*) core/mod_proxy/mod_ssl:
Adding an `outgoing` flag to conn_rec, indicating that the connection was initiated by the server to another host, in contrast to incoming connections from clients. Adding an `ap_ssl_bind_outgoing()` function that marks a connection as outgoing; it is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL modules to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core for backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core-provided optional functions wrap any registered function, as was already done for `ssl_is_ssl`. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
@@ -1768,7 +1768,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
|
||||
SSLSrvConfigRec *sc = mySrvConfig(s);
|
||||
SSLConnRec *sslconn = myConnConfig(conn);
|
||||
SSLDirConfigRec *dc = r ? myDirConfig(r) : sslconn->dc;
|
||||
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
|
||||
modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
|
||||
int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
|
||||
|
||||
/* Get verify ingredients */
|
||||
@@ -1792,7 +1792,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
|
||||
* Check for optionally acceptable non-verifiable issuer situation
|
||||
*/
|
||||
if (dc) {
|
||||
if (sslconn->is_proxy) {
|
||||
if (conn->outgoing) {
|
||||
verify = dc->proxy->auth.verify_mode;
|
||||
}
|
||||
else {
|
||||
@@ -1904,7 +1904,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
|
||||
* Finally check the depth of the certificate verification
|
||||
*/
|
||||
if (dc) {
|
||||
if (sslconn->is_proxy) {
|
||||
if (conn->outgoing) {
|
||||
depth = dc->proxy->auth.verify_depth;
|
||||
}
|
||||
else {
|
||||
@@ -2300,7 +2300,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
|
||||
/* If the reneg state is to reject renegotiations, check the SSL
|
||||
* state machine and move to ABORT if a Client Hello is being
|
||||
* read. */
|
||||
if (!sslconn->is_proxy &&
|
||||
if (!c->outgoing &&
|
||||
(where & SSL_CB_HANDSHAKE_START) &&
|
||||
sslconn->reneg_state == RENEG_REJECT) {
|
||||
sslconn->reneg_state = RENEG_ABORT;
|
||||
@@ -2543,7 +2543,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
|
||||
* Don't switch the protocol if none is configured for this vhost,
|
||||
* the default in this case is still the base server's SSLProtocol.
|
||||
*/
|
||||
if (myCtxConfig(sslcon, sc)->protocol_set) {
|
||||
if (myConnCtxConfig(c, sc)->protocol_set) {
|
||||
SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
|
||||
SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
|
||||
}
|
||||
@@ -2629,8 +2629,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
|
||||
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
||||
server_rec *s = mySrvFromConn(c);
|
||||
SSLSrvConfigRec *sc = mySrvConfig(s);
|
||||
SSLConnRec *sslconn = myConnConfig(c);
|
||||
modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
|
||||
modssl_ctx_t *mctx = myConnCtxConfig(c, sc);
|
||||
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
|
||||
|
||||
if (mode == 1) {
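Review bot: The verify-mode and verify-depth selection in ssl_callback_SSLVerify (hunks at -1792 and -1904) now keys on `conn->outgoing` alone, so any proxy connection on which that flag is not set falls into the `else` branch and is verified with the incoming-side settings; the same applies to the renegotiation-rejection check in ssl_callback_Info, which now fires for such a connection. The commit description says the old `ssl_engine_set` optional function is kept as a core-provided compatibility wrapper, but nothing in these hunks shows that the wrapper also sets `outgoing` — if it does not, a third-party module still using `ssl_engine_set` would silently get server-side client-certificate verification instead of the `SSLProxy*` settings. Worth confirming that, and documenting the dependency at the first branch, e.g. `/* outgoing (proxy) connections, marked via ap_ssl_bind_outgoing(), use the SSLProxy* verify settings */`. The enclosing functions begin and end outside the hunks.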
|
||||
|