.
+     [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
+
   *) mod_socache_dc: Make module compile by fixing some typos.
      PR 50735 [Mark Montague <mark catseye.org>]
 

diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index e8644111debf6b47356bfd13a373fccc8f7bbff8..3cea72df279564fd2a265157a43fcc22788de899 100644 (file)
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -211,6 +211,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                  && (sc->server->pks->cert_files[i] != NULL
                      || sc->server->pkcs7); i++) {
             const char *key_id;
+            int using_cache = 0;
 
             if (sc->server->pkcs7) {
                 STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
@@ -349,22 +350,17 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                  * are used to give a better idea as to what failed.
                  */
                 if (pkey_mtime) {
-                    int i;
-
-                    for (i=0; i < SSL_AIDX_MAX; i++) {
-                        const char *key_id =
-                            ssl_asn1_table_keyfmt(p, cpVHostID, i);
-                        ssl_asn1_t *asn1 =
-                            ssl_asn1_table_get(mc->tPrivateKey, key_id);
-
-                        if (asn1 && (asn1->source_mtime == pkey_mtime)) {
-                            ap_log_error(APLOG_MARK, APLOG_INFO,
-                                         0, pServ,
-                                         "%s reusing existing "
-                                         "%s private key on restart",
-                                         cpVHostID, ssl_asn1_keystr(i));
-                            return;
-                        }
+                    ssl_asn1_t *asn1 =
+                        ssl_asn1_table_get(mc->tPrivateKey, key_id);
+                    
+                    if (asn1 && (asn1->source_mtime == pkey_mtime)) {
+                        ap_log_error(APLOG_MARK, APLOG_INFO,
+                                     0, pServ,
+                                     "%s reusing existing "
+                                     "%s private key on restart",
+                                     cpVHostID, ssl_asn1_keystr(i));
+                        using_cache = 1;
+                        break;
                     }
                 }
 
@@ -468,6 +464,12 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                 ssl_die();
             }
 
+            /* If a cached private key was found, nothing more to do
+             * here; loop through to the next configured cert for this
+             * vhost. */
+            if (using_cache)
+                continue;
+
             if (pPrivateKey == NULL) {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                             "Init: Unable to read server private key from "