[httpd] mod_ssl: add check for proxy keypair match (upstream r1374214)
jorton
jorton at fedoraproject.org
Tue Aug 21 14:57:54 UTC 2012
commit 7d53cc989ec1ba37d8061d6e19c098511a62e214
Author: Joe Orton <jorton at redhat.com>
Date: Tue Aug 21 15:57:50 2012 +0100
mod_ssl: add check for proxy keypair match (upstream r1374214)
httpd-2.4.2-r1374214+.patch | 45 +++++++++++++++++++++++++++++++++++++++++++
httpd.spec | 9 +++++++-
2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch
new file mode 100644
index 0000000..af5d2ab
--- /dev/null
+++ b/httpd-2.4.2-r1374214+.patch
@@ -0,0 +1,45 @@
+# ./pullrev.sh 1374214 1375445
+
+http://svn.apache.org/viewvc?view=revision&revision=1374214
+http://svn.apache.org/viewvc?view=revision&revision=1375445
+
+--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
++++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
+@@ -1381,7 +1381,7 @@
+ for (n = 0; n < ncerts; n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+- if (!inf->x509 || !inf->x_pkey) {
++ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
+ "incomplete client cert configured for SSL proxy "
+@@ -1389,6 +1389,15 @@
+ ssl_die(s);
+ return;
+ }
++
++ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
++ APLOGNO(02326) "proxy client certificate and "
++ "private key do not match");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
++ ssl_die(s);
++ return;
++ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
+@@ -1401,7 +1410,11 @@
+ return;
+ }
+
+- /* Load all of the CA certs and construct a chain */
++ /* If SSLProxyMachineCertificateChainFile is configured, load all
++ * the CA certs and have OpenSSL attempt to construct a full chain
++ * from each configured end-entity cert up to a root. This will
++ * allow selection of the correct cert given a list of root CA
++ * names in the certificate request from the server. */
+ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+ sctx = X509_STORE_CTX_new();
+
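Review bot: The new key-mismatch branch goes straight to `ssl_die(s)` without releasing `sk`, while the incomplete-cert branch immediately above it calls `sk_X509_INFO_free(sk);` before logging and dying; the explicit `return;` after `ssl_die(s)` suggests the function is expected to return in at least some modes, so the stack should be freed on this path too — add `sk_X509_INFO_free(sk);` as the first statement inside the `if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1)` block. The check itself is the right hardening: a proxy client certificate paired with the wrong private key would otherwise only surface as a failed TLS handshake at request time instead of a startup error, and `X509_check_private_key()` returns 1 only on a match, so comparing against `!= 1` is correct. The added `!inf->x_pkey->dec_pkey` guard is needed since `dec_pkey` is dereferenced by the new call; it would help to say so in a short comment such as `/* dec_pkey is NULL when the key could not be decrypted */`, hedged as a presumption since the loader is not visible here. The enclosing function starts before and ends after this hunk, so whether `sk` is freed on a later path cannot be confirmed from the diff alone.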
diff --git a/httpd.spec b/httpd.spec
index 134ea77..1d47b85 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -48,6 +48,8 @@ Patch25: httpd-2.4.1-selinux.patch
Patch26: httpd-2.4.2-r1337344+.patch
Patch27: httpd-2.4.2-icons.patch
Patch28: httpd-2.4.2-r1332643+.patch
+# Bug fixes
+Patch50: httpd-2.4.2-r1374214+.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -156,6 +158,8 @@ authentication to the Apache HTTP Server.
%patch27 -p1 -b .icons
%patch28 -p1 -b .r1332643+
+%patch50 -p1 -b .r1374214+
+
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch --fuzz=%{_default_patch_fuzz} -p1
@@ -570,6 +574,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Tue Aug 21 2012 Joe Orton <jorton at redhat.com> - 2.4.3-2
+- mod_ssl: add check for proxy keypair match (upstream r1374214)
+
* Tue Aug 21 2012 Joe Orton <jorton at redhat.com> - 2.4.3-1
- update to 2.4.3 (#849883)
- own the docroot (#848121)