From: Joe Orton Date: Fri, 11 Feb 2011 12:26:57 +0000 (+0000) Subject: * modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Fix possible X-Git-Tag: 2.3.11~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd6d4d2e48a3c85b55519071a159e73a2a04b778;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Fix possible startup failure in cases where multiple vhosts share the same "vhost-id" and private key file. The cached-key case would previously cause an abrupt return from the function, which could prevent processing of configured keypairs for other vhosts. There is no apparent reason to check for a "cache hit" against cached keys using *any* algorithm types; instead only check against a key with the matching type. Submitted by: Masahiro Matsuya , jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1069772 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index a89d2af1fc5..fe9cc6ca299 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.3.11
+ *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
+ are configured with the same ServerName and private key file.
+ [Masahiro Matsuya , Joe Orton]
+
 *) mod_socache_dc: Make module compile by fixing some typos.
 PR 50735 [Mark Montague ]
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index e8644111deb..3cea72df279 100644
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -211,6 +211,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
 && (sc->server->pks->cert_files[i] != NULL || sc->server->pkcs7); i++) {
 const char *key_id;
+ int using_cache = 0;
 if (sc->server->pkcs7) {
 STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
@@ -349,22 +350,17 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
 * are used to give a better idea as to what failed. */
 if (pkey_mtime) {
- int i;
-
- for (i=0; i < SSL_AIDX_MAX; i++) {
- const char *key_id =
- ssl_asn1_table_keyfmt(p, cpVHostID, i);
- ssl_asn1_t *asn1 =
- ssl_asn1_table_get(mc->tPrivateKey, key_id);
-
- if (asn1 && (asn1->source_mtime == pkey_mtime)) {
- ap_log_error(APLOG_MARK, APLOG_INFO,
- 0, pServ,
- "%s reusing existing "
- "%s private key on restart",
- cpVHostID, ssl_asn1_keystr(i));
- return;
- }
+ ssl_asn1_t *asn1 =
+ ssl_asn1_table_get(mc->tPrivateKey, key_id);
+
+ if (asn1 && (asn1->source_mtime == pkey_mtime)) {
+ ap_log_error(APLOG_MARK, APLOG_INFO,
+ 0, pServ,
+ "%s reusing existing "
+ "%s private key on restart",
+ cpVHostID, ssl_asn1_keystr(i));
+ using_cache = 1;
+ break;
 }
 }
@@ -468,6 +464,12 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
 ssl_die();
 }
+ /* If a cached private key was found, nothing more to do
+ * here; loop through to the next configured cert for this
+ * vhost. */
+ if (using_cache)
+ continue;
+
 if (pPrivateKey == NULL) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
 "Init: Unable to read server private key from "
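Review bot: The cache lookup now keys on `key_id` from the enclosing loop instead of formatting `ssl_asn1_table_keyfmt(p, cpVHostID, i)` itself, so it depends on `key_id` having been assigned for this index `i` on every path earlier in the loop body, which lies outside the hunk; worth confirming for both the pkcs7 and cert_files cases. The reuse decision rests on `asn1->source_mtime == pkey_mtime` alone, so a key file rewritten with its timestamp preserved, or within the timestamp's resolution, keeps the cached key across a restart; a comment above the `if (asn1 && ...)` such as `/* Reuse is decided by mtime only: a key rewritten with its mtime preserved is not re-read on restart. */` would make that contract visible to the next maintainer. The `break` leaves a loop whose start is outside the hunk, so what it skips cannot be checked here.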
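Review bot: `if (using_cache) continue;` skips the remainder of the loop body, which starts and ends outside the hunk, where the previous `return` left the whole function; if that remainder does per-key bookkeeping — the loop header in the earlier hunk initialises `j` alongside `i`, and the non-cached path presumably stores the freshly read key into `mc->tPrivateKey` — confirm that none of it is needed when the cached entry is reused. The added comment could also state what the cached path leaves unset, e.g. `* vhost. pPrivateKey is not loaded in this case; the existing table entry stands. */`, so that code added after this point does not dereference it.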