diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index d3f75ac2b6..dd3c0d40ba 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2563,5 +2563,43 @@ CRIME attack).

+ +SSLOpenSSLConfCmd +Configure OpenSSL parameters through its SSL_CONF API +SSLOpenSSLConfCmd command-name command-value +server config +virtual host +Available in httpd 2.5.0-dev and later, if using OpenSSL 1.0.2 or later + + +

This directive exposes OpenSSL's SSL_CONF API to mod_ssl, +allowing a flexible configuration of OpenSSL parameters without the need +of implementing additional mod_ssl directives when new +features are added to OpenSSL.

+ +

The set of available SSLOpenSSLConfCmd commands +depends on the OpenSSL version being used for mod_ssl +(at least version 1.0.2 is required). For a list of supported command +names, see the section Supported configuration file commands in the +SSL_CONF_cmd(3) manual page for OpenSSL.

+ +

Some of the SSLOpenSSLConfCmd commands can be used +as an alternative to existing directives (such as +SSLCipherSuite or +SSLProtocol), +though it should be noted that the syntax / allowable values for the parameters +may sometimes differ.

+ +Examples + +SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference +SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1 +SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem +SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2" +SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256 + + +
+
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index daf4ea161f..6ecde6a216 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1286,6 +1286,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 #ifdef HAVE_SSL_CONF_CMD
 SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
 for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
+ ERR_clear_error();
 if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
 "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
@@ -1297,6 +1298,23 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
 param->name, param->value, sc->vhost_id);
 }
+#ifdef HAVE_OCSP_STAPLING
+ /*
+ * Special case: if OCSP stapling is enabled, and a certificate
+ * has been loaded via "SSLOpenSSLConfCmd Certificate ...", then
+ * we also need to call ssl_stapling_init_cert here.
+ */
+ if ((sc->server->stapling_enabled == TRUE) &&
+ !strcasecmp(param->name, "Certificate")) {
+ X509 *cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
+ if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
+ "Unable to configure certificate loaded "
+ "from %s for %s for stapling",
+ param->value, sc->vhost_id);
+ }
+ }
+#endif
 }
 if (SSL_CONF_CTX_finish(cctx) == 0) {
 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 5f1fb23d2e..87b178a37b 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
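Review bot: The added `ERR_clear_error();` at the top of the loop body has no comment saying why it is there, so a later reader may take it for a redundant call and remove it. Its point is that the OpenSSL error queue is empty when `SSL_CONF_cmd()` runs, so whatever the failure branch reports (the remainder of that branch is outside the hunk) can only have been produced by this command and not by an earlier one that succeeded with a stale error left behind. Suggest `/* Empty the OpenSSL error queue so any error reported for a failing command below belongs to this command alone. */` directly above the call. ssl_init_server_ctx begins before this hunk and continues past it.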
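Review bot: A failed `ssl_stapling_init_cert()` for a certificate loaded through `SSLOpenSSLConfCmd Certificate` is logged at APLOG_ERR and the loop simply continues, whereas a failed `SSL_CONF_cmd()` a few lines earlier in the same loop is APLOG_EMERG; the outcome is a vhost that starts with `stapling_enabled` set but no stapling state for that certificate, which an operator who deliberately turned stapling on may not notice. The same log line also covers the distinct case where `SSL_CTX_get0_certificate()` returns NULL right after OpenSSL accepted the command, which is an inconsistency rather than a stapling problem and deserves its own message. If the non-fatal handling is intentional (it may mirror how the regular certificate path treats this failure, which is outside the hunk), say so on the `if`, e.g. `/* Non-fatal: the certificate remains usable, only OCSP stapling for it is unavailable. */`; otherwise align severity and handling with the `SSL_CONF_cmd()` failure branch. The enclosing for loop and function extend beyond the hunk.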
@@ -733,7 +733,9 @@ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); +#ifdef HAVE_SSL_CONF_CMD const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); +#endif #ifdef HAVE_SRP const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);