mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs

configured with the SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
(check at startup, to prevent segfaults at proxy request time)

trunk patches: https://svn.apache.org/r1374214
               https://svn.apache.org/r1374216
               https://svn.apache.org/r1375445
               https://svn.apache.org/r1467593
2.4.x patch: https://people.apache.org/~kbrand/PR52212_54698_2.4.x.patch

Submitted by: kbrand
Reviewed by: jorton, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1476685 13f79535-47bb-0310-9956-ffa450edef68
Graham Leggett
2013-04-27 22:18:02 +00:00
parent 10f016d7ed
commit 059505bfac
3 changed files with 20 additions and 12 deletions


@ -1354,7 +1354,8 @@ static void ssl_init_proxy_certs(server_rec *s,
for (n = 0; n < ncerts; n++) {
X509_INFO *inf = sk_X509_INFO_value(sk, n);
if (!inf->x509 || !inf->x_pkey) {
if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
inf->enc_data) {
sk_X509_INFO_free(sk);
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
"incomplete client cert configured for SSL proxy "
@ -1362,6 +1363,15 @@ static void ssl_init_proxy_certs(server_rec *s,
ssl_die(s);
return;
}
if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
APLOGNO(02326) "proxy client certificate and "
"private key do not match");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
ssl_die(s);
return;
}
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
@ -1374,7 +1384,11 @@ static void ssl_init_proxy_certs(server_rec *s,
return;
}
/* Load all of the CA certs and construct a chain */
/* If SSLProxyMachineCertificateChainFile is configured, load all
* the CA certs and have OpenSSL attempt to construct a full chain
* from each configured end-entity cert up to a root. This will
* allow selection of the correct cert given a list of root CA
* names in the certificate request from the server. */
pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
sctx = X509_STORE_CTX_new();