Tweaks for SSLOpenSSLConfCmd:

- use cfgMergeArray, and reduce the size of the initial array - move SSL_CONF_cmd calls from ssl_init_ctx_protocol to ssl_init_server_ctx (so they are applied after ssl_init_server_certs) - add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case - call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1546693 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2013-11-30 07:44:27 +00:00
parent 6cabf7d3dc
commit 5289285387
3 changed files with 51 additions and 40 deletions
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2556
+2557
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -157,7 +157,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
    SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_FILE);
    SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_SERVER);
    SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
-    mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t));
+    mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
 #endif
 }

@@ -247,7 +247,8 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
 #define cfgMergeBool(el)    cfgMerge(el, UNSET)
 #define cfgMergeInt(el)     cfgMerge(el, UNSET)

-static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge(apr_pool_t *p,
+                                 modssl_ctx_t *base,
                                 modssl_ctx_t *add,
                                 modssl_ctx_t *mrg)
 {
@@ -292,29 +293,30 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
 #endif

 #ifdef HAVE_SSL_CONF_CMD
-    apr_array_cat(mrg->ssl_ctx_param,  base->ssl_ctx_param);
-    apr_array_cat(mrg->ssl_ctx_param,  add->ssl_ctx_param);
+    cfgMergeArray(ssl_ctx_param);
 #endif
 }

-static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
+                                       modssl_ctx_t *base,
                                       modssl_ctx_t *add,
                                       modssl_ctx_t *mrg)
 {
-    modssl_ctx_cfg_merge(base, add, mrg);
+    modssl_ctx_cfg_merge(p, base, add, mrg);

    cfgMergeString(pkp->cert_file);
    cfgMergeString(pkp->cert_path);
    cfgMergeString(pkp->ca_cert_file);
 }

-static void modssl_ctx_cfg_merge_server(modssl_ctx_t *base,
+static void modssl_ctx_cfg_merge_server(apr_pool_t *p,
+                                        modssl_ctx_t *base,
                                        modssl_ctx_t *add,
                                        modssl_ctx_t *mrg)
 {
    int i;

-    modssl_ctx_cfg_merge(base, add, mrg);
+    modssl_ctx_cfg_merge(p, base, add, mrg);

    for (i = 0; i < SSL_AIDX_MAX; i++) {
        cfgMergeString(pks->cert_files[i]);
@@ -357,9 +359,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
    cfgMergeBool(compression);
 #endif

-    modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+    modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);

-    modssl_ctx_cfg_merge_server(base->server, add->server, mrg->server);
+    modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server);

    return mrg;
 }
@@ -1809,20 +1811,23 @@ const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
 }

 #endif /* HAVE_OCSP_STAPLING */
+
 #ifdef HAVE_SSL_CONF_CMD
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
 					const char *arg1, const char *arg2)
 {
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    ssl_ctx_param_t *param = apr_array_push(sc->server->ssl_ctx_param);
    SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
-    const char *err;
    int value_type = SSL_CONF_cmd_value_type(cctx, arg1);
+    const char *err;
+    ssl_ctx_param_t *param;
+
    if (value_type == SSL_CONF_TYPE_UNKNOWN) {
        return apr_psprintf(cmd->pool,
                            "'%s': invalid OpenSSL configuration command",
                            arg1);
    }
+
    if (value_type == SSL_CONF_TYPE_FILE) {
        if ((err = ssl_cmd_check_file(cmd, &arg2)))
            return err;
@@ -1831,11 +1836,14 @@ const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
        if ((err = ssl_cmd_check_dir(cmd, &arg2)))
            return err;
    }
+
+    param = apr_array_push(sc->server->ssl_ctx_param);
    param->name = arg1;
    param->value = arg2;
    return NULL;
 }
 #endif
+
 #ifdef HAVE_SRP

 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -535,30 +535,6 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif

-#ifdef HAVE_SSL_CONF_CMD
-{
-    ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
-    SSL_CONF_CTX *cctx = mctx->ssl_ctx_config;
-    int i;
-    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
-    for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
-        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
-            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
-                         "Error SSL_CONF_cmd(\"%s\",\"%s\")",
-                         param->name, param->value);
-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            return ssl_die(s);
-        }
-    }
-    if (SSL_CONF_CTX_finish(cctx) == 0) {
-            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
-                         "Error SSL_CONF_CTX_finish()");
-            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            return ssl_die(s);
-    }
-}
-#endif
-
 #ifdef SSL_MODE_RELEASE_BUFFERS
    /* If httpd is configured to reduce mem usage, ask openssl to do so, too */
    if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
@@ -1359,6 +1335,11 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
                                        SSLSrvConfigRec *sc)
 {
    apr_status_t rv;
+#ifdef HAVE_SSL_CONF_CMD
+    ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts;
+    SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
+    int i;
+#endif

    if ((rv = ssl_init_server_check(s, p, ptemp, sc->server)) != APR_SUCCESS) {
        return rv;
@@ -1372,6 +1353,31 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
        return rv;
    }

+#ifdef HAVE_SSL_CONF_CMD
+    SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
+    for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
+        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
+                         "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
+                         param->name, param->value, sc->vhost_id);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            return ssl_die(s);
+        } else {
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02556)
+                         "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
+                         param->name, param->value, sc->vhost_id);
+        }
+    }
+    if (SSL_CONF_CTX_finish(cctx) == 0) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
+                         "SSL_CONF_CTX_finish() failed");
+            SSL_CONF_CTX_free(cctx);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            return ssl_die(s);
+    }
+    SSL_CONF_CTX_free(cctx);
+#endif
+
 #ifdef HAVE_TLS_SESSION_TICKETS
    if ((rv = ssl_init_ticket_key(s, p, ptemp, sc->server)) != APR_SUCCESS) {
        return rv;
@@ -1643,9 +1649,6 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s)
 static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
 {
    MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
-#ifdef HAVE_SSL_CONF_CMD
-    MODSSL_CFG_ITEM_FREE(SSL_CONF_CTX_free, mctx->ssl_ctx_config);
-#endif

 #ifdef HAVE_SRP
    if (mctx->srp_vbase != NULL) {