Bug ID: 64262
           Summary: Unsafe error handling: when using OpenSSL API
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
  Target Milestone: ---

There is a potential bug in modules/ssl/ssl_engine_init.c:1715-1727. 

According to OpenSSL API document, "X509_STORE_CTX_get1_chain() returns a
complete validate chain if a previous call to X509_verify_cert() is successful.
If the call to X509_verify_cert() is not successful the returned chain may be
incomplete or invalid. "

So it's unsafe to just log the error and execute the
'X509_STORE_CTX_get1_chain' when (X509_verify_cert(sctx) != 1.

1715:   if (X509_verify_cert(sctx) != 1) {
            int err = X509_STORE_CTX_get_error(sctx);
            ssl_log_xerror(SSLLOG_MARK, APLOG_WARNING, 0, ptemp, s, inf->x509,
                           APLOGNO(02270) "SSL proxy client cert chain "
                           "verification failed: %s :",

        /* Clear X509_verify_cert errors */

        /* Obtain a copy of the verified chain */
        chain = X509_STORE_CTX_get1_chain(sctx);

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to