www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

More finishing touches for SSLOpenSSLConfCmd:

Browse Source 
- add documentation
- clear the error queue before executing the next SSL_CONF_cmd
- if needed, configure OCSP stapling after a "Certificate" command
- ifdef ssl_cmd_SSLOpenSSLConfCmd in ssl_private.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1555464 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2014-01-05 07:38:28 +00:00
parent c0e4f862ad
commit a84af8f546
3 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
docs/manual/mod/mod_ssl.xml
View File

@@ -2563,5 +2563,43 @@ CRIME attack).</p>
</usage> </usage>
</directivesynopsis> </directivesynopsis>
<directivesynopsis>
<name>SSLOpenSSLConfCmd</name>
<description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description>
<syntax>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.5.0-dev and later, if using OpenSSL 1.0.2 or later</compatibility>
<usage>
<p>This directive exposes OpenSSL's <em>SSL_CONF</em> API to mod_ssl,
allowing a flexible configuration of OpenSSL parameters without the need
of implementing additional <module>mod_ssl</module> directives when new
features are added to OpenSSL.</p>
<p>The set of available <directive>SSLOpenSSLConfCmd</directive> commands
depends on the OpenSSL version being used for <module>mod_ssl</module>
(at least version 1.0.2 is required). For a list of supported command
names, see the section <em>Supported configuration file commands</em> in the
<a href="http://www.openssl.org/docs/ssl/SSL_CONF_cmd.html#SUPPORTED_CONFIGURATION_FILE_COM">SSL_CONF_cmd(3)</a> manual page for OpenSSL.</p>
<p>Some of the <directive>SSLOpenSSLConfCmd</directive> commands can be used
as an alternative to existing directives (such as
<directive module="mod_ssl">SSLCipherSuite</directive> or
<directive module="mod_ssl">SSLProtocol</directive>),
though it should be noted that the syntax / allowable values for the parameters
may sometimes differ.</p>
<example><title>Examples</title>
<highlight language="config">
SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference
SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1
SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem
SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256
</highlight>
</example>
</usage>
</directivesynopsis>
</modulesynopsis> </modulesynopsis>

18
modules/ssl/ssl_engine_init.c
View File

@@ -1286,6 +1286,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
#ifdef HAVE_SSL_CONF_CMD #ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx); SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) { for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
ERR_clear_error();
if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) { if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
"\"SSLOpenSSLConfCmd %s %s\" failed for %s", "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
@@ -1297,6 +1298,23 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
"\"SSLOpenSSLConfCmd %s %s\" applied to %s", "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
param->name, param->value, sc->vhost_id); param->name, param->value, sc->vhost_id);
} }
#ifdef HAVE_OCSP_STAPLING
/*
* Special case: if OCSP stapling is enabled, and a certificate
* has been loaded via "SSLOpenSSLConfCmd Certificate ...", then
* we also need to call ssl_stapling_init_cert here.
*/
if ((sc->server->stapling_enabled == TRUE) &&
!strcasecmp(param->name, "Certificate")) {
X509 *cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
"Unable to configure certificate loaded "
"from %s for %s for stapling",
param->value, sc->vhost_id);
}
}
#endif
} }
if (SSL_CONF_CTX_finish(cctx) == 0) { if (SSL_CONF_CTX_finish(cctx) == 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547) ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)

2
modules/ssl/ssl_private.h
View File

@@ -733,7 +733,9 @@ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
#ifdef HAVE_SSL_CONF_CMD
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
#endif
#ifdef HAVE_SRP #ifdef HAVE_SRP
const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);