Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".
With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with "httpd -t -f httpd.conf".
Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes#523
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68
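
The following is an added example, not httpd's own code: a small resolver that applies the documented SSLProtocol semantics (a bare name replaces the current set, "+" adds, "-" removes, "all" means every known protocol) and reports the same "no protocols available" condition as the AH02231 startup error, so the three invalid combinations listed above are rejected up front. The protocol name list is a constructed sample; the function names are this example's own.

```python
"""Resolve an SSLProtocol argument list and flag combinations that leave
no protocol enabled (added example, not mod_ssl code).

Assumptions (not from the page): the +/- prefix rules follow the documented
directive semantics, and PROTOCOLS is a constructed sample of names.
"""
import shlex

# Constructed sample of protocol names the resolver knows about.
PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


class SSLProtocolError(ValueError):
    """Raised for an unparseable token, e.g. an unknown protocol name."""


def resolve_sslprotocol(arg: str) -> set:
    """Return the set of protocols left enabled after applying every token.

    Tokens are split like a config line, so quoted forms such as
    SSLProtocol "-TLSv1" are handled the same as unquoted ones.
    """
    enabled = set()
    for word in shlex.split(arg):
        action = None
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        lw = word.lower()
        if lw == "all":
            chosen = set(PROTOCOLS)
        else:
            chosen = {p for p in PROTOCOLS if p.lower() == lw}
            if not chosen:
                raise SSLProtocolError(f"unknown protocol '{word}'")
        if action == "-":
            enabled -= chosen          # remove from the current set
        elif action == "+":
            enabled |= chosen          # add to the current set
        else:
            enabled = chosen           # bare name replaces the current set
    return enabled


def check_sslprotocol(arg: str):
    """Config-check style validation: (ok, message).

    An empty resulting set is the condition that used to surface only at
    startup as AH02231; here it is reported at check time instead.
    """
    try:
        enabled = resolve_sslprotocol(arg)
    except SSLProtocolError as exc:
        return False, str(exc)
    if not enabled:
        return False, "No SSL protocols available [hint: SSLProtocol]"
    return True, " ".join(sorted(enabled))


if __name__ == "__main__":
    for directive in ('"-TLSv1"', "-all", "TLSv1.2 -TLSv1.2",
                      "all -SSLv3 -TLSv1 -TLSv1.1", "-all +TLSv1.2"):
        print(f"SSLProtocol {directive:28} -> {check_sslprotocol(directive)}")
```

Run it directly to see each of the three invalid directives from the commit message rejected, alongside two valid forms that resolve to a non-empty set.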
has global effect.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd):
Disallow use within vhost context.
PR: 69397
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68
is now approaching 15 years old.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
Fail if used.
(ssl_config_server_new, ssl_config_server_merge): Remove insecure
reneg handling.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Remove
insecure_reneg handling.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917600 13f79535-47bb-0310-9956-ffa450edef68
Latest OpenSSL versions have OPENSSL_NO_COMP by default, avoid breaking
existing "SSLCompression off" in configurations since it's a noop.
* modules/ssl/ssl_engine_config.c(ssl_cmd_SSLCompression):
Don't fail for OPENSSL_NO_COMP if the flag is "off".
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916561 13f79535-47bb-0310-9956-ffa450edef68
Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not
available, OPENSSL_NO_ENGINE or more generally with the new API (providers)
available since OpenSSL >= 3.
* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.
* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and
HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.
Submitted by: ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913815 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl_openssl.h:
Make it the first OpenSSL header to be included, selecting the
OpenSSL API based on OPENSSL_API_COMPAT eventually.
* ssl_private.h:
Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting the ENGINE_ API)
before including mod_ssl_openssl.h to enable the ENGINE_ API (TODO: switch to
the new "providers" API before the ENGINE_ API is abandoned..).
mod_ssl.h is now implicitly included from there.
Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
engine features are disabled, only "builtin" is accepted).
Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this API
above, so it might not be implemented in httpd anymore at some point..).
Define X509_get_not{Before,After} if missing to the non deprecated version.
New modssl_set_io_callbacks() to factorize compat code for io callbacks.
ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
modssl_dh_pkey_from_file() for openssl >= 3.0.
* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
Including "ssl_private.h" only is suited/enough now.
* mod_ssl_ct.c, ssl_ct_log_config:
Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
Disable engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.
* ssl_engine_init:
New compat modssl_runtime_lib_version() to address deprecated SSLeay().
ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
Compat loading DH parameters and EC curve from cert.
* ssl_engine_io.c, ssl_engine_kernel.c:
Implement common modssl_set_io_callbacks() and use it.
* ssl_engine_pphrase(modssl_load_engine_keypair):
Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
* ssl_util.c(modssl_is_engine_id):
No engine supported unless MODSSL_HAVE_ENGINE_API.
* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
Compat with openssl >= 3.0.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
to PEM, to avoid newline mangling issues when using PEM in header
values.
* modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data):
New function, replacing ssl_var_lookup_ssl_cert_PEM.
(ssl_var_lookup_ssl): Use it, and add _B64CERT variants of
SSL_{CLIENT,SERVER}_CERT.
(ssl_var_lookup_ssl_cert_chain): Use it.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support
"ExportBase64CertData" argument.
* modules/ssl/ssl_engine_kernel.c (extract_to_env): New function.
(ssl_hook_Fixup): Use it, also export _B64CERT variables if
SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain
handling.
PR: 65169
Reviewed by: michaelo
Github: closes#177
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68
Require that OpenSSL is configured with a suitable entropy source,
or fail startup otherwise.
* modules/ssl/ssl_private.h:
Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1.
(SSLModConfigRec): Only define pid, aRandSeed for <1.1.1.
(ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND.
* modules/ssl/ssl_engine_init.c (ssl_init_Module):
Only initialize mc->pid for MODSSL_USE_SSLRAND.
Fail if RAND_status() returns zero.
(ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND.
* modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND.
(ssl_rand_seed): Drop warning if PRNG not seeded (now a startup
error as above).
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop
aRandSeed initialization. (ssl_cmd_SSLRandomSeed): Log a warning if
used w/!MODSSL_USE_SSLRAND.
Github: closes#123
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877467 13f79535-47bb-0310-9956-ffa450edef68
vhost at startup, rather than building it for each new connection.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec):
Replace vhost_id_len field with vhost_md5.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Build the
sc->vhost_md5 hash here.
* modules/ssl/mod_ssl.c: Fail at compile time if the
SSL_set_session_id_context() API constraint on context length is
violated.
(ssl_init_ssl_connection): Use sc->vhost_md5.
* modules/ssl/ssl_engine_kernel.c (ssl_find_vhost): Use sc->vhost_md5
after renegotiation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877349 13f79535-47bb-0310-9956-ffa450edef68
Drop the field from SSLModConfigRec and use pconf instead (where
appropriate) to match the new SSLModConfigRec lifetime.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_DelSessionCacheEntry):
Explicitly (and probably unsafely) use the process pool.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRandomSeed): Use
cmd->pool to allocate paths.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Use pconf
to allocate the keylog_file.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Drop lookup
of SSLModConfigRec and use s->process->pool when no pool is
passed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877347 13f79535-47bb-0310-9956-ffa450edef68
Allocate SSLModConfigRec from pconf rather than the process pool.
* modules/ssl/ssl_private.h: Add modssl_retained_data_t structure and
move private key storage here from SSLModConfigRec. Add retained
pointer to SSLModConfigRec.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Take
pool argument; allocate SSLModConfigRec from there and
initialize mc->retained. SSLModConfigRec no longer cached for the
process lifetime.
(ssl_init_Module): Sanity check that sc->mc is correct.
(ssl_init_server_certs): Use private keys from mc->retained.
* modules/ssl/ssl_engine_pphrase.c
(privkey_vhost_keyid): Rename from asn1_table_vhost_key and
update to use the retained structure.
(ssl_load_encrypted_pkey): Update for above.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Remove
(apparently) redundant call to ssl_config_global_create and
add debug asserts to validate that is safe.
Github: closes#119
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877345 13f79535-47bb-0310-9956-ffa450edef68
SSL library setting. Additionally, always log the FIPS mode since it
can be set outside of the httpd config.
* modules/ssl/ssl_private.h (SSLModConfigRec): Move fips field here.
(SSLSrvConfigRec): ... from here.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLFIPS): Adjust for fips
field move.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Adjust for fips
field move. Always log the OpenSSL FIPS mode state even if SSLFIPS
is not used.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877261 13f79535-47bb-0310-9956-ffa450edef68
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
PR: 63391
Github: closes#74
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869842 13f79535-47bb-0310-9956-ffa450edef68
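
As an added example (not httpd's or Wireshark's code), here is a parser for the key log format written when SSLKEYLOGFILE is set: one record per line, `LABEL <client_random hex> <secret hex>`, with `CLIENT_RANDOM` carrying the 48-byte master secret for TLS 1.2 and earlier and the `*_TRAFFIC_SECRET*` labels carrying TLS 1.3 secrets. The sample lines are constructed (repeated bytes, not real session secrets) and the label set is the one Wireshark documents; everything else is this example's own naming.

```python
"""Parse an NSS-style TLS key log such as the one mod_ssl writes for
SSLKEYLOGFILE (added example, not mod_ssl code).

Assumptions (not from the page): the label names below are the ones
Wireshark documents; SAMPLE is a constructed log with fake secrets.
"""
import binascii
from collections import defaultdict

TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS13_LABELS | {"CLIENT_RANDOM"}


def parse_keylog(text: str):
    """Return ({client_random_hex: {label: secret_bytes}}, [(line_no, reason)]).

    Malformed lines are reported rather than silently dropped, since a
    truncated or hand-edited log is the usual reason decryption fails.
    """
    sessions = defaultdict(dict)
    skipped = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are allowed
        parts = line.split()
        if len(parts) != 3:
            skipped.append((n, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in KNOWN_LABELS:
            skipped.append((n, f"unknown label {label}"))
            continue
        try:
            cr = binascii.unhexlify(client_random)
            sec = binascii.unhexlify(secret)
        except (binascii.Error, ValueError):
            skipped.append((n, "bad hex"))
            continue
        if len(cr) != 32:
            skipped.append((n, "client random must be 32 bytes"))
            continue
        if label == "CLIENT_RANDOM" and len(sec) != 48:
            skipped.append((n, "master secret must be 48 bytes"))
            continue
        sessions[cr.hex()][label] = sec   # client random keys the session
    return dict(sessions), skipped


def tls_version_of(labels) -> str:
    """Classify a session by which labels were logged for it."""
    if labels & TLS13_LABELS:
        return "TLS1.3"
    if "CLIENT_RANDOM" in labels:
        return "TLS1.2-or-older"
    return "unknown"


# Constructed sample log: fake, repeated-byte values, not real secrets.
SAMPLE = """# constructed sample, not real secrets
CLIENT_RANDOM {cr1} {ms}
SERVER_HANDSHAKE_TRAFFIC_SECRET {cr2} {s1}
CLIENT_TRAFFIC_SECRET_0 {cr2} {s2}
CLIENT_RANDOM {cr1} short
BOGUS_LABEL {cr1} {ms}
""".format(cr1="11" * 32, ms="22" * 48, cr2="33" * 32, s1="44" * 32, s2="55" * 32)


if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE)
    for cr, labels in found.items():
        print(cr[:16] + "...", tls_version_of(set(labels)), sorted(labels))
    for n, why in bad:
        print(f"line {n} skipped: {why}")
```

Pointing `parse_keylog` at a real SSLKEYLOGFILE shows which client randoms have usable secrets before you hand the file to Wireshark; a capture whose ClientHello random is absent from the parsed set will not decrypt whatever else is in the log.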
If dumping the config, don't validate the paths. Allows
e.g. "httpd -L" to work w/ certs configured but not present,
doesn't affect "httpd -t".
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1861269 13f79535-47bb-0310-9956-ffa450edef68
by SSLProxyMachineCertificate{File|Path}.
The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.
This fixes a regression likely introduced in r1740928.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1844002 13f79535-47bb-0310-9956-ffa450edef68
* eliminated SSLPolicyRec as name no longer used
* eliminated some left over parameters in internal functions due to policy def removal
* reverted a NULL test, necessary before
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1832994 13f79535-47bb-0310-9956-ffa450edef68
engine.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1831168 13f79535-47bb-0310-9956-ffa450edef68
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.
* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.
Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1830819 13f79535-47bb-0310-9956-ffa450edef68
Regression introduced in 2.4.30. PR 62232.
The proxy SSL_CTX was not inherited from the vhost (the only available in
2.4.29) in/for any directory context besides <Proxy>...
Mostly debugged and fixed by Rainer, thanks!
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828390 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827561 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
for new server config merge flag. Denying global, only once used directives
inside a SSLPolicyDefine.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1817381 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: not using SSLV3 constant that would define what we mean by SSL version 3 if openssl does not know about SSL version 3. Then we pretend to not know about it either.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1805186 13f79535-47bb-0310-9956-ffa450edef68