
svn commit: r1915740 - in /httpd/httpd/branches/2.4.x: ./ changes-entries/pr61574.txt modules/ssl/ssl_engine_init.c
Author: jorton
Date: Mon Feb 12 08:37:35 2024
New Revision: 1915740

URL: http://svn.apache.org/viewvc?rev=1915740&view=rev
Log:
Merge r1825120 from trunk:

* modules/ssl/ssl_engine_init.c (ssl_init_PushCAList): Remove function.
(ssl_init_ca_cert_path): Use SSL_add_file_cert_subjects_to_stack()
instead.

[Edit: This does change behaviour: the acceptable client CA list is now
always sent in sorted order rather than in configured/file order.
In the case of SSLCACertificatePath and SSLCADNRequestPath, the
order will be stable rather than non-deterministic as previously.]

PR: 61574
Github: closes #406
Reviewed by: jorton, jfclere, covener

Added:
httpd/httpd/branches/2.4.x/changes-entries/pr61574.txt
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1825120

Added: httpd/httpd/branches/2.4.x/changes-entries/pr61574.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/changes-entries/pr61574.txt?rev=1915740&view=auto
==============================================================================
--- httpd/httpd/branches/2.4.x/changes-entries/pr61574.txt (added)
+++ httpd/httpd/branches/2.4.x/changes-entries/pr61574.txt Mon Feb 12 08:37:35 2024
@@ -0,0 +1,4 @@
+ *) mod_ssl: Use OpenSSL-standard functions to assemble CA
+ name lists for SSLCACertificatePath/SSLCADNRequestPath.
+ Names will now be consistently sorted. PR 61574.
+ [Joe Orton]

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1915740&r1=1915739&r2=1915740&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Mon Feb 12 08:37:35 2024
@@ -2248,46 +2248,6 @@ static int ssl_init_FindCAList_X509NameC
return(X509_NAME_cmp(*a, *b));
}

-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
- server_rec *s, apr_pool_t *ptemp,
- const char *file)
-{
- int n;
- STACK_OF(X509_NAME) *sk;
-
- sk = (STACK_OF(X509_NAME) *)
- SSL_load_client_CA_file(file);
-
- if (!sk) {
- return;
- }
-
- for (n = 0; n < sk_X509_NAME_num(sk); n++) {
- X509_NAME *name = sk_X509_NAME_value(sk, n);
-
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
- "CA certificate: %s",
- modssl_X509_NAME_to_string(ptemp, name, 0));
-
- /*
- * note that SSL_load_client_CA_file() checks for duplicates,
- * but since we call it multiple times when reading a directory
- * we must also check for duplicates ourselves.
- */
-
- if (sk_X509_NAME_find(ca_list, name) < 0) {
- /* this will be freed when ca_list is */
- sk_X509_NAME_push(ca_list, name);
- }
- else {
- /* need to free this ourselves, else it will leak */
- X509_NAME_free(name);
- }
- }
-
- sk_X509_NAME_free(sk);
-}
-
static apr_status_t ssl_init_ca_cert_path(server_rec *s,
apr_pool_t *ptemp,
const char *path,
@@ -2310,7 +2270,7 @@ static apr_status_t ssl_init_ca_cert_pat
}
file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
if (ca_list) {
- ssl_init_PushCAList(ca_list, s, ptemp, file);
+ SSL_add_file_cert_subjects_to_stack(ca_list, file);
}
if (xi_list) {
load_x509_info(ptemp, xi_list, file);
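Review bot: The return value of SSL_add_file_cert_subjects_to_stack() is discarded on the new line, so a file in the directory that cannot be opened or whose names cannot be pushed (the function returns 0 in that case) is silently left out of the advertised CA list, and the per-name APLOG_DEBUG trace that the removed ssl_init_PushCAList() emitted under APLOGNO(02209) disappears with no replacement. A silently dropped CA shows up to operators only as clients of that CA being rejected, which is hard to trace without a log line. Since `s` is still passed into this function, the minimal fix is to check the result and log it with a fresh APLOGNO tag, e.g. `if (!SSL_add_file_cert_subjects_to_stack(ca_list, file)) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "failed to load CA names from %s", file);` (tag omitted here, it has to be allocated from the project's number pool). The enclosing ssl_init_ca_cert_path() starts before this hunk, so it is possible `s` is otherwise unused after this change; worth a compiler warning check.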
@@ -2339,7 +2299,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList
* Process CA certificate bundle file
*/
if (ca_file) {
- ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
+ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
/*
* If ca_list is still empty after trying to load ca_file
* then the file failed to load, and users should hear about that.
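Review bot: The comment following the new call keeps relying on "ca_list is still empty" as the only failure signal, but SSL_add_file_cert_subjects_to_stack() reports failure through its return value, and as far as I can tell from its OpenSSL implementation a read or push error partway through a bundle returns 0 while leaving the names already pushed on the stack. In that case ca_list is non-empty, the existing emptiness check (which continues past the hunk) does not fire, and the truncated list is served without any diagnostic; the emptiness check is also only meaningful if nothing else has populated ca_list before this point, which this hunk does not show. I would test the result directly and keep the emptiness check as a secondary diagnostic: `if (!SSL_add_file_cert_subjects_to_stack(ca_list, ca_file)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "failed to load CA names from %s", ca_file); }` with a new APLOGNO tag, and adjust the comment to say that an empty list after a successful call means the file contained no certificates. The enclosing ssl_init_FindCAList() starts before and ends after this hunk.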