Merge r1576741 from trunk:

A bug in some older versions of OpenSSL will cause a crash in SSL_get_certificate for servers where the certificate hasn't been sent. Workaround by setting the ssl structure to client mode which bypasses the faulty code in OpenSSL. Normally setting a server ssl structure to client mode would cause problems later on: but we are freeing the structure immediately without attempting to use it. Submitted by: drh Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1577137 13f79535-47bb-0310-9956-ffa450edef68
2025-08-06 11:06:17 +00:00 · 2014-03-13 12:39:33 +00:00
parent 7f8e501aa9
commit 5f15191cfa
1 changed files with 7 additions and 2 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@ -956,8 +956,13 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
         */
        if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) {
 #else
-        if (!(ssl = SSL_new(mctx->ssl_ctx)) ||
-            !(cert = SSL_get_certificate(ssl))) {
+        ssl = SSL_new(mctx->ssl_ctx);
+	if (ssl) {
+            /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */
+            SSL_set_connect_state(ssl);
+            cert = SSL_get_certificate(ssl);
+        }
+        if (!ssl || !cert) {
 #endif
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566)
                         "Unable to retrieve certificate %s", key_id);