From ea6e3445a7d058cd030648d3a70b2f415c7d598f Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sat, 13 Mar 2021 01:30:13 -0500
Subject: [PATCH] [mod_nss] avoid NSS crash w/ config file error

NSS crashes with SIGFPE if SSL_REQUEST_CERTIFICATE is PR_TRUE, but trust anchors have not been set with SSL_SetTrustAnchors() (e.g. if ssl.verifyclient.activate = "enable" but ssl.ca-file has not been configured in lighttpd.conf)
---
 src/mod_nss.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/mod_nss.c b/src/mod_nss.c
index d96a42d7..ad796a70 100644
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@@ -2317,12 +2317,16 @@ CONNECTION_FUNC(mod_nss_handle_con_accept)
 CERTCertList * const certList = hctx->conf.ssl_ca_dn_file
 ? hctx->conf.ssl_ca_dn_file
 : hctx->conf.ssl_ca_file;
- if (NULL == certList)
+ if (NULL == certList) {
 log_error(hctx->r->conf.errh, __FILE__, __LINE__,
 "NSS: can't verify client without ssl.ca-file "
 "for TLS server name %s",
 hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
- if (certList && SSL_SetTrustAnchors(hctx->ssl, certList) < 0) {
+ return hctx->conf.ssl_verifyclient_enforce
+ ? HANDLER_ERROR
+ : HANDLER_GO_ON;
+ }
+ if (SSL_SetTrustAnchors(hctx->ssl, certList) < 0) {
 elog(r->conf.errh, __FILE__, __LINE__, "SSL_SetTrustAnchors()");
 return HANDLER_ERROR;
 }
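Review bot: The early `return HANDLER_GO_ON` in the non-enforcing branch skips everything that follows in mod_nss_handle_con_accept, not just the SSL_SetTrustAnchors() call, and nothing in the hunk records that this is intended; if SSL_REQUEST_CERTIFICATE is set later in the function (inferred from the commit message, not visible here), the fix works by never requesting a certificate, so a missing ssl.ca-file quietly turns an optional-client-cert site into one that never asks for a cert at all. A comment on the return would keep that reasoning from being lost in a later refactor, e.g. `/* return before SSL_REQUEST_CERTIFICATE is set: NSS raises SIGFPE when it is set without trust anchors */`. This block also logs on every accepted connection that reaches it, and in enforce mode fails every handshake at runtime; rejecting ssl.verifyclient.activate without ssl.ca-file once at config-parse time would surface the misconfiguration at startup instead. The enclosing function starts and ends outside the hunk.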