
mod_ssl: Fix reading custom DH parameters from CertificateFile with OpenSSL 3.X #447

Open: wants to merge 1 commit into base branch trunk

Conversation

o8vm

@o8vm o8vm commented May 23, 2024

This commit addresses an issue where Apache HTTPD with OpenSSL 3.0 or later is unable to load custom DH parameters specified in the CertificateFile configuration option. PEM_read_bio_Parameters() is unable to extract just the DH parameters and returns NULL when a CertificateFile contains signed certificates, intermediate certificates, and DH parameters all together in one file. A new approach is needed for OpenSSL 3.0. This patch implements a solution using OpenSSL's decoding framework to selectively load only the custom DH parameters from a composite CertificateFile.

Testing confirmed custom DH params can now be properly extracted from CertificateFile as intended.

This commit addresses an issue where Apache HTTPD with OpenSSL 3.0 or later is unable to load custom DH parameters specified in the CertificateFile configuration option.
PEM_read_bio_Parameters is unable to extract just the DH parameters and returns NULL when a CertificateFile contains signed certificates, intermediate certificates, and DH parameters all together in one file. A new approach is needed for OpenSSL 3.0.
This patch implements a solution using OpenSSL's decoding framework to selectively load only the custom DH parameters from a composite CertificateFile.

Testing confirmed custom DH params can now be properly extracted from CertificateFile as intended.
@o8vm
Author

o8vm commented May 24, 2024

@notroj
Collaborator

notroj commented May 28, 2024

Thank you for sending in the PR, but I think this is already addressed by dee1eb3 on trunk; can you confirm that also fixes this issue for you?

@o8vm
Author

o8vm commented May 28, 2024

Thank you for checking, but this issue is still not fixed in the latest HEAD of the trunk branch. I tested it, and the issue is also not addressed by the dee1eb3 commit, which seems to be effective only for OPENSSL_VERSION_NUMBER < 0x30000000L. My patch included in the PR specifically addresses this issue in OpenSSL 3.0 and later versions.

@notroj
Collaborator

notroj commented Jun 17, 2024

dee1eb3 definitely affects the OpenSSL 3.0+ code path as well as the pre-3.0 code path.

I am still not sure what your patch here fixes. Can you explain why using PEM_read_bio_Parameters is an inappropriate way to load the DH parameters? Does it fail? Can you add logging on the error path, if so, to show the failure? Or is the call to SSL_CTX_set0_tmp_dh_pkey failing?

Testing with trunk and a custom DH parameter appended to the file referenced from SSLCertificateFile now works as expected for me with OpenSSL 3.2.1.

t/logs/error_log:[Mon Jun 17 14:02:14.950767 2024] [ssl:debug] [pid 63509:tid 63509] ssl_engine_init.c(1611): AH02540: Custom DH parameters (4096 bits) for localhost:8553 loaded from ... /conf/ssl/ca/asf/certs/server.crt
