|
 |
ca8514 |
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
|
|
|
ca8514 |
index 8b6c34f..3587fb5 100644
|
|
|
ca8514 |
--- a/modules/ssl/ssl_engine_init.c
|
|
|
ca8514 |
+++ b/modules/ssl/ssl_engine_init.c
|
|
|
ca8514 |
@@ -1609,6 +1609,10 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
|
|
|
ca8514 |
STACK_OF(X509) *chain;
|
|
|
ca8514 |
X509_STORE_CTX *sctx;
|
|
|
ca8514 |
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
|
|
|
ca8514 |
+ int addl_chain = 0; /* non-zero if additional chain certs were
|
|
|
ca8514 |
+ * added to store */
|
|
|
ca8514 |
+
|
|
|
ca8514 |
+ ap_assert(store != NULL); /* safe to assume always non-NULL? */
|
|
|
ca8514 |
|
|
|
ca8514 |
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
|
|
|
ca8514 |
/* For OpenSSL >=1.1.1, turn on client cert support which is
|
|
|
ca8514 |
@@ -1653,20 +1657,28 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
|
|
|
ca8514 |
}
|
|
|
ca8514 |
}
|
|
|
ca8514 |
|
|
|
ca8514 |
- if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
|
|
|
ca8514 |
- sk_X509_INFO_free(sk);
|
|
|
ca8514 |
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
|
|
|
ca8514 |
- "no client certs found for SSL proxy");
|
|
|
ca8514 |
- return APR_SUCCESS;
|
|
|
ca8514 |
- }
|
|
|
ca8514 |
-
|
|
|
ca8514 |
/* Check that all client certs have got certificates and private
|
|
|
ca8514 |
- * keys. */
|
|
|
ca8514 |
- for (n = 0; n < ncerts; n++) {
|
|
|
ca8514 |
+ * keys. Note the number of certs in the stack may decrease
|
|
|
ca8514 |
+ * during the loop. */
|
|
|
ca8514 |
+ for (n = 0; n < sk_X509_INFO_num(sk); n++) {
|
|
|
ca8514 |
X509_INFO *inf = sk_X509_INFO_value(sk, n);
|
|
|
ca8514 |
+ int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey;
|
|
|
ca8514 |
+
|
|
|
ca8514 |
+ /* For a lone certificate in the file, trust it as a
|
|
|
ca8514 |
+ * CA/intermediate certificate. */
|
|
|
ca8514 |
+ if (inf->x509 && !has_privkey && !inf->enc_data) {
|
|
|
ca8514 |
+ ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509,
|
|
|
ca8514 |
+ APLOGNO(10261) "Trusting non-leaf certificate");
|
|
|
ca8514 |
+ X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */
|
|
|
ca8514 |
+ /* Delete from the stack and iterate again. */
|
|
|
ca8514 |
+ X509_INFO_free(inf);
|
|
|
ca8514 |
+ sk_X509_INFO_delete(sk, n);
|
|
|
ca8514 |
+ n--;
|
|
|
ca8514 |
+ addl_chain = 1;
|
|
|
ca8514 |
+ continue;
|
|
|
ca8514 |
+ }
|
|
|
ca8514 |
|
|
|
ca8514 |
- if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey ||
|
|
|
ca8514 |
- inf->enc_data) {
|
|
|
ca8514 |
+ if (!has_privkey || inf->enc_data) {
|
|
|
ca8514 |
sk_X509_INFO_free(sk);
|
|
|
ca8514 |
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
|
|
|
ca8514 |
"incomplete client cert configured for SSL proxy "
|
|
|
ca8514 |
@@ -1683,13 +1695,21 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
|
|
|
ca8514 |
}
|
|
|
ca8514 |
}
|
|
|
ca8514 |
|
|
|
ca8514 |
+ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) {
|
|
|
ca8514 |
+ sk_X509_INFO_free(sk);
|
|
|
ca8514 |
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206)
|
|
|
ca8514 |
+ "no client certs found for SSL proxy");
|
|
|
ca8514 |
+ return APR_SUCCESS;
|
|
|
ca8514 |
+ }
|
|
|
ca8514 |
+
|
|
|
ca8514 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
|
|
|
ca8514 |
"loaded %d client certs for SSL proxy",
|
|
|
ca8514 |
ncerts);
|
|
|
ca8514 |
pkp->certs = sk;
|
|
|
ca8514 |
|
|
|
ca8514 |
-
|
|
|
ca8514 |
- if (!pkp->ca_cert_file || !store) {
|
|
|
ca8514 |
+ /* If any chain certs are configured, build the ->ca_certs chains
|
|
|
ca8514 |
+ * corresponding to the loaded keypairs. */
|
|
|
ca8514 |
+ if (!pkp->ca_cert_file && !addl_chain) {
|
|
|
ca8514 |
return APR_SUCCESS;
|
|
|
ca8514 |
}
|
|
|
ca8514 |
|
|
|
ca8514 |
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
|
|
|
ca8514 |
index 2a08d1c..8055200 100644
|
|
|
ca8514 |
--- a/modules/ssl/ssl_private.h
|
|
|
ca8514 |
+++ b/modules/ssl/ssl_private.h
|
|
|
ca8514 |
@@ -655,10 +655,13 @@ typedef struct {
|
|
|
ca8514 |
const char *cert_file;
|
|
|
ca8514 |
const char *cert_path;
|
|
|
ca8514 |
const char *ca_cert_file;
|
|
|
ca8514 |
- STACK_OF(X509_INFO) *certs; /* Contains End Entity certs */
|
|
|
ca8514 |
- STACK_OF(X509) **ca_certs; /* Contains ONLY chain certs for
|
|
|
ca8514 |
- * each item in certs.
|
|
|
ca8514 |
- * (ptr to array of ptrs) */
|
|
|
ca8514 |
+ /* certs is a stack of configured cert, key pairs. */
|
|
|
ca8514 |
+ STACK_OF(X509_INFO) *certs;
|
|
|
ca8514 |
+ /* ca_certs contains ONLY chain certs for each item in certs.
|
|
|
ca8514 |
+ * ca_certs[n] is a pointer to the (STACK_OF(X509) *) stack which
|
|
|
ca8514 |
+ * holds the cert chain for the 'n'th cert in the certs stack, or
|
|
|
ca8514 |
+ * NULL if no chain is configured. */
|
|
|
ca8514 |
+ STACK_OF(X509) **ca_certs;
|
|
|
ca8514 |
} modssl_pk_proxy_t;
|
|
|
ca8514 |
|
|
|
ca8514 |
/** stuff related to authentication that can also be per-dir */
|