authorGiovanni Bechis <gbechis@apache.org>2023-04-04 18:46:05 +0200
committerGiovanni Bechis <gbechis@apache.org>2023-04-04 18:46:05 +0200
commit132d4ee48f1c1ee786d13b61017e8e549a70d2de (patch)
treed99165589490f867d3d7505c68973f0615f6dc42 /modules
parentSSL_do_handshake can fail with 0 or <0 status codes. (diff)
check SSL_do_handshake(3) return value
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908964 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r--modules/ssl/ssl_engine_kernel.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index f63865c37a..96aaf6602d 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -78,9 +78,8 @@ static apr_status_t upgrade_connection(request_rec *r)
/* Perform initial SSL handshake. */
SSL_set_accept_state(ssl);
- SSL_do_handshake(ssl);
- if (!SSL_is_init_finished(ssl)) {
+ if ((SSL_do_handshake(ssl) != 1) || !SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
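Review bot: The return value of SSL_do_handshake() on the changed line is tested and then discarded, so on failure the log can only say "TLS upgrade handshake failed" and cannot distinguish a 0 return (handshake shut down cleanly by the peer) from a negative one, while ssl_log_ssl_error() drains an OpenSSL error queue that may be empty for SSL_ERROR_SYSCALL and SSL_ERROR_ZERO_RETURN. Keeping the value makes the failure diagnosable: `int rc = SSL_do_handshake(ssl);` then `if (rc != 1 || !SSL_is_init_finished(ssl)) {` and, inside the branch, include `SSL_get_error(ssl, rc)` in the ap_log_rerror() message. The same applies to the second hunk in ssl_hook_Access_modern, where the new `if(SSL_do_handshake(ssl) != 1)` also drops the value (and lacks the space after `if` used on the surrounding lines). Whether a negative return with SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE can occur here depends on the BIO's blocking mode, which the hunk does not show; if it can, treating it as a hard failure would reject a handshake that merely needs more I/O. upgrade_connection's body continues outside the hunk.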
@@ -1182,7 +1181,12 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
modssl_set_app_data2(ssl, r);
- SSL_do_handshake(ssl);
+ if(SSL_do_handshake(ssl) != 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10421)
+ "TLS handshake failure");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+ return HTTP_FORBIDDEN;
+ }
/* Need to trigger renegotiation handshake by reading.
* Peeking 0 bytes actually works.
* See: http://marc.info/?t=145493359200002&r=1&w=2