Changeset 2b76a9c in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jan 29, 2013, 3:41:38 PM (7 years ago)
Author:
Daniel Kahn Gillmor <dkg@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, msva, upstream
Children:
b8df283
Parents:
303dc6e
git-author:
Daniel Kahn Gillmor <dkg@…> (01/25/13 06:36:51)
git-committer:
Daniel Kahn Gillmor <dkg@…> (01/29/13 15:41:38)
Message:

X.509 certificates are ordered EE first (see https://tools.ietf.org/html/rfc5246#page-48)

File:
1 edited

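--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -382,5 +382,6 @@
 #endif
 
-        if (sc->certs_x509_chain == NULL && sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
+        if ((sc->certs_x509_chain == NULL || sc->certs_x509_chain_num < 1) &&
+            sc->cert_pgp == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "[GnuTLS] - Host '%s:%d' is missing a Certificate File!",
@@ -389,5 +390,7 @@
         }
 
-        if (sc->enabled == GNUTLS_ENABLED_TRUE && ((sc->certs_x509_chain != NULL && sc->privkey_x509 == NULL) || (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
+        if (sc->enabled == GNUTLS_ENABLED_TRUE &&
+            ((sc->certs_x509_chain != NULL && sc->certs_x509_chain_num > 0 && sc->privkey_x509 == NULL) ||
+             (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
                         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
                                                 "[GnuTLS] - Host '%s:%d' is missing a Private Key File!",
@@ -397,5 +400,8 @@
 
         if (sc->enabled == GNUTLS_ENABLED_TRUE) {
-            rv = read_crt_cn(s, p, sc->certs_x509_chain[sc->certs_x509_chain_num-1], &sc->cert_cn);
+            rv = -1;
+            if (sc->certs_x509_chain_num > 0) {
+                rv = read_crt_cn(s, p, sc->certs_x509_chain[0], &sc->cert_cn);
+            }
             if (rv < 0 && sc->cert_pgp != NULL) {
                 rv = read_pgpcrt_cn(s, p, sc->cert_pgp, &sc->cert_cn);
@@ -547,5 +553,5 @@
     }
    
-        int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[tsc->certs_x509_chain_num-1], s->server_hostname);
+        int ret = gnutls_x509_crt_check_hostname(tsc->certs_x509_chain[0], s->server_hostname);
     if (0 == ret)
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
@@ -754,5 +760,5 @@
 
     if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_X509) {
-                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[ctxt->sc->certs_x509_chain_num], 0);
+                mgs_add_common_cert_vars(r, ctxt->sc->certs_x509_chain[0], 0);
         } else if (gnutls_certificate_type_get(ctxt->session) == GNUTLS_CRT_OPENPGP) {
         mgs_add_common_pgpcert_vars(r, ctxt->sc->cert_pgp, 0);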
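Review bot: The `tsc->certs_x509_chain[0]` read in the server_hostname check (old line 549 / new 555) is still unguarded, while the cert_cn lookup in the same commit now tests `sc->certs_x509_chain_num > 0` before indexing the chain; the same applies to `ctxt->sc->certs_x509_chain[0]` in the mgs_add_common_cert_vars call (new line 762). The startup checks in the first two hunks explicitly accept a host that has only an OpenPGP certificate (cert_pgp set, certs_x509_chain NULL or empty), and for such a host the hostname check dereferences a NULL chain pointer; the export path is presumably only reached after an X.509 session was negotiated, so that one is likely safe, but it is cheaper to guard than to rely on it. I would wrap the hostname check and its INFO log in `if (tsc->certs_x509_chain != NULL && tsc->certs_x509_chain_num > 0) { ... }`, and put a matching `ctxt->sc->certs_x509_chain_num > 0` guard in front of the mgs_add_common_cert_vars call. Both enclosing functions start and end outside the hunks shown.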