
Remove SSLPKCS7CertificateFile support:

- was never documented, so very unlikely that it was ever used

- adds complexity without apparent benefit; PKCS#7 files can
  be trivially converted to a file for use with SSLCertificateChainFile
  (concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)

- only supports PKCS7 files with PEM encoding, i.e. relies on a
  non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)

- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
  were never fully addressed (cf. r424707 and r424735)

- has never worked in vhost context due to a cfgMergeString
  call missing from modssl_ctx_cfg_merge


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1544784 13f79535-47bb-0310-9956-ffa450edef68
Kaspar Brand
2013-11-23 13:03:25 +00:00
parent 7d402a24ec
commit e7dc6dd3f4
7 changed files with 18 additions and 135 deletions


@@ -308,7 +308,7 @@ static apr_status_t ssl_init_server_check(server_rec *s,
* check for important parameters and the
* possibility that the user forgot to set them.
*/
if (!mctx->pks->cert_files[0] && !mctx->pkcs7) {
if (!mctx->pks->cert_files[0]) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891)
"No SSL Certificate set [hint: SSLCertificateFile]");
return ssl_die(s);
@@ -780,29 +780,6 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
return APR_SUCCESS;
}
static apr_status_t ssl_init_ctx_pkcs7_cert_chain(server_rec *s,
modssl_ctx_t *mctx)
{
STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
int n;
STACK_OF(X509) *extra_certs = NULL;
if (!certs)
return APR_EGENERAL;
#ifdef OPENSSL_NO_SSL_INTERN
SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
#else
extra_certs = mctx->ssl_ctx->extra_certs;
#endif
if (!extra_certs)
for (n = 1; n < sk_X509_num(certs); ++n)
SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
return APR_SUCCESS;
}
static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
@@ -812,10 +789,6 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
int i, n;
const char *chain = mctx->cert_chain;
if (mctx->pkcs7) {
return ssl_init_ctx_pkcs7_cert_chain(s, mctx);
}
/*
* Optionally configure extra server certificate chain certificates.
* This is usually done by OpenSSL automatically when one of the