1 --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c 2021/06/29 09:30:24 1891137
2 +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c 2021/06/29 11:24:17 1891138
6 +/* SSL_CTX_use_PrivateKey_file() can fail either because the private
7 + * key was encrypted, or due to a mismatch between an already-loaded
8 + * cert and the key - a common misconfiguration - from calling
9 + * X509_check_private_key(). This macro is passed the last error code
10 + * off the OpenSSL stack and evaluates to true only for the first
11 + * case. With OpenSSL < 3 the second case is identifiable by the
12 + * function code, but function codes are not used from 3.0. */
13 +#if OPENSSL_VERSION_NUMBER < 0x30000000L
14 +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
16 +#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \
17 + || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
18 + && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
19 + && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
22 static apr_status_t ssl_init_server_certs(server_rec *s,
27 else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
28 SSL_FILETYPE_PEM) < 1)
29 - && (ERR_GET_FUNC(ERR_peek_last_error())
30 - != X509_F_X509_CHECK_PRIVATE_KEY)) {
31 + && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
33 const unsigned char *ptr;
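Review bot: The OpenSSL 3 branch of CHECK_PRIVKEY_ERROR compares the bare name `ERR_GET_LIB` against `ERR_LIB_X509` instead of applying it to the error code, so on 3.0, where ERR_GET_LIB is an inline function, the expression compares a function address with an integer — something a compiler rejects or at best warns about — and it does not test the error's library as the comment intends; the line should read `#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB(ec) != ERR_LIB_X509 \`. Because the macro evaluates `ec` up to four times, the caller's `ERR_peek_last_error()` is invoked repeatedly; peeking is non-destructive so the result is stable, but reading the code once into a local before the comparisons would make the intent clearer and avoid surprises if a destructive `ERR_get_error()` is ever substituted. If the classification is wrong, a cert/key mismatch would presumably be handled as the encrypted-key case rather than reported as the misconfiguration the comment describes, though the branch that runs when the condition is false is outside this hunk. The `#else` between the two definitions and the rest of ssl_init_server_certs are not shown in this excerpt.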