Excellent - thank you - this has bitten me so many times! Dw.
On Wed, 10 Nov 2004 [EMAIL PROTECTED] wrote:
> jorton 2004/11/10 03:49:38
>
> Modified: modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_init.c
> Log:
> Backport from HEAD:
>
> * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fail early
> (rather than segfault later) if a client cert is configured which is
> missing either the certificate or private key.
>
> PR: 24030
> Reviewed by: jorton, minfrin, jerenkrantz, wrowe
>
> Revision Changes Path
> No revision
> No revision
> 1.106.2.15 +24 -10 httpd-2.0/modules/ssl/ssl_engine_init.c
>
> Index: ssl_engine_init.c
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
> retrieving revision 1.106.2.14
> retrieving revision 1.106.2.15
> diff -d -w -u -r1.106.2.14 -r1.106.2.15
> --- ssl_engine_init.c 10 Nov 2004 11:42:05 -0000 1.106.2.14
> +++ ssl_engine_init.c 10 Nov 2004 11:49:37 -0000 1.106.2.15
> @@ -892,7 +892,7 @@
> apr_pool_t *ptemp,
> modssl_ctx_t *mctx)
> {
> - int ncerts = 0;
> + int n, ncerts = 0;
> STACK_OF(X509_INFO) *sk;
> modssl_pk_proxy_t *pkp = mctx->pkp;
>
> @@ -913,18 +913,32 @@
> SSL_X509_INFO_load_path(ptemp, sk, pkp->cert_path);
> }
>
> - if ((ncerts = sk_X509_INFO_num(sk)) > 0) {
> - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
> - "loaded %d client certs for SSL proxy",
> - ncerts);
> -
> - pkp->certs = sk;
> - }
> - else {
> + if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
> + sk_X509_INFO_free(sk);
> ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
> "no client certs found for SSL proxy");
> + return;
> + }
> +
> + /* Check that all client certs have got certificates and private
> + * keys. */
> + for (n = 0; n < ncerts; n++) {
> + X509_INFO *inf = sk_X509_INFO_value(sk, n);
> +
> + if (!inf->x509 || !inf->x_pkey) {
> sk_X509_INFO_free(sk);
> + ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
> + "incomplete client cert configured for SSL proxy "
> + "(missing or encrypted private key?)");
> + ssl_die();
> + return;
> }
> + }
> +
> + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
> + "loaded %d client certs for SSL proxy",
> + ncerts);
> + pkp->certs = sk;
> }
>
> static void ssl_init_proxy_ctx(server_rec *s,
>
>
>
>
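Review bot: The new test `if (!inf->x509 || !inf->x_pkey)` does not detect the encrypted-key case that the accompanying log message names: if the stack is filled by OpenSSL's PEM X509_INFO reader (which SSL_X509_INFO_load_path above presumably wraps), an encrypted private key still yields a non-NULL x_pkey, with the ciphertext kept in enc_data and no decoded dec_pkey, so such an entry passes the loop and the failure is deferred to handshake time instead of startup. Tightening the condition to `if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey || inf->enc_data)` would make the early failure cover what the message promises. The message also cannot tell an operator which of the ncerts entries is incomplete when several are loaded from pkp->cert_path; logging the loop index, e.g. `"incomplete client cert #%d configured for SSL proxy (missing or encrypted private key?)", n`, would make it actionable. Note that sk_X509_INFO_free releases only the stack, not the X509_INFO entries, which matters only if ssl_die() can return (the `return;` after it suggests the author was unsure). ssl_init_proxy_certs begins before this hunk; its signature is in the preceding hunk.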