On 9/12/24 6:04 PM, jor...@apache.org wrote:
> Author: jorton
> Date: Thu Sep 12 16:04:39 2024
> New Revision: 1920597
> 
> URL: http://svn.apache.org/viewvc?rev=1920597&view=rev
> Log:
> mod_ssl: Fix regression in r1914365 preventing pkcs11: key/cert lookup
> via the ENGINE API without SSLCryptoDevice configured.
> 
> * modules/ssl/ssl_engine_pphrase.c
>   (modssl_load_keypair_engine): Return APR_ENOTIMPL if the ENGINE
>   could not be loaded for the key.
>   (modssl_load_engine_keypair): Always try loading via ENGINE
>   (as prior to r1914365) but fall back to the STORE API for
>   the new APR_ENOTIMPL case.
> 
> Github: closes #480
> 
> Added:
>     httpd/httpd/trunk/changes-entries/modssl-engine-fallback.txt
> Modified:
>     httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> 

> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1920597&r1=1920596&r2=1920597&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Thu Sep 12 16:04:39 
> 2024

> @@ -831,7 +834,7 @@ static apr_status_t modssl_load_keypair_
>          ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
>                       "Init: Unrecognized private key identifier `%s'",
>                       keyid);

Shouldn't we switch from APLOG_EMERG to APLOG_NOTICE above?

> -        return ssl_die(s);
> +        return APR_ENOTIMPL;
>      }
>  
>      scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
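
Review bot: the unrecognized-identifier branch now returns APR_ENOTIMPL instead of calling ssl_die(s), but the ap_log_error just above it still logs APLOGNO(10131) at APLOG_EMERG. An EMERG line will therefore be written even when the caller recovers through the STORE API fallback named in the log message. Lower the level here, or let the caller emit the fatal message only once the fallback has also failed. The log message also says APR_ENOTIMPL is returned when the ENGINE could not be loaded, while this branch returns it for an identifier that was not recognized at all; the function's comment should state that both cases map to the same non-fatal status.
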
> @@ -839,8 +842,8 @@ static apr_status_t modssl_load_keypair_
>          ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
>                       "Init: Failed to load engine for private key %s",
>                       keyid);

Shouldn't we switch from APLOG_EMERG to APLOG_NOTICE above?

> -        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
> -        return ssl_die(s);
> +        ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
> +        return APR_ENOTIMPL;
>      }
>  
>      if (!ENGINE_init(e)) {
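
Review bot: in the engine-load failure branch the two log calls now disagree on severity: ssl_log_ssl_error was lowered to APLOG_NOTICE, but the ap_log_error for APLOGNO(10132) directly above it is still APLOG_EMERG. Since this path returns APR_ENOTIMPL and no longer ends in ssl_die(s), both calls should use the same non-fatal level, otherwise the log shows an emergency followed by a notice for one recoverable event. It would also help to document at the return that APR_ENOTIMPL signals the caller to try the STORE API.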

Regards

Rüdiger
