From: Jim Jagielski Date: Tue, 22 Nov 2016 13:42:51 +0000 (+0000) Subject: Merge r1756542 from trunk: X-Git-Tag: 2.4.24~104 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=781c54516f0e4d1948ecf3ee0d011cf193594301;p=thirdparty%2Fapache%2Fhttpd.git Merge r1756542 from trunk: mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate in the client certificate chain. PR 55786. This is done by handling an empty cert chain as no/NULL chain. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770838 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 4faf997abc4..2861e585759 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.24 + *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate + in the client certificate chain. PR 55786. [Yann Ylavic] + *) mod_dir: Responses that go through "FallbackResource" might appear to hang due to unterminated chunked encoding. PR58292. [Eric Covener] diff --git a/STATUS b/STATUS index b82e9f83a9d..31b59ce3511 100644 --- a/STATUS +++ b/STATUS @@ -117,11 +117,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate - in the client certificate chain. PR 55786. - trunk patch: http://svn.apache.org/r1756542 - 2.4.x patch: trunk works (modulo CHANGES) - +1: ylavic, icing (by inspectin), jim PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 97c794d6f24..d4459a2f265 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
@@ -884,7 +884,14 @@ int ssl_hook_Access(request_rec *r) cert = SSL_get_peer_certificate(ssl); - if (!cert_stack && cert) { + if (!cert_stack || (sk_X509_num(cert_stack) == 0)) { + if (!cert) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222) + "Cannot find peer certificate chain"); + + return HTTP_FORBIDDEN; + } + /* client cert is in the session cache, but there is * no chain, since ssl3_get_client_certificate() * sk_X509_shift-ed the peer cert out of the chain. @@ -894,13 +901,6 @@ int ssl_hook_Access(request_rec *r) sk_X509_push(cert_stack, cert); } - if (!cert_stack || (sk_X509_num(cert_stack) == 0)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222) - "Cannot find peer certificate chain"); - - return HTTP_FORBIDDEN; - } - if (!(cert_store || (cert_store = SSL_CTX_get_cert_store(ctx)))) {
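Review bot: the new CHANGES entry (first hunk) spells the SSLOptions flag as "OptRenegotiaton"; the directive is `SSLOptions +OptRenegotiate`, so the parenthetical should read "(OptRenegotiate)" before release, because CHANGES is user-facing and gets searched by directive name. The same misspelling is inherited from the commit subject and the STATUS entry being removed, but this is the place to stop it from reaching the 2.4.24 release notes.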
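Review bot: in the `@@ -884,7 +884,14 @@` hunk, the widened condition `if (!cert_stack || (sk_X509_num(cert_stack) == 0))` now also admits an allocated-but-empty stack, which is the PR 55786 case (the peer cert was shifted out of the chain, leaving an empty stack rather than a NULL one), and moving the "Cannot find peer certificate chain" / `HTTP_FORBIDDEN` check inside it means the forbidden path only fires when there is neither a chain nor a peer certificate, which is the intended behaviour. Two things to confirm against the lines this hunk does not show, between the comment and `sk_X509_push(cert_stack, cert);`: whatever allocates `cert_stack` there must handle both the NULL case and the empty-but-allocated case, since an unconditional `sk_X509_new_null()` would leak the existing empty stack, while skipping allocation on the NULL branch would hand a NULL stack to `sk_X509_push`, which fails. A one-line `if (!cert_stack) { cert_stack = sk_X509_new_null(); }` guard is the shape that covers both.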
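Review bot: in the `@@ -894,13 +901,6 @@` hunk, removing the trailing `if (!cert_stack || (sk_X509_num(cert_stack) == 0))` block means nothing downstream verifies that the fix-up actually produced a non-empty chain: `sk_X509_push(cert_stack, cert);` in the context above discards its return value, and on allocation failure it returns 0 and leaves the stack empty, so execution would continue into the `SSL_CTX_get_cert_store(ctx)` verification with an empty `cert_stack` and a leaked `cert` (the reference from `SSL_get_peer_certificate` is never released on that path). Suggest checking the push result, e.g. `if (!sk_X509_push(cert_stack, cert)) { X509_free(cert); return HTTP_INTERNAL_SERVER_ERROR; }`, so the failure mode the removed block used to catch is still covered. Otherwise the removal is the correct counterpart to the relocated check and stops rejecting a client whose only chain entry was the shifted-out leaf.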