* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
around passphrase entry.
(modssl_load_engine_keypair): Take vhost ID and use above rather than
default OpenSSL UI.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Pass vhost ID.
Submitted by: Anderson Sasaki<ansaski redhat.com>, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1835240 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitely but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends is LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833598 13f79535-47bb-0310-9956-ffa450edef68
engine.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1831168 13f79535-47bb-0310-9956-ffa450edef68
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.
* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.
Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1830819 13f79535-47bb-0310-9956-ffa450edef68
for a vhost if SSLEnable is not used and no certs are configured,
even if the Listen protocol is "https". Restores behaviour to that
prior to r1809303 for configs which would now otherwise fail at
startup.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829513 13f79535-47bb-0310-9956-ffa450edef68
across a reload so don't backport this to 2.4. Otherwise it's only
user-visible in logging output.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Derive the vhost_id
*after* potentially setting sc->enabled to default-on, since the
port used may change if not specified explicitly.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828913 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827561 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_init.c (ssl_init_ca_cert_path): Since
SSL_add_file_cert_subjects_to_stack() internally replaces the
comparison callback with one equivalent to
ssl_init_FindCAList_X509NameCmp, there's no point in using that
here.
(ssl_init_FindCAList_X509NameCmp): Removed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1825124 13f79535-47bb-0310-9956-ffa450edef68
(ssl_init_ca_cert_path): Use SSL_add_file_cert_subjects_to_stack()
instead.
[Edit: This does change behaviour: the acceptable client CA list is now
always be sent in sorted order rather than configured/file order.
In the case of SSLCACertificatePath and SSLCADNRequestPath, the
order will be stable rather than non-determistic as previously.]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1825120 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: unshare SSLSrvConfigRec instances between base server and virtual hosts. This avoids
overwrites of later initializattions (vhost_id), selective disables by "SSLEngine addr-list"
and certificate/key pickup from mod_md.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1809037 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
OpenSSL team is committed to preserving safe _free(NULL) behaviors, and the
overhead of these calls in the context setup path is inconsequential.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783434 13f79535-47bb-0310-9956-ffa450edef68
