1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
# ./pullrev.sh 1374214 1375445
http://svn.apache.org/viewvc?view=revision&revision=1374214
http://svn.apache.org/viewvc?view=revision&revision=1375445
--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
+++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
@@ -1381,7 +1381,7 @@
for (n = 0; n < ncerts; n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n);
- if (!inf->x509 || !inf->x_pkey) {
+ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
@@ -1389,6 +1389,15 @@
ssl_die(s);
return;
}
+
+ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
+ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
+ APLOGNO(02326) "proxy client certificate and "
+ "private key do not match");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ return;
+ }
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
@@ -1401,7 +1410,11 @@
return;
}
- /* Load all of the CA certs and construct a chain */
+ /* If SSLProxyMachineCertificateChainFile is configured, load all
+ * the CA certs and have OpenSSL attempt to construct a full chain
+ * from each configured end-entity cert up to a root. This will
+ * allow selection of the correct cert given a list of root CA
+ * names in the certificate request from the server. */
pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
sctx = X509_STORE_CTX_new();
|
