From: Rainer Jung Date: Thu, 18 Oct 2018 10:03:52 +0000 (+0000) Subject: mod_ssl: We need to get the SSL_CTX for further processing X-Git-Tag: 2.4.37~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33c014d8c7cb1acc87b3fa3853c9297053292c35;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: We need to get the SSL_CTX for further processing down below. This fixes a crash during SSL renegotiation with OptRenegotiate set, when client certificates are available from the original handshake but were originally not verified and should get verified now. This is a regression in 2.4.36 (unreleased). Backport of r1828793 from trunk. Submitted by: rjung Reviewed by: rjung, rpluem, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844223 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f2eee6e1b76..27cf12257a1 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,11 @@ Changes with Apache 2.4.37 *) mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung] + *) mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set, + when client certificates are available from the original handshake + but were originally not verified and should get verified now. + This is a regression in 2.4.36 (unreleased). [Ruediger Pluem] + Changes with Apache 2.4.36 *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified diff --git a/STATUS b/STATUS index 32eca96562e..6bd211c95e5 100644 --- a/STATUS +++ b/STATUS 
@@ -125,11 +125,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: We need to get the SSL_CTX for further processing down below. - trunk patch: http://svn.apache.org/r1828793 - 2.4.x patch: svn merge -c 1828793 ^/httpd/httpd/trunk . - +1: rjung, rpluem, jorton - *) mod_ssl: Correctly merge configurations that have client certificates set by SSLProxyMachineCertificate{File|Path}. The certificates and keys loaded during configuration time got lost during diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 6cd0da527f4..de0ffb09eff 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -485,7 +485,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo { server_rec *handshakeserver = sslconn ? sslconn->server : NULL; SSLSrvConfigRec *hssc = handshakeserver? mySrvConfig(handshakeserver) : NULL; - SSL_CTX *ctx = NULL; + SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL; BOOL renegotiate = FALSE, renegotiate_quick = FALSE; X509 *peercert; X509_STORE *cert_store = NULL;
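Review bot: In the ssl_engine_kernel.c hunk, `SSL_CTX *ctx = ssl ? SSL_get_SSL_CTX(ssl) : NULL;` still leaves ctx NULL whenever ssl is NULL, which is the same value the old `SSL_CTX *ctx = NULL;` initializer produced and the value that the "further processing down below" crashed on. Please confirm that every code path in ssl_hook_Access_classic that dereferences ctx (or passes it to the cert-store or verify-mode calls) is guarded by an earlier `if (!ssl)` return, or add one right after this declaration, so the renegotiation path cannot reach a NULL ctx again. Note also that SSL_get_SSL_CTX returns the SSL object's own reference; the context must not be released with SSL_CTX_free, so no matching cleanup is needed for this change.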
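Review bot: The CHANGES hunk credits the fix to [Ruediger Pluem] while the commit is "Submitted by: rjung" with rpluem listed only as a reviewer; please align the attribution with the trunk commit r1828793 so the two records agree. Separately, the entry under "Changes with Apache 2.4.37" states "This is a regression in 2.4.36 (unreleased)"; if 2.4.36 is never shipped, the parenthetical should be revisited before tagging so the released CHANGES file does not describe a regression in a version users never saw.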