* modules/ssl/mod_ssl_ct.c(client_extension_add_callback,
server_extension_add_callback):
Variable ext_type is unsigned, so use %u instead of %hu.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916924 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl_openssl.h:
Make it the first openssl to be included openssl header, selecting the
OpenSSL api based on OPENSSL_API_COMPAT eventually.
* ssl_private.h;
Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting EGINE_ API)
before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
new "providers" api before the ENGINE_ api is abandonned..).
mod_ssl.h is now implicitely included from there.
Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
engine features are disabled, only "builtin" is accepted).
Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
above, so it might not be implemenentedain httpd anymore at some point..).
Define X509_get_not{Before,After} if missing to the non deprecated version.
New modssl_set_io_callbacks() to factorize compat code for io callbacks.
ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
modssl_dh_pkey_from_file() for openssl >= 3.0.
* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
Including "ssl_private.h" only is suited/enough now.
* mod_ssl_ct.c, ssl_ct_log_config:
Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.
* ssl_engine_init:
New compat modssl_runtime_lib_version() to address deprecated SSLeay().
ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
Compat loading DH parameters and EC curve from cert.
* ssl_engine_io.c, ssl_engine_kernel.c:
Implement common modssl_set_io_callbacks() and use it.
* ssl_engine_pphrase(modssl_load_engine_keypair):
Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
* ssl_util.c(modssl_is_engine_id):
No engine supported unless MODSSL_HAVE_ENGINE_API.
* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
Compat with openssl >= 3.0.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
#define ap_thread_create, ap_thread_current_create and ap_thread_current to
their apr-1.8+ equivalent if available, or implement them using the compiler's
thread_local mechanism if available, or finally provide stubs otherwise.
#define AP_HAS_THREAD_LOCAL to 1 in the two former case or 0 otherwise, while
AP_THREAD_LOCAL is defined to the compiler's keyword iff AP_HAS_THREAD_LOCAL.
Replace all apr_thread_create() calls with ap_thread_create() so that httpd
threads can use ap_thread_current()'s pool data as Thread Local Storage.
Bump MMN minor.
* include/httpd.h():
Define AP_HAS_THREAD_LOCAL, AP_THREAD_LOCAL (eventually), ap_thread_create(),
ap_thread_current_create() and ap_thread_current().
* server/util.c:
Implement ap_thread_create(), ap_thread_current_create() and
ap_thread_current() when APR < 1.8.
* modules/core/mod_watchdog.c, modules/http2/h2_workers.c,
modules/ssl/mod_ssl_ct.c:
Use ap_thread_create() instead of apr_thread_create.
* server/main.c:
Use AP_HAS_THREAD_LOCAL and ap_thread_current_create instead of APR's.
* server/util_pcre.c:
Use AP_HAS_THREAD_LOCAL and ap_thread_current instead of APR's.
* server/mpm/event/event.c, server/mpm/worker/worker.c,
server/mpm/prefork/prefork.c:
Use ap_thread_create() instead of apr_thread_create.
Create an apr_thread_t/ap_thread_current() for the main chaild thread usable
at child_init().
* server/mpm/winnt/child.c:
Use ap_thread_create() instead of CreateThread().
Create an apr_thread_t/ap_thread_current() for the main chaild thread usable
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897460 13f79535-47bb-0310-9956-ffa450edef68
This can happen on stop/restart for the daeomon thread, or on clean_child_exit()
for the service thread.
When an apr_thread_create()d thread exits it destroys its pool (in any case),
either explicitely when apr_thread_exit() is called, or implicitely after the
function returns (only in APR 2.0 for now).
So we should make sure that mod_ssl_ct's daemon and service threads exit before
pconf and pchild (the parent pools, respectively) destroy their children pools,
otherwise the threads' pool will be destroyed twice and cause a crash.
Using a pre_cleanup to wait for the threads avoids this.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883667 13f79535-47bb-0310-9956-ffa450edef68
This is most likely a follow-up to r1628833.
At some point during the OpenSSL 1.0.2 beta, the contract for custom
extension callbacks changed from "returning -1 skips the extension" to
"returning -1 will issue a TLS fatal alert". This caused mod_ssl_ct to
abort TLS connections that it intended to ignore. Zero is the correct
return value for "do nothing" in 1.0.2.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1791845 13f79535-47bb-0310-9956-ffa450edef68
doesn't contain mod_ssl_ct's own directives, because the
module config needs to represent that vhost's certificates.
PR: 57533
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1661540 13f79535-47bb-0310-9956-ffa450edef68
The hard-coded 2 byte offset to get to the list (in lieu of
the proper logic) didn't survive the addition of the SCT
from an additional log.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645546 13f79535-47bb-0310-9956-ffa450edef68
(e.g., as of certificate-transparency commit
3f03188fe89974d45345fddee64a8227bd2ec26a)
The interface to the "ct" tool now requires the log's URL and
public key, resulting in a bit of refactoring in the module.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1630624 13f79535-47bb-0310-9956-ffa450edef68
Transparency (RFC 6962) for httpd.
mod_ssl_ct requires OpenSSL 1.0.2 (in beta) and must be explicitly
enabled via configure.
Note that support/ctauditscts is purposefully not installed; it
does not properly function due to a dependency on a
certificate-transparency open source project tool which itself is
not sufficiently complete at this time.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588987 13f79535-47bb-0310-9956-ffa450edef68
