On Saturday 29 July 2017 20:49:18 Jan Klemkow wrote: > Hi Jack, > > On Fri, Jul 28, 2017 at 02:05:34AM +0930, Jack Burton wrote: > > On Thu, 27 Jul 2017 13:10:14 +0200 > > > > > But, I found a bug in the part of the FastCGI variables. The > > > following condition is always false. > > > > > > > Index: usr.sbin/httpd/server_fcgi.c > > > > =================================================================== > > > > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v > > > > retrieving revision 1.74 > > > > diff -u -p -r1.74 server_fcgi.c > > > > --- usr.sbin/httpd/server_fcgi.c 21 Jan 2017 11:32:04 > > > > -0000 1.74 +++ usr.sbin/httpd/server_fcgi.c 21 Jul > > > > 2017 08:25:57 -0000 @@ -282,11 +283,57 @@ server_fcgi(struct httpd > > > > *env, struct cl > > > > > > ... > > > > > > > + if (srv_conf->tls_ca != NULL) { > > > > > > ... > > > > That's odd -- I'm not seeing that behaviour here -- in my tests > > srv_conf->tls_ca always behaved just as expected (it's NULL iff the "tls > > client ca" directive is not given for that server). > > In the End, I found and fixed the real bug here: > > @@ -430,7 +438,11 @@ config_getserver_config(struct httpd *en > } > > f = SRVFLAG_TLS; > - srv_conf->flags |= parent->flags & f; > + if ((srv_conf->flags & f) == 0) { > + srv_conf->flags |= parent->flags & f; > + srv_conf->tls_ca = parent->tls_ca; > + srv_conf->tls_crl = parent->tls_crl;
I'd have to double check, however I'm pretty sure that this will result in a double-free since you're copying the pointer (without a reference count) across server config structs. Both will likely be passed to serverconfig_free(), which means free() will then be passed the same pointer twice. > + } > > f = SRVFLAG_ACCESS_LOG; > if ((srv_conf->flags & f) == 0) { > > This additional copy fixes the bug I have seen by this config: > > server "default" { > listen on 127.0.0.1 tls port 443 > > # TLS certificate and key files created with acme-client(1) > tls certificate "/root/ca/server.crt" > tls key "/root/ca/server.key" > #tls client ca "/root/ca/ca.crt" crl "/root/ca/ca.crl" > tls client ca "/root/ca/ca.crt" > > location "*.cgi" { > fastcgi > root "/var/www/cgi-bin/env.cgi" > } > > root "/htdocs/" > } > > You find the whole diff below. > I tested: > - TLS without client certs > - TLS with client certs and without CRL > - TLS with client certs and with CRL > - as well as environment variables in CGI-Scripts > > Everything should work now. > > Bye, > Jan