diff --git a/CHANGES b/CHANGES index 36250c224d..128145e6ec 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies, + just the basic "modern", "intermediate" and "old" as specified by Mozilla security. + [Stefan Eissing] + *) mod_remoteip: make proxy-protocol work on slave connections, e.g. in HTTP/2 requests. See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6 [Stefan Eissing] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 0dff8cf696..1d240f2b43 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2841,119 +2841,6 @@ SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256 - -SSLPolicyDefine -Define a named set of SSL configurations -<SSLPolicyDefine name> -server config -Available in httpd 2.4.30 and later - - -

This directive defines a set of SSL* configurations under -and gives it a name. This name can be used in the directives -SSLPolicy and SSLProxyPolicy -to apply this configuration set in the current context.

- -Define and Use of a Policy - -<SSLPolicyDefine safe-stapling> - SSLUseStapling on - SSLStaplingResponderTimeout 2 - SSLStaplingReturnResponderErrors off - SSLStaplingFakeTryLater off - SSLStaplingStandardCacheTimeout 86400 -</SSLPolicyDefine> - - ... - <VirtualHost...> - SSLPolicy safe-stapling - ... - - - -

On the one hand, this can make server configurations easier to -read and maintain. On the other hand, it is -intended to make SSL easier and safer to use. For the -latter, Apache httpd ships with a set of pre-defined policies -that reflect good open source practise. The policy "modern", -for example, carries the settings to make your server work -compatible and securely with current browsers.

- -

The list of predefined policies in your Apache can be obtained -by running the following command. This list shows you the -detailed configurations each policy is made of:

- -List all Defined Policies - -httpd -t -D DUMP_SSL_POLICIES - - - -

The directive can only be used in the server config (global context). It can take -most SSL* directives, however a few can only be set once and are not allowed inside -policy defintions. These are SSLCryptoDevice, -SSLRandomSeed, -SSLSessionCache and -SSLStaplingCache. -

-

Two policies cannot have the same name. However, policies can -be redefined:

- -Policy Overwrite - -<SSLPolicyDefine proxy-trust> - SSLProxyVerify require -</SSLPolicyDefine> - ... -<SSLPolicyDefine proxy-trust> - SSLProxyVerify none -</SSLPolicyDefine> - - - -

Policy definitions are added in the order they appear, but are -applied when the whole configuration has been read. This means that any -use of 'proxy-trust' will mean 'SSLProxyVerify none'. The first definition -has no effect at all. That allows pre-installed policies to be replaced -without the need to disable them.

- -

Additional to replacing policies, redefinitions may just alter -an aspect of a policy:

- -Policy Redefine - -<SSLPolicyDefine proxy-trust> - SSLProxyVerify require -</SSLPolicyDefine> - ... -<SSLPolicyDefine proxy-trust> - SSLPolicy proxy-trust - SSLProxyVerifyDepth 10 -</SSLPolicyDefine> - - - -

This re-uses all settings from the previous 'proxy-trust' and adds -one directive on top of it. All others still apply. This is very handy -when pre-defined policies (from Apache itself or a distributor) -that almost what you need. Previously, such definitions were -(copied and) edited. This made updating them difficult. Now they can -be setup like this:

- -Tweak a Pre-Defined Policy - -Include ssl-policies.conf - -<SSLPolicyDefine modern> - SSLPolicy modern - SSLProxyVerify none -</SSLPolicyDefine> - - - - - - SSLPolicy Apply a SSLPolicy by name @@ -2975,6 +2862,9 @@ for a detailed description by them.):
  • intermediate: the fallback if you need to support old (but not very old) clients.
  • old: when you need to give Windows XP/Internet Explorer 6 access. The last resort.
    • +

    SSLPolicy applies configuration settings in place, meaning previous values are +overwritten. Configuration directives following an SSLPolicy may overwrite it. +

    You can check the detailed description of all defined policies via the command line:

    List all Defined Policies @@ -2983,76 +2873,6 @@ httpd -t -D DUMP_SSL_POLICIES -

    A SSLPolicy defines the baseline for the context it is used in. That means that any -other SSL* directives in the same context override it. As an example of this, see the effective -SSLProtocol value in the following settings:

    - -Policy Precedence - -<VirtualHost...> # effective: 'all' - SSLPolicy modern - SSLProtocol all -</VirtualHost> - -<VirtualHost...> # effective: 'all' - SSLProtocol all - SSLPolicy modern -</VirtualHost> - -SSLPolicy modern -<VirtualHost...> # effective: 'all' - SSLProtocol all -</VirtualHost> - -SSLProtocol all -<VirtualHost...> # effective: '+TLSv1.2' - SSLPolicy modern -</VirtualHost> - - - -

    There can be more than one policy applied in a context. The -later ones overshadowing the earlier ones:

    - -Policy Ordering - -<VirtualHost...> # effective protocol: 'all -SSLv3' - SSLPolicy modern - SSLPolicy intermediate -</VirtualHost> - -<VirtualHost...> # effective protocol: '+TLSv1.2' - SSLPolicy intermediate - SSLPolicy modern -</VirtualHost> - - - - -     - - -SSLProxyPolicy -Apply the SSLProxy* parts alone of a SSLPolicy -SSLProxyPolicy name -server config -virtual host -Available in httpd 2.4.30 and later - - -

    This directive is similar to SSLPolicy, but -applies only the SSLProxy* directives defined in the policy. This helps -when you need different policies for front and backends:

    - -Another Policies for Proxy Only - -SSLPolicy modern -SSLProxyPolicy intermediate - - - -

    In this example, the 'modern' policy is first applied for front- and backend. The backend -parts are then overwritten by the 'intermediate' policy settings.

         diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 7d2d9380ad..3780d8c89b 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -312,15 +312,8 @@ static const command_rec ssl_config_cmds[] = { AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL, "SSLLogLevel directive is no longer supported - use LogLevel."), - AP_INIT_TAKE1("compression = UNSET; #endif sc->session_tickets = UNSET; - sc->policies = NULL; - sc->error_policy = NULL; sc->enabled_on = NULL; modssl_ctx_init_server(sc, p); @@ -346,19 +344,12 @@ static void modssl_ctx_cfg_merge_server(apr_pool_t *p, #endif } -static void ssl_policy_apply(SSLSrvConfigRec *sc, apr_pool_t *p); -static void ssl_dir_policy_apply(SSLDirConfigRec *dc, apr_pool_t *p); - void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) { SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev; SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv; SSLSrvConfigRec *mrg = ssl_config_server_new(p); - /* This is a NOP, unless a policy has not been applied yet */ - ssl_policy_apply(base, p); - ssl_policy_apply(add, p); - cfgMerge(mc, NULL); cfgMerge(enabled, SSL_ENABLED_UNSET); cfgMergeInt(session_cache_timeout); @@ -375,9 +366,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) #endif cfgMergeBool(session_tickets); - mrg->policies = NULL; - cfgMergeString(error_policy); - mrg->enabled_on = (add->enabled == SSL_ENABLED_UNSET)? base->enabled_on : add->enabled_on; modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server); @@ -429,9 +417,6 @@ void *ssl_config_perdir_create(apr_pool_t *p, char *dir) modssl_ctx_init_proxy(dc, p); dc->proxy_post_config = FALSE; - dc->policies = NULL; - dc->error_policy = NULL; - return dc; } @@ -457,9 +442,6 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) SSLDirConfigRec *add = (SSLDirConfigRec *)addv; SSLDirConfigRec *mrg = (SSLDirConfigRec *)apr_palloc(p, sizeof(*mrg)); - ssl_dir_policy_apply(base, p); - ssl_dir_policy_apply(add, p); - cfgMerge(bSSLRequired, FALSE); cfgMergeArray(aRequirement); @@ -499,9 +481,6 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv) mrg->proxy = add->proxy; } - mrg->policies = NULL; - cfgMergeString(error_policy); - return mrg; } @@ -524,26 +503,21 @@ void ssl_config_proxy_merge(apr_pool_t *p, static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name, int protocols, const char *ciphers, - int honor_order, int compression, int session_tickets, - ssl_verify_t proxy_verify_mode, int proxy_verify_depth) + int honor_order, int compression, int session_tickets) { SSLPolicyRec *policy; policy = apr_pcalloc(p, sizeof(*policy)); policy->name = name; policy->sc = ssl_config_server_new(p); - policy->dc = ssl_config_perdir_create(p, "/"); if (protocols || ciphers) { policy->sc->server->protocol_set = 1; policy->sc->server->protocol = protocols; - policy->dc->proxy->protocol_set = 1; - policy->dc->proxy->protocol = protocols; } if (ciphers) { policy->sc->server->auth.cipher_suite = ciphers; - policy->dc->proxy->auth.cipher_suite = ciphers; } #ifndef OPENSSL_NO_COMP @@ -551,11 +525,6 @@ static void add_policy(apr_hash_t *policies, apr_pool_t *p, const char *name, #endif policy->sc->session_tickets = session_tickets ? TRUE : FALSE; - policy->dc->proxy->auth.verify_mode = proxy_verify_mode; - if (proxy_verify_depth >= 0) { - policy->dc->proxy->auth.verify_depth = proxy_verify_depth; - } - apr_hash_set(policies, policy->name, APR_HASH_KEY_STRING, policy); } @@ -577,9 +546,7 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create) SSL_POLICY_MODERN_CIPHERS, SSL_POLICY_HONOR_ORDER, SSL_POLICY_COMPRESSION, - SSL_POLICY_SESSION_TICKETS, - SSL_POLICY_PROXY_VERIFY_MODE, - SSL_POLICY_PROXY_VERIFY_DEPTH); + SSL_POLICY_SESSION_TICKETS); #endif #if SSL_POLICY_INTERMEDIATE add_policy(policies, p, "intermediate", @@ -587,9 +554,7 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create) SSL_POLICY_INTERMEDIATE_CIPHERS, SSL_POLICY_HONOR_ORDER, SSL_POLICY_COMPRESSION, - SSL_POLICY_SESSION_TICKETS, - SSL_POLICY_PROXY_VERIFY_MODE, - SSL_POLICY_PROXY_VERIFY_DEPTH); + SSL_POLICY_SESSION_TICKETS); #endif #if SSL_POLICY_OLD add_policy(policies, p, "old", @@ -597,9 +562,7 @@ static apr_hash_t *get_policies(apr_pool_t *p, int create) SSL_POLICY_OLD_CIPHERS, SSL_POLICY_HONOR_ORDER, SSL_POLICY_COMPRESSION, - SSL_POLICY_SESSION_TICKETS, - SSL_CVERIFY_NONE, - SSL_POLICY_PROXY_VERIFY_DEPTH); + SSL_POLICY_SESSION_TICKETS); #endif apr_pool_userdata_set(policies, SSL_MOD_POLICIES_KEY, @@ -639,143 +602,21 @@ SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name) return apr_hash_get(policies, name, APR_HASH_KEY_STRING); } -static void ssl_policy_set(apr_pool_t *pool, SSLPolicyRec *policy) -{ - apr_hash_t *policies = get_policies(pool, 1); - return apr_hash_set(policies, policy->name, APR_HASH_KEY_STRING, policy); -} - -const char *ssl_cmd_SSLPolicyDefine(cmd_parms *cmd, void *mconfig, const char *arg) -{ - server_rec *s = cmd->server; - SSLSrvConfigRec *sc = mySrvConfig(s); - SSLDirConfigRec *dc = ap_get_module_config(s->lookup_defaults, &ssl_module); - SSLPolicyRec *policy; - const char *endp = ap_strrchr_c(arg, '>'); - const char *err, *name; - - if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { - return err; - } - - if (endp == NULL) { - return apr_pstrcat(cmd->pool, cmd->cmd->name, "> directive missing closing '>'", NULL); - } - - arg = apr_pstrndup(cmd->pool, arg, endp-arg); - if (!arg || !*arg) { - return " block must specify a name"; - } - - name = ap_getword_white(cmd->pool, &arg); - if (*arg != '\0') { - return apr_pstrcat(cmd->pool, cmd->cmd->name, "> takes only 1 argument", NULL); - } - - policy = apr_pcalloc(cmd->pool, sizeof(*policy)); - policy->name = name; - policy->sc = ssl_config_server_new(cmd->pool); - policy->sc->mc = NULL; /* No global configs during SSLPolicy definition */ - policy->dc = ssl_config_perdir_create(cmd->pool, "/");/* TODO */ - - ap_set_module_config(s->module_config, &ssl_module, policy->sc); - ap_set_module_config(s->lookup_defaults, &ssl_module, policy->dc); - - err = ap_walk_config(cmd->directive->first_child, cmd, cmd->context); - if (!err) { - /* If this new policy uses other policies, we need to merge it - * before adding, otherwise a policy cannot re-use an existing one */ - ssl_policy_apply(policy->sc, cmd->pool); - ssl_dir_policy_apply(policy->dc, cmd->pool); - /* time to persist */ - ssl_policy_set(cmd->pool, policy); - } - - ap_set_module_config(s->module_config, &ssl_module, sc); - ap_set_module_config(s->lookup_defaults, &ssl_module, dc); - - return err; -} - const char *ssl_cmd_SSLPolicyApply(cmd_parms *cmd, void *mconfig, const char *arg) { - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - - if (!sc->policies) { - sc->policies = apr_array_make(cmd->pool, 5, sizeof(const char*)); - } - APR_ARRAY_PUSH(sc->policies, const char *) = arg; - - /* Also apply the proxy parts of the policy */ - return ssl_cmd_SSLProxyPolicyApply(cmd, mconfig, arg); -} - -const char *ssl_cmd_SSLProxyPolicyApply(cmd_parms *cmd, void *mconfig, const char *arg) -{ - SSLDirConfigRec *dc = ap_get_module_config(cmd->server->lookup_defaults, &ssl_module); - - if (!dc->policies) { - dc->policies = apr_array_make(cmd->pool, 5, sizeof(const char*)); - } - APR_ARRAY_PUSH(dc->policies, const char *) = arg; - - return NULL; -} - -void ssl_policy_apply(SSLSrvConfigRec *sc, apr_pool_t *p) -{ - SSLSrvConfigRec *mrg; + SSLSrvConfigRec *mrg, *sc = mySrvConfig(cmd->server); SSLPolicyRec *policy; - apr_array_header_t *policies; - const char *name; - int i; - - policies = sc->policies; - if (policies && policies->nelts > 0 && !sc->error_policy) { - sc->policies = NULL; - for (i = policies->nelts - 1; i >= 0; --i) { - name = APR_ARRAY_IDX(policies, i, const char *); - policy = ssl_policy_lookup(p, name); - if (policy) { - mrg = ssl_config_server_merge(p, policy->sc, sc); - /* apply in place */ - memcpy(sc, mrg, sizeof(*sc)); - } - else { - sc->error_policy = name; - break; - /* report error policies in post_config */ - } - } - } -} - -void ssl_dir_policy_apply(SSLDirConfigRec *dc, apr_pool_t *p) -{ - SSLDirConfigRec *mrg; - SSLPolicyRec *policy; - apr_array_header_t *policies; - const char *name; - int i; - policies = dc->policies; - if (policies && policies->nelts > 0 &&!dc->error_policy) { - dc->policies = NULL; - for (i = policies->nelts - 1; i >= 0; --i) { - name = APR_ARRAY_IDX(policies, i, const char *); - policy = ssl_policy_lookup(p, name); - if (policy) { - mrg = ssl_config_perdir_merge(p, policy->dc, dc); - /* apply in place */ - memcpy(dc, mrg, sizeof(*dc)); - } - else { - dc->error_policy = name; - break; - /* report error policies in post_config */ - } - } + policy = ssl_policy_lookup(cmd->pool, arg); + if (policy) { + mrg = ssl_config_server_merge(cmd->pool, policy->sc, sc); + /* apply in place */ + memcpy(sc, mrg, sizeof(*sc)); + return NULL; } + return apr_pstrcat(cmd->pool, + "An SSLPolicy with the name '", arg, + "' does not exist", NULL); } /* @@ -2366,8 +2207,6 @@ const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, static void ssl_srv_dump(SSLSrvConfigRec *sc, apr_pool_t *p, apr_file_t *out, const char *indent, const char **psep); -static void ssl_dir_dump(SSLDirConfigRec *dc, apr_pool_t *p, - apr_file_t *out, const char *indent, const char **psep); static void ssl_policy_dump(SSLPolicyRec *policy, apr_pool_t *p, apr_file_t *out, const char *indent); @@ -2622,20 +2461,6 @@ static void val_crl_check_dump(apr_file_t *out, const char *key, int mask, } } -static void val_option_dump(apr_file_t *out, const char *key, const char *optname, - int val, int set_mask, int add_mask, int del_mask, - apr_pool_t *p, const char *indent, const char **psep) -{ - const char *op = ((val & set_mask)? "" : - ((val & add_mask)? "+" : - (val & del_mask)? "-" : NULL)); - if (op) { - apr_file_printf(out, "%s\n%s\"%s\": \"%s%s\"", *psep, indent, key, op, - json_quote(optname, p)); - *psep = ", "; - } -} - static const char *protocol_str(ssl_proto_t proto, apr_pool_t *p) { if (SSL_PROTOCOL_NONE == proto) { @@ -2798,34 +2623,6 @@ static void ssl_srv_dump(SSLSrvConfigRec *sc, apr_pool_t *p, DMP_ON_OFF("SSLFIPS", sc->fips); #endif DMP_ON_OFF("SSLSessionTickets", sc->session_tickets); - DMP_STRARR("SSLPolicy", sc->policies); -} - -static void ssl_dir_dump(SSLDirConfigRec *dc, apr_pool_t *p, - apr_file_t *out, const char *indent, const char **psep) -{ - int i; - - DMP_ON_OFF("SSLProxyEngine", dc->proxy_enabled); - - modssl_ctx_dump(dc->proxy, p, 1, out, indent, psep); - - if (dc->bSSLRequired == TRUE) { - DMP_ON_OFF("SSLRequireSSL", dc->bSSLRequired); - } - if (dc->aRequirement && dc->aRequirement->nelts > 0) { - ssl_require_t *r = (ssl_require_t *)dc->aRequirement->elts; - for (i = 0; i < dc->aRequirement->nelts; ++i, ++r) { - DMP_STRING("SSLRequire", r->cpExpr); - } - } - DMP_OPTION("StdEnvVars", SSL_OPT_STDENVVARS); - DMP_OPTION("ExportCertData", SSL_OPT_EXPORTCERTDATA); - DMP_OPTION("FakeBasicAuth", SSL_OPT_FAKEBASICAUTH); - DMP_OPTION("StrictRequire", SSL_OPT_STRICTREQUIRE); - DMP_OPTION("OptRenegotiate", SSL_OPT_OPTRENEGOTIATE); - DMP_OPTION("LegacyDNStringFormat", SSL_OPT_LEGACYDNFORMAT); - DMP_STRARR("SSLProxyPolicy", dc->policies); } static void ssl_policy_dump(SSLPolicyRec *policy, apr_pool_t *p, @@ -2835,9 +2632,6 @@ static void ssl_policy_dump(SSLPolicyRec *policy, apr_pool_t *p, if (policy->sc) { ssl_srv_dump(policy->sc, p, out, indent, &sep); } - if (policy->dc) { - ssl_dir_dump(policy->dc, p, out, indent, &sep); - } } diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 347631444e..8ac64d1571 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -297,13 +297,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->fips = FALSE; } #endif - - if (sc->error_policy) { - rv = ssl_policy_lookup(p, sc->error_policy)? APR_EGENERAL : APR_ENOENT; - ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(10094) - "Applying SSLPolicy '%s'", sc->error_policy); - return rv; - } } #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API diff --git a/modules/ssl/ssl_policies.h b/modules/ssl/ssl_policies.h index 5ce55b75ea..8b5e070b11 100644 --- a/modules/ssl/ssl_policies.h +++ b/modules/ssl/ssl_policies.h @@ -51,8 +51,6 @@ #define SSL_POLICY_HONOR_ORDER 1 #define SSL_POLICY_COMPRESSION 0 #define SSL_POLICY_SESSION_TICKETS 0 -#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE -#define SSL_POLICY_PROXY_VERIFY_DEPTH -1 /** * Define a core set of policies that are always there: diff --git a/modules/ssl/ssl_policies.h.in b/modules/ssl/ssl_policies.h.in index 164053c8d1..16e3de7faf 100644 --- a/modules/ssl/ssl_policies.h.in +++ b/modules/ssl/ssl_policies.h.in @@ -51,8 +51,6 @@ #define SSL_POLICY_HONOR_ORDER 1 #define SSL_POLICY_COMPRESSION 0 #define SSL_POLICY_SESSION_TICKETS 0 -#define SSL_POLICY_PROXY_VERIFY_MODE SSL_CVERIFY_REQUIRE -#define SSL_POLICY_PROXY_VERIFY_DEPTH -1 /** * Define a core set of policies that are always there: diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 2260f0c287..e3f3aa5abc 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -742,8 +742,6 @@ struct SSLSrvConfigRec { #endif BOOL session_tickets; - apr_array_header_t *policies; /* policy that shall be applied to this config */ - const char *error_policy; /* error in policy merge, bubble up */ server_addr_rec *enabled_on; /* optional list of addresses where ssl is enabled */ }; @@ -767,16 +765,12 @@ struct SSLDirConfigRec { modssl_ctx_t *proxy; BOOL proxy_enabled; BOOL proxy_post_config; - - apr_array_header_t *policies; /* policy that shall be applied to this config */ - const char *error_policy; /* error in policy merge, bubble up */ }; typedef struct SSLPolicyRec SSLPolicyRec; struct SSLPolicyRec { const char *name; SSLSrvConfigRec *sc; - SSLDirConfigRec *dc; }; SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name); @@ -798,7 +792,6 @@ void *ssl_config_perdir_create(apr_pool_t *, char *); void *ssl_config_perdir_merge(apr_pool_t *, void *, void *); void ssl_config_proxy_merge(apr_pool_t *, SSLDirConfigRec *, SSLDirConfigRec *); -const char *ssl_cmd_SSLPolicyDefine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLPolicyApply(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *); @@ -831,7 +824,6 @@ const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char * const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag); -const char *ssl_cmd_SSLProxyPolicyApply(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);