Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645940 13f79535-47bb-0310-9956-ffa450edef68
Use the ap_provider interface for session cache storage providers.
* modules/ssl/mod_ssl.c (modssl_register_scache): New function.
(ssl_register_hooks): Call it.
* modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP
and MODSSL_SESSCACHE_PROVIDER_VERSION constants.
Remove ssl_scmode_t type. Change nSessionCacheMode in
SSLModConfigRec into a long sesscache_mode, storing the OpenSSL
SSL_SESS_CACHE_* flags directly.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set
sesscache_mode to SSL_SESS_CACHE_OFF by default.
(ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured
session cache by provider name. Set mc->sesscache_mode for
configured providers.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the
configured mode flags directly from mc->sesscache_mode.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@631000 13f79535-47bb-0310-9956-ffa450edef68
Move provider-specific configuration handling down into the provider
code. Eliminate all use of SSLModConfigRec within provider code.
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add 'create'
function which creates and configures the cache provider, before
initialisation. Change 'init' function to take the context pointer
as an input parameter, and reorder to be first.
* modules/ssl/ssl_scache.c (ssl_scache_init): Adjust accordingly.
* modules/ssl/ssl_scache_memcache.c (struct context): Add servers
field.
(ssl_scache_mc_create): New function.
(ssl_scache_mc_init): Use servers from context not SSLModConfigRec.
* modules/ssl/ssl_scache_dbm.c (struct context): Define.
(ssl_scache_dbm_create): New function.
(ssl_scache_dbm_init, ssl_scache_dbm_kill): Adjust to use filename
and pool from context.
(ssl_scache_dbm_store, ssl_scache_dbm_retrieve,
ssl_scache_dbm_status): Use filename from context. Use context pool
for temp storage of the DBM object, and clear before use.
(ssl_scache_dbm_expire): Remove static tLast; use last_expiry from
context. Use context pool for temp storage and clear before use.
* modules/ssl/ssl_scache_dc.c (struct context): Add target field.
(ssl_scache_dc_init, ssl_scache_dc_status): Use target from context.
* modules/ssl/ssl_scache_shmcb.c (struct context): Add data_file,
shm_size fields.
(ssl_scache_shmcb_create): New function; moved argument parsing
logic from ssl_cmd_SSLSessionCache
(ssl_scache_shmcb_init, ssl_scache_shmcb_status): Use config from
context.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Remove
handling of old provider-specific fields.
(ssl_cmd_SSLSessionCache): Call provider ->create function to parse
the argument and create provider-specific context structure.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630974 13f79535-47bb-0310-9956-ffa450edef68
Move provider-private context out of SSLModConfigRec and into an
opaque context pointer. Use real error propagation in the ->init
functions rather than ssl_die().
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Take a
context out-parameter from ->init, and return an apr_status_t.
Add context pointer as first arg for the other function types.
(SSLModConfigRec): Remove tSessionCacheData* fields; add
sesscache_context field.
* modules/ssl/ssl_scache.c (ssl_scache_init): Move once-per-process
invocation check back into here.
(ssl_scache_*): Adjust to use context pointer.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_dc.c,
modules/ssl/ssl_scache_dbm.c: Adjust all implementations to use
opaque context pointer.
* modules/ssl/ssl_scache_memcache.c: Move memcache context into the
context structure rather than using global state.
* modules/ssl/ssl_engine_config.c: Remove handling of
pSessionCacheData* fields in SSLModConfigRec.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630323 13f79535-47bb-0310-9956-ffa450edef68
step towards use of the ap_provider interface:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new
vtable type.
(SSLModConfigRec): Reference the vtable here.
Replace all the ssl_scache_* prototypes with provider vtable objects.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove,
ssl_ext_status_hook): Use callbacks from vtable rather than ifdef
spaghetti.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache):
Only install the OpenSSL callbacks if a vtable is configured.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up
vtable pointer.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make
implementations static, and add vtable definition.
* modules/ssl_scache_shmcb.c: Likewise; also move the init
one-per-process requirement down here.
* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local
subpool in the store callback.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630163 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured an the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@599385 13f79535-47bb-0310-9956-ffa450edef68
cannot be data symbols when mod_ssl is built as a loadable module;
using an external string constant in a loadable module is not portable.
Also reorganize file and sem to follow their explicit mechanisms,
and ensured that the explicit mechansims are listed in order of
preference.
This raises a question, would [fcntl|file] be a clearer way of
indiciating what the file/sem methods devolve to?
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@568833 13f79535-47bb-0310-9956-ffa450edef68
locking method and the lockfile location, I never
liked how AcceptMutex was linked to LockFile. This
seemed unnecessary. Much better to have AcceptMutex
do both as well. Plus, now that we will likely see
other modules require a "standard" way of setting
mutexes, why not have Apache provide that as
an API of sorts.
Anyway, LockFile is now depreciated and AcceptMutex
is now SSLMutex-like. We also provide a short
function that "parses" out a mutex parameter
and strips out the mechanism and lockfile location.
AcceptMutex and SSLMutex is this capability.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@467326 13f79535-47bb-0310-9956-ffa450edef68
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@416265 13f79535-47bb-0310-9956-ffa450edef68
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
configured SSL certificates to stdout, useful for cron-ing through a
"do I need to renew any of my certificates this week" tool:
* modules/ssl/ssl_engine_config.c (ssl_hook_ConfigTest): New function.
* modules/ssl/mod_ssl.c (ssl_register_hooks): ...register it as a
test_config hook.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105741 13f79535-47bb-0310-9956-ffa450edef68
which uses the server's cipher preference order rather than the
client's.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.
PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103832 13f79535-47bb-0310-9956-ffa450edef68
never implemented in 2.0 and never needed to be.
* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.
* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103829 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
data corruption bugs since being apr_rmm'ified.
* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.
* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.
* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.
* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.
* ssl_scache.c: Remove shmht hooks throughout.
* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101888 13f79535-47bb-0310-9956-ffa450edef68
openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied. otherwise, mod_ssl
will fail to link.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100970 13f79535-47bb-0310-9956-ffa450edef68
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex.
This resolves a fatal problem with mod_rewrite on systems where
APR uses flock-based mutex.
It simplifies mod_ssl as well, which had special logic to perform
the chown(). It fixed an init error with mod_ssl on systems where
flock is used when the user had no SSLMutex directive.
The Unix MPMs continue to call unixd_set_global|proc_mutex_perms()
only for SysV sems. There is no permission problem with flock-based
accept mutexes since the child init logic for the MPMs is done
prior to switching identity.
PR: 20312
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100189 13f79535-47bb-0310-9956-ffa450edef68
find a device. Still would be nice to implement dynamic:{options}
but this gets us to display the usual, builtin devices.
We now load builtin engines up front, in the pre_config phase, because
this and any other config cmd processor must have an already valid
library config. So loading builtin engines becomes redundant in this
cmd handler.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100108 13f79535-47bb-0310-9956-ffa450edef68
to check for both the existence of the openssl/engine.h header file
and some 'expected function' such as ENGINE_init() (better suggestions
are welcome.) Also clear up some confusion; so long as we have
ENGINE_load_builtin_engines() we should attempt to preload those.
This patch protects all ENGINE-based code within the tests for the
engine header and function, and changes a version test into a
function test.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100104 13f79535-47bb-0310-9956-ffa450edef68
server root unless we are using posixsem, which can't handle big paths.
This reorganization should make the code much more readable because
all of the common code is at the beginning and end of the function,
simplifing the long conditional test case block.
This patch allows SSLMutex default:logs/ssl_mutex syntax. It also
removes the mod_ssl historical '.pid' suffixes - that isn't how Apache2
specifies files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99094 13f79535-47bb-0310-9956-ffa450edef68
matter what. We now allow for the full range of APR mutex
locking mechanims to be used, while maintaining backwards
compatibility.
PR: 8122
Obtained from:
Submitted by:
Reviewed by: William Rowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98771 13f79535-47bb-0310-9956-ffa450edef68
SSLEngine upgrade so that we can begin and continue to support these
facilities. This makes it simpler to keep this effort (while we have
no known clients that support Connection: upgrade at this time), and
begin refactoring more of SSL into smaller and tighter (and then optional)
components.
Submitted by: Ryan Bloom
Reviewed by: William Rowe, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97912 13f79535-47bb-0310-9956-ffa450edef68
(and allow 8192 to be valid). Secondly, this missplaced else
made the size part (8192) non-optional for shm:
PR:
Obtained from:
Submitted by:
Reviewed by:
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97281 13f79535-47bb-0310-9956-ffa450edef68
