www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

On the trunk:

Browse Source 
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
     are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
     to find a better name.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
2018-03-28 15:38:51 +00:00
parent 2ab41d39d8
commit 8b305c8397
6 changed files with 63 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -2,7 +2,10 @@
Changes with Apache 2.5.1 Changes with Apache 2.5.1
*) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may *) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
need more sugar). [Stefan Eissing] need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
[Stefan Eissing]
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard). *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
[Eric Covener] [Eric Covener]

10
modules/ssl/mod_ssl.c
View File

@@ -100,6 +100,11 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_ALL(CipherSuite, TAKE1, SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers " "Colon-delimited list of permitted SSL Ciphers "
"('XXX:...:XXX' - see manual)") "('XXX:...:XXX' - see manual)")
#ifdef SSL_OP_NO_TLSv1_3
SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
"Colon-delimited list of permitted TLSv1.3 Ciphers "
"('XXX:...:XXX' - see manual)")
#endif
SSL_CMD_SRV(CertificateFile, TAKE1, SSL_CMD_SRV(CertificateFile, TAKE1,
"SSL Server Certificate file " "SSL Server Certificate file "
"('/path/to/file' - PEM or DER encoded)") "('/path/to/file' - PEM or DER encoded)")
@@ -192,6 +197,11 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_PXY(ProxyCipherSuite, TAKE1, SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers " "SSL Proxy: colon-delimited list of permitted SSL ciphers "
"('XXX:...:XXX' - see manual)") "('XXX:...:XXX' - see manual)")
#ifdef SSL_OP_NO_TLSv1_3
SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
"SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
"('XXX:...:XXX' - see manual)")
#endif
SSL_CMD_PXY(ProxyVerify, TAKE1, SSL_CMD_PXY(ProxyVerify, TAKE1,
"SSL Proxy: whether to verify the remote certificate " "SSL Proxy: whether to verify the remote certificate "
"('on' or 'off')") "('on' or 'off')")

27
modules/ssl/ssl_engine_config.c
View File

@@ -140,6 +140,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->auth.cipher_suite = NULL; mctx->auth.cipher_suite = NULL;
mctx->auth.verify_depth = UNSET; mctx->auth.verify_depth = UNSET;
mctx->auth.verify_mode = SSL_CVERIFY_UNSET; mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
mctx->auth.cipher_suite_tlsv1_3 = NULL;
mctx->ocsp_mask = UNSET; mctx->ocsp_mask = UNSET;
mctx->ocsp_force_default = UNSET; mctx->ocsp_force_default = UNSET;
@@ -284,6 +285,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
cfgMergeString(auth.cipher_suite); cfgMergeString(auth.cipher_suite);
cfgMergeInt(auth.verify_depth); cfgMergeInt(auth.verify_depth);
cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET); cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
cfgMergeString(auth.cipher_suite_tlsv1_3);
cfgMergeInt(ocsp_mask); cfgMergeInt(ocsp_mask);
cfgMergeBool(ocsp_force_default); cfgMergeBool(ocsp_force_default);
@@ -868,6 +870,17 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd,
return NULL; return NULL;
} }
const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
sc->server->auth.cipher_suite_tlsv1_3 = arg;
return NULL;
}
#define SSL_FLAGS_CHECK_FILE \ #define SSL_FLAGS_CHECK_FILE \
(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO) (SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO)
@@ -1613,6 +1626,17 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
return NULL; return NULL;
} }
const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd,
void *dcfg,
const char *arg)
{
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
dc->proxy->auth.cipher_suite_tlsv1_3 = arg;
return NULL;
}
const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd, const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
void *dcfg, void *dcfg,
const char *arg) const char *arg)
@@ -2487,6 +2511,9 @@ static void modssl_auth_ctx_dump(modssl_auth_ctx_t *auth, apr_pool_t *p, int pro
apr_file_t *out, const char *indent, const char **psep) apr_file_t *out, const char *indent, const char **psep)
{ {
DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite); DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
#ifdef SSL_OP_NO_TLSv1_3
DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3);
#endif
DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode); DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth); DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);
DMP_STRING(proxy? "SSLProxyCACertificateFile" : "SSLCACertificateFile", auth->ca_cert_file); DMP_STRING(proxy? "SSLProxyCACertificateFile" : "SSLCACertificateFile", auth->ca_cert_file);

10
modules/ssl/ssl_engine_init.c
View File

@@ -935,7 +935,15 @@ static apr_status_t ssl_init_ctx_cipher_suite(server_rec *s,
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s); return ssl_die(s);
} }
#ifdef SSL_OP_NO_TLSv1_3
if (mctx->auth.cipher_suite_tlsv1_3
&& !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
"Unable to configure permitted TLSv1.3 ciphers");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s);
}
#endif
return APR_SUCCESS; return APR_SUCCESS;
} }

6
modules/ssl/ssl_engine_kernel.c
View File

@@ -188,6 +188,12 @@ static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
|| strcmp(a1->cipher_suite, a2->cipher_suite))) { || strcmp(a1->cipher_suite, a2->cipher_suite))) {
return 0; return 0;
} }
/* both have the same ca cipher suite string */
if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3)
&& (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3
|| strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) {
return 0;
}
return 1; return 1;
} }

7
modules/ssl/ssl_private.h
View File

@@ -640,6 +640,11 @@ typedef struct {
/** for client or downstream server authentication */ /** for client or downstream server authentication */
int verify_depth; int verify_depth;
ssl_verify_t verify_mode; ssl_verify_t verify_mode;
/** TLSv1.3 has its separate cipher list, separate from the
settings for older TLS protocol versions. Since which one takes
effect is a matter of negotiation, we need separate settings */
const char *cipher_suite_tlsv1_3;
} modssl_auth_ctx_t; } modssl_auth_ctx_t;
#ifdef HAVE_TLS_SESSION_TICKETS #ifdef HAVE_TLS_SESSION_TICKETS
@@ -806,6 +811,7 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -835,6 +841,7 @@ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int fla
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);