mod_ssl: Add support for loading keys from OpenSSL 3.x providers via

the STORE API. Separates compile-time support for the STORE API (supported in 3.x) from support for the ENGINE API (deprecated in 3.x). * modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for OpenSSL 3.0+. * modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri, modssl_load_keypair_store): New functions. (modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine. (modssl_load_engine_keypair): Reimplement to use new STORE-based functions if SSLCryptoDevice was not configured, or else old ENGINE implementation. * modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs also for the OpenSSL 3.x STORE API. * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log message on error paths for the provider/STORE case. Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com> Submitted by: Ingo Franzki <ifranzki linux.ibm.com> Github: closes #397, closes #398 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1914365 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2023-12-05 15:26:22 +00:00
parent 0123a2b0ed
commit cc796e269d
7 changed files with 154 additions and 15 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1476,8 +1476,10 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
            if (cert) {
                if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) {
                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137)
-                                 "Failed to configure engine certificate %s, check %s",
-                                 key_id, certfile);
+                                 "Failed to configure certificate %s from %s, check %s",
+                                 key_id, mc->szCryptoDevice ?
+                                             mc->szCryptoDevice : "provider",
+                                 certfile);
                    ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
                    return APR_EGENERAL;
                }
@@ -1488,8 +1490,9 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
            
            if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130)
-                             "Failed to configure private key %s from engine",
-                             keyfile);
+                             "Failed to configure private key %s from %s",
+                             keyfile, mc->szCryptoDevice ?
+                                          mc->szCryptoDevice : "provider");
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
                return APR_EGENERAL;
            }