More finishing touches for SSLOpenSSLConfCmd:

- add documentation - clear the error queue before executing the next SSL_CONF_cmd - if needed, configure OCSP stapling after a "Certificate" command - ifdef ssl_cmd_SSLOpenSSLConfCmd in ssl_private.h git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1555464 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2014-01-05 07:38:28 +00:00
parent c0e4f862ad
commit a84af8f546
3 changed files with 58 additions and 0 deletions
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2563,5 +2563,43 @@ CRIME attack).</p>
 </usage>
 </directivesynopsis>

+<directivesynopsis>
+<name>SSLOpenSSLConfCmd</name>
+<description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description>
+<syntax>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.5.0-dev and later, if using OpenSSL 1.0.2 or later</compatibility>
+
+<usage>
+<p>This directive exposes OpenSSL's <em>SSL_CONF</em> API to mod_ssl,
+allowing a flexible configuration of OpenSSL parameters without the need
+of implementing additional <module>mod_ssl</module> directives when new
+features are added to OpenSSL.</p>
+
+<p>The set of available <directive>SSLOpenSSLConfCmd</directive> commands
+depends on the OpenSSL version being used for <module>mod_ssl</module>
+(at least version 1.0.2 is required). For a list of supported command
+names, see the section <em>Supported configuration file commands</em> in the
+<a href="http://www.openssl.org/docs/ssl/SSL_CONF_cmd.html#SUPPORTED_CONFIGURATION_FILE_COM">SSL_CONF_cmd(3)</a> manual page for OpenSSL.</p>
+
+<p>Some of the <directive>SSLOpenSSLConfCmd</directive> commands can be used
+as an alternative to existing directives (such as
+<directive module="mod_ssl">SSLCipherSuite</directive> or
+<directive module="mod_ssl">SSLProtocol</directive>),
+though it should be noted that the syntax / allowable values for the parameters
+may sometimes differ.</p>
+
+<example><title>Examples</title>
+<highlight language="config">
+SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference
+SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1
+SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem
+SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
+SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256
+</highlight>
+</example>
+</usage>
+</directivesynopsis>

 </modulesynopsis>
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1286,6 +1286,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 #ifdef HAVE_SSL_CONF_CMD
    SSL_CONF_CTX_set_ssl_ctx(cctx, sc->server->ssl_ctx);
    for (i = 0; i < sc->server->ssl_ctx_param->nelts; i++, param++) {
+        ERR_clear_error();
        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
                         "\"SSLOpenSSLConfCmd %s %s\" failed for %s",
@@ -1297,6 +1298,23 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
                         "\"SSLOpenSSLConfCmd %s %s\" applied to %s",
                         param->name, param->value, sc->vhost_id);
        }
+#ifdef HAVE_OCSP_STAPLING
+        /*
+         * Special case: if OCSP stapling is enabled, and a certificate
+         * has been loaded via "SSLOpenSSLConfCmd Certificate ...", then
+         * we also need to call ssl_stapling_init_cert here.
+         */
+        if ((sc->server->stapling_enabled == TRUE) &&
+            !strcasecmp(param->name, "Certificate")) {
+            X509 *cert = SSL_CTX_get0_certificate(sc->server->ssl_ctx);
+            if (!cert || !ssl_stapling_init_cert(s, sc->server, cert)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02571)
+                             "Unable to configure certificate loaded "
+                             "from %s for %s for stapling",
+                             param->value, sc->vhost_id);
+            }
+        }
+#endif
    }
    if (SSL_CONF_CTX_finish(cctx) == 0) {
            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02547)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -733,7 +733,9 @@ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);

+#ifdef HAVE_SSL_CONF_CMD
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
+#endif

 #ifdef HAVE_SRP
 const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);