Author: dsahlberg
Date: Tue Jun 24 21:50:29 2025
New Revision: 1926705
URL: http://svn.apache.org/viewvc?rev=1926705&view=rev
Log: Add a dedicated flag for server signature check failure.
This helps to detect for example a server certificate signed by an unsupported signature algorithm (as happens in for example Fedora 42 due to removal of the MD5 algorithm). * serf_bucket_types.h Add the SERF_SSL_SIGNATURE_FAILURE flag * buckets/ssl_buckets.c (validate_server_certificate): Return SERF_SSL_SIGNATURE_FAILURE in case of error verifying the CRL or Certificate signature. * test/test_ssl.c (format_cert_failures): Manage the SERF_SSL_SIGNATURE_FAILURE flag Patch by: Graham Leggett <minfrin> See GitHub PR #7 (second part) Modified: serf/trunk/buckets/ssl_buckets.c serf/trunk/serf_bucket_types.h serf/trunk/test/test_ssl.c Modified: serf/trunk/buckets/ssl_buckets.c URL: http://svn.apache.org/viewvc/serf/trunk/buckets/ssl_buckets.c?rev=1926705&r1=1926704&r2=1926705&view=diff ============================================================================== --- serf/trunk/buckets/ssl_buckets.c (original) +++ serf/trunk/buckets/ssl_buckets.c Tue Jun 24 21:50:29 2025 @@ -890,6 +890,10 @@ validate_server_certificate(int cert_val case X509_V_ERR_UNABLE_TO_GET_CRL: failures |= SERF_SSL_CERT_UNABLE_TO_GET_CRL; break; + case X509_V_ERR_CERT_SIGNATURE_FAILURE: + case X509_V_ERR_CRL_SIGNATURE_FAILURE: + failures |= SERF_SSL_SIGNATURE_FAILURE; + break; default: serf__log(LOGLVL_WARNING, LOGCOMP_SSL, __FILE__, ctx->config, Modified: serf/trunk/serf_bucket_types.h URL: http://svn.apache.org/viewvc/serf/trunk/serf_bucket_types.h?rev=1926705&r1=1926704&r2=1926705&view=diff ============================================================================== --- serf/trunk/serf_bucket_types.h (original) +++ serf/trunk/serf_bucket_types.h Tue Jun 24 21:50:29 2025 
@@ -583,6 +583,8 @@ serf_bucket_t *serf_bucket_limit_create( #define SERF_SSL_OCSP_RESPONDER_ERROR 0x0200 #define SERF_SSL_OCSP_RESPONDER_UNKNOWN_FAILURE 0x0400 +#define SERF_SSL_SIGNATURE_FAILURE 0x0800 + extern const serf_bucket_type_t serf_bucket_type_ssl_encrypt; #define SERF_BUCKET_IS_SSL_ENCRYPT(b) SERF_BUCKET_CHECK((b), ssl_encrypt) Modified: serf/trunk/test/test_ssl.c URL: http://svn.apache.org/viewvc/serf/trunk/test/test_ssl.c?rev=1926705&r1=1926704&r2=1926705&view=diff ============================================================================== --- serf/trunk/test/test_ssl.c (original) +++ serf/trunk/test/test_ssl.c Tue Jun 24 21:50:29 2025 @@ -502,6 +502,11 @@ static const char *format_cert_failures( failures &= ~SERF_SSL_OCSP_RESPONDER_UNKNOWN_FAILURE; } + if (failures & SERF_SSL_SIGNATURE_FAILURE) { + str = apr_pstrcat(pool, str, *str ? "|" : "", "SIGNATURE_FAILURE", NULL); + failures &= ~SERF_SSL_SIGNATURE_FAILURE; + } + if (failures) { /* Unexpected or unknown cert failure. */ REPORT_TEST_SUITE_ERROR();
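Review bot: the two new cases in validate_server_certificate (buckets/ssl_buckets.c hunk) fold two distinct OpenSSL results, X509_V_ERR_CERT_SIGNATURE_FAILURE and X509_V_ERR_CRL_SIGNATURE_FAILURE, into the single SERF_SSL_SIGNATURE_FAILURE bit, so a server-certificate callback can no longer tell whether the certificate itself or a CRL failed signature verification; the existing SERF_SSL_CERT_UNABLE_TO_GET_CRL flag shows the code otherwise keeps certificate and CRL conditions apart. If one shared bit is the intended API, state that in the log message and header comment; otherwise consider a separate CRL-specific flag. Note also that both errors previously fell through to the `default:` branch, which calls serf__log at LOGLVL_WARNING with the error details; with the dedicated cases that log line is skipped, so a debug- or info-level serf__log in the new branch would preserve the diagnostic for the "unsupported signature algorithm" situation the commit message describes.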
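Review bot: `#define SERF_SSL_SIGNATURE_FAILURE 0x0800` (serf_bucket_types.h hunk) is added without a comment saying when it is set, and it is a new value that existing server-certificate callbacks have never received in `failures`. Please add a one-line comment next to the define, for example that the signature on the server certificate or on a CRL could not be verified (including signature algorithms the crypto library no longer supports), and mention the new bit in the API documentation or CHANGES so callback authors that reason about individual failure bits know a new one can now appear.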
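Review bot: the new `if (failures & SERF_SSL_SIGNATURE_FAILURE)` branch in format_cert_failures (test/test_ssl.c hunk) only teaches the test helper to name the flag; nothing in this patch produces it, so the mapping added in validate_server_certificate is never exercised. A test certificate whose signature does not verify (e.g. a fixture with a deliberately altered signature field) would drive X509_V_ERR_CERT_SIGNATURE_FAILURE deterministically on every platform, whereas a certificate signed with a legacy algorithm only triggers the path on builds where that algorithm has been disabled, so the former makes the better regression test. The apr_pstrcat/`*str ? "|" : ""` pattern itself matches the surrounding branches.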