https://issues.apache.org/bugzilla/show_bug.cgi?id=54698
--- Comment #8 from [email protected] --- Compilation failed: ................... /usr/share/apr-1.0/build/libtool --silent --mode=compile i486-linux-gnu-gcc -pthread -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/srclib/pcre -I. -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/os/unix -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/server/mpm/prefork -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/http -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/filters -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/proxy -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/include -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/generators -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/mappers -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/database -I/usr/include/apr-1.0 -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/proxy/../generators -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/ssl -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/dav/main -prefer-non-pic -static -c ssl_engine_dh.c && touch ssl_engine_dh.lo /usr/share/apr-1.0/build/libtool --silent --mode=compile i486-linux-gnu-gcc -pthread -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/srclib/pcre -I. 
-I/root/httpd-2.2.24-PATCH/httpd-2.2.24/os/unix -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/server/mpm/prefork -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/http -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/filters -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/proxy -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/include -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/generators -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/mappers -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/database -I/usr/include/apr-1.0 -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/proxy/../generators -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/ssl -I/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/dav/main -prefer-non-pic -static -c ssl_engine_init.c && touch ssl_engine_init.lo ssl_engine_init.c: In function ‘ssl_init_proxy_certs’: ssl_engine_init.c:1064: error: ‘SSLLOG_MARK’ undeclared (first use in this function) ssl_engine_init.c:1064: error: (Each undeclared identifier is reported only once ssl_engine_init.c:1064: error: for each function it appears in.) 
ssl_engine_init.c:1065: error: expected ‘)’ before string constant ssl_engine_init.c:1067: warning: passing argument 3 of ‘ssl_log_ssl_error’ makes integer from pointer without a cast ssl_private.h:728: note: expected ‘int’ but argument is of type ‘struct server_rec *’ ssl_engine_init.c:1067: error: too few arguments to function ‘ssl_log_ssl_error’ ssl_engine_init.c:1068: error: too many arguments to function ‘ssl_die’ make[3]: *** [ssl_engine_init.lo] Error 1 make[3]: Leaving directory `/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/ssl' make[2]: *** [install-recursive] Error 1 make[2]: Leaving directory `/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules/ssl' make[1]: *** [install-recursive] Error 1 make[1]: Leaving directory `/root/httpd-2.2.24-PATCH/httpd-2.2.24/modules' make: *** [install-recursive] Error 1 I verified the patch, looks good: diff -u /root/httpd-2.2.24/modules/ssl/ssl_engine_init.c ssl_engine_init.c --- /root/httpd-2.2.24/modules/ssl/ssl_engine_init.c 2012-10-07 08:39:16.000000000 +0200 +++ ssl_engine_init.c 2013-03-20 19:39:48.000000000 +0100 @@ -1051,7 +1051,7 @@ for (n = 0; n < ncerts; n++) { X509_INFO *inf = sk_X509_INFO_value(sk, n); - if (!inf->x509 || !inf->x_pkey) { + if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) { sk_X509_INFO_free(sk); ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, "incomplete client cert configured for SSL proxy " @@ -1059,6 +1059,15 @@ ssl_die(); return; } + + if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) { + ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509, + APLOGNO(02326) "proxy client certificate and " + "private key do not match"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); + ssl_die(s); + return; + } } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, 
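Review bot: The new `X509_check_private_key` branch in the `@@ -1059,6 +1059,15 @@` hunk is written against the trunk/2.4 logging API — `SSLLOG_MARK`, `APLOGNO(02326)`, `ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s)` and `ssl_die(s)` — and that is exactly what the compile log above rejects on 2.2.24 (`SSLLOG_MARK` undeclared, `ssl_log_ssl_error` expecting an `int` as its third argument and more arguments overall, `ssl_die` taking none). The 2.2 spelling, consistent with the neighbouring lines of the same hunk, is `APLOG_MARK` in place of `SSLLOG_MARK`, no `APLOGNO` tag in front of the message, `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s)` and a bare `ssl_die()`; I have not seen the 2.2 prototype of `ssl_log_xerror`, but the compiler only objects to the string literal following `APLOGNO(...)`, so its remaining arguments appear to be accepted as written. The check itself is worth keeping as a startup-time control: a proxy client certificate whose key does not match would otherwise only surface as a TLS handshake failure against the backend. The sibling error branch frees `sk` before `ssl_die()` while this one does not; as ssl_die terminates the process this is only a consistency point, but the fence below mirrors it. The enclosing `for` loop and ssl_init_proxy_certs continue outside the hunk.
```c
        if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
            sk_X509_INFO_free(sk);
            ssl_log_xerror(APLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
                           "proxy client certificate and "
                           "private key do not match");
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
            ssl_die();
            return;
        }
```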
@@ -1070,7 +1079,11 @@ return; } - /* Load all of the CA certs and construct a chain */ + /* If SSLProxyMachineCertificateChainFile is configured, load all + * the CA certs and have OpenSSL attempt to construct a full chain + * from each configured end-entity cert up to a root. This will + * allow selection of the correct cert given a list of root CA + * names in the certificate request from the server. */ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk)); sctx = X509_STORE_CTX_new();
