Full_Name: Dennis Norgord
Version: 2.6.4-1.3.12
OS: Linux 6.1
Submission from: (NULL) (158.222.45.105)


Apache fails to start when two certificate keys are encrypted with
different pass phrases and SSLProxyVerify is specified.  The problem
can be corrected by calling ERR_clear_error() at the beginning of
ssl_ext_mp_init().

-------  stripped down httpsd.conf -------
<VirtualHost ...>
    SSLCertificateKeyFile /.../www.fred.com.key (passphrase fred)
</VirtualHost>

<VirtualHost ...>
    SSLCertificateKeyFile /.../www.wilma.com.key (passphrase wilma)
</VirtualHost>

<VirtualHost ...>
    SSLProxyVerify on
    SSLProxyCACertificateFile /.../ca-bundle.crt
</VirtualHost>
-------------------------------------------

ssl_engine_ext.c:270

  static void ssl_ext_mp_init(server_rec *s, pool *p)
  {
    SSLSrvConfigRec *sc;
    char *cpVHostID;
    int nVerify;
    SSL_CTX *ctx;
    char *cp;
    STACK_OF(X509_INFO) *sk;

    ERR_clear_error();   /* <<<<======= Add this function call */

    /*
     * Initialize each virtual server 
     */
    ...
  }

The problem is that SSL_CTX_load_verify_locations()
does not detect the end of file condition.

ssl_ext_mp_init()
  SSL_CTX_load_verify_locations()
    X509_STORE_load_locations()
      X509_LOOKUP_load_file()
        ctx->method->ctrl()
          by_file_ctrl()
            X509_load_cert_crl_file()
              PEM_X509_INFO_read_bio()
              {
                ...
                i=PEM_read_bio(bp,&name,&header,&data,&len);
                if (i == 0)
                {

                  /*******  See NOTE below  *******/

                  error = ERR_GET_REASON(ERR_peek_error());
                  if (error == PEM_R_NO_START_LINE)
                  {
                    ERR_clear_error();  /* (Should get here) */
                    break;
                  }
                  goto err;             /* (Gets here instead) */
                }
                ...
              }
  

NOTE: ERR_peek_error() picks off the oldest error on the list, not
the last error.  So even though PEM_R_NO_START_LINE is the error we
are trying to detect, it will not be detected if there are other
errors on the list.  In the case of having two private keys encrypted
with different passphrases, I've found that we have entered this code
with ERR_get_state()->top == 3 instead of 0.
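To make the queue behaviour behind this report concrete, here is a small C model written for this note (it is not OpenSSL's code, and the reason-code values are constructed placeholders, not OpenSSL's real numbers). It keeps a FIFO with `top`/`bottom` indices the way ERR_STATE does, runs the same `i == 0` / `PEM_R_NO_START_LINE` check as the loop quoted above, and shows that three stale pass-phrase errors left over from loading the two keys make the end-of-file check take the `goto err` path. It then shows the two ways out: calling `ERR_clear_error()` before the load, as proposed, or checking the newest error instead of the oldest (later OpenSSL releases provide `ERR_peek_last_error()` for that; the one here is the model's own stand-in).

```c
/* Added example: a toy model of the OpenSSL error queue. Names mirror the
 * OpenSSL API but the bodies are simplified stand-ins for illustration. */
#include <stdio.h>
#include <string.h>

#define ERR_NUM_ERRORS 16               /* size of the per-thread ring */
/* Reason codes: constructed values for this model only. */
#define PEM_R_NO_START_LINE      108
#define PEM_R_BAD_PASSWORD_READ  104
#define EVP_R_BAD_DECRYPT        100

/* Per-thread error state; the real one is reached via ERR_get_state(). */
static struct { unsigned long err[ERR_NUM_ERRORS]; int bottom, top; } es;

static void ERR_clear_error(void) { memset(&es, 0, sizeof es); }

/* Append an error: advance top, drop the oldest entry if the ring is full. */
static void ERR_put_error(unsigned long reason) {
    es.top = (es.top + 1) % ERR_NUM_ERRORS;
    if (es.top == es.bottom) es.bottom = (es.bottom + 1) % ERR_NUM_ERRORS;
    es.err[es.top] = reason;
}

/* OLDEST queued error (0 if empty): this is what ERR_peek_error() returns. */
static unsigned long ERR_peek_error(void) {
    if (es.bottom == es.top) return 0;
    return es.err[(es.bottom + 1) % ERR_NUM_ERRORS];
}

/* NEWEST queued error: what ERR_peek_last_error() returns in later OpenSSL. */
static unsigned long ERR_peek_last_error(void) {
    if (es.bottom == es.top) return 0;
    return es.err[es.top];
}

/* Simulated PEM_read_bio(): the constructed input holds *remaining PEM
 * blocks, then end of file, which is signalled by queueing
 * PEM_R_NO_START_LINE and returning 0. */
static int fake_PEM_read_bio(int *remaining) {
    if (*remaining > 0) { (*remaining)--; return 1; }
    ERR_put_error(PEM_R_NO_START_LINE);
    return 0;
}

/* Same check as the PEM_X509_INFO_read_bio() loop quoted in the report.
 * Returns the number of blocks read on a clean EOF, or -1 if the loop
 * took the "goto err" path. use_last selects newest- vs oldest-error peek. */
static int read_all_blocks(int n_blocks, int use_last) {
    int remaining = n_blocks, count = 0;
    for (;;) {
        int i = fake_PEM_read_bio(&remaining);
        if (i == 0) {
            unsigned long error = use_last ? ERR_peek_last_error()
                                           : ERR_peek_error();
            if (error == PEM_R_NO_START_LINE) { ERR_clear_error(); break; }
            return -1;                           /* goto err */
        }
        count++;
    }
    return count;
}

/* Reproduce the trigger: loading two keys with different pass phrases
 * leaves errors queued (the report observed top == 3 on entry). */
static void leave_stale_passphrase_errors(void) {
    ERR_put_error(PEM_R_BAD_PASSWORD_READ);
    ERR_put_error(EVP_R_BAD_DECRYPT);
    ERR_put_error(PEM_R_BAD_PASSWORD_READ);
}

/* Run one scenario over a constructed 3-block CA bundle. */
int scenario(int stale, int clear_first, int use_last) {
    ERR_clear_error();
    if (stale) leave_stale_passphrase_errors();
    if (clear_first) ERR_clear_error();   /* the fix proposed above */
    return read_all_blocks(3, use_last);
}

int main(void) {
    printf("clean queue:             %d\n", scenario(0, 0, 0));  /* 3  */
    printf("stale errors:            %d\n", scenario(1, 0, 0));  /* -1 */
    printf("stale + ERR_clear_error: %d\n", scenario(1, 1, 0));  /* 3  */
    printf("stale + peek newest:     %d\n", scenario(1, 0, 1));  /* 3  */
    return 0;
}
```

The second scenario is the reported failure: with `top == 3` on entry, the oldest entry is a pass-phrase error, so the EOF marker is never seen and the whole CA bundle load fails. Clearing the queue before the call, or reading the newest entry, both restore the expected result.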

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]