From aa34530365eb56b00ab6812f3d177e6f9fe7df07 Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Fri, 23 Nov 2018 14:57:22 +0000
Subject: [PATCH] mod_ssl: Fixes PR 62880 where certificate loading fails bc SSL ERRs are not cleared beforehand.

+1: icing, jim, minfrin

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847280 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 6 ------
 modules/ssl/ssl_engine_init.c | 2 ++
 modules/ssl/ssl_util_ocsp.c | 2 ++
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2d5d335f14c..7190ebcf2b0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*- Changes with Apache 2.4.38
+ *) mod_ssl: clear *SSL errors before loading certificates and checking
+ afterwards. Otherwise errors are reported when other SSL using modules
+ are in play. Fixes PR 62880. [Michael Kaufmann]
+
 *) mod_ssl: Fix the error code returned in an error path of 'ssl_io_filter_handshake()'. This messes-up error handling performed in 'ssl_io_filter_error()' [Yann Ylavic]
diff --git a/STATUS b/STATUS
index 05696ac93e8..8cbc54bd694 100644
--- a/STATUS
+++ b/STATUS
@@ -126,12 +126,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: Fixes PR 62880 where certificate loading fails bc SSL ERRs are
- not cleared beforehand.
- trunk patch: http://svn.apache.org/r1845768
- 2.4.x patch: svn merge -c 1845768 ^/httpd/httpd/trunk .
- +1: icing, jim, minfrin
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ]
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index b7b2be796c2..753ed4b3a96 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1038,8 +1038,10 @@ static int use_certificate_chain(
 ctx->extra_certs = NULL;
 }
 #endif
+ /* create new extra chain by loading the certs */
 n = 0;
+ ERR_clear_error();
 while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
 if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
 X509_free(x509);
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index b11a6e924e5..b66e15146c8 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -363,7 +363,9 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
 BIO_free(bio);
 return NULL;
 }
+ /* create new extra chain by loading the certs */
+ ERR_clear_error();
 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
 if (!other_certs) {
 other_certs = sk_X509_new_null();
-- 
2.47.3
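Review bot: The added comment `/* create new extra chain by loading the certs */` describes the loop that already existed, while the line the hunk actually introduces, `ERR_clear_error();`, is left unexplained; the ssl_util_ocsp.c hunk below has the same gap. A reader without PR 62880 in front of them cannot see why the thread's OpenSSL error queue must be empty right before the `PEM_read_bio_X509` loop; the CHANGES entry implies the code after the loop inspects that queue to tell end of input from a real parse failure, and stale entries pushed by other SSL-using modules would make a clean load report an error. A why-comment on the new line would carry that, e.g. `ERR_clear_error(); /* drop stale errors left by other SSL users so the error check after this loop sees only this loop's failures (PR 62880) */`. The check itself is not visible here, since use_certificate_chain's body continues outside the hunk.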
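Review bot: The comment `/* create new extra chain by loading the certs */` is copied verbatim from use_certificate_chain and does not fit modssl_read_ocsp_certificates, which from the visible lines accumulates the certificates read from `file` into `other_certs`, a STACK_OF(X509), not into an SSL_CTX extra chain. Suggest rewording it to match this function, e.g. `/* read the certificates from the file; clear stale errors first so the post-loop error check reflects only this read (PR 62880) */`, so the comment explains the new `ERR_clear_error();` rather than restating the loop. The enclosing function starts and ends outside the hunk.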