(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425874 13f79535-47bb-0310-9956-ffa450edef68
response status in the 502 error bucket; fortuitously this error
bucket is currently ignored so this bug was not user-visible.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1416589 13f79535-47bb-0310-9956-ffa450edef68
after support for non-OpenSSL toolkits has been dropped.
Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
"coalesce" filter which buffers the plaintext, and remove buffering
of the SSL records -- i.e. buffer before the SSL output filter,
rather than after it. This aims to reduce the network overhead
imposed by the output of many small brigades (such as produced by
chunked HTTP response), which can now be transformed into a few
large TLS records rather than many small ones.
(ssl_filter_ctx_t): Remove "nobuffer" field.
(bio_filter_out_ctx_t): Remove length, buffer, blen fields.
(bio_filter_out_pass): Split from bio_filter_out_flush.
(bio_filter_out_write): Remove handling of buffer.
(bio_filter_out_ctrl): Adjust to reflect lack of buffer.
(ssl_io_filter_coalesce): Add new filter...
(ssl_io_filter_init): ...add it to the filter chain...
(ssl_io_filter_register): ...and register it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1059910 13f79535-47bb-0310-9956-ffa450edef68
failed such that mod_proxy can put the worker in error state.
PR: 50332
Submitted by: Daniel Ruggeri <DRuggeri primary.net>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1039304 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function.
(ssl_hook_Access): Forcibly disable keepalive for the connection if
there is any buffered data readable from the input filter stack.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the
BIO uses blocking operations when invoked outside direct control of
the httpd filter stack.
Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this
technique.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@891282 13f79535-47bb-0310-9956-ffa450edef68
Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.
Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
(ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
the (renamed) info callback unconditionally.
* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
to SSLConnRec.
(bio_filter_out_write, bio_filter_in_read): Fail with
APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
of ssl_callback_LogTracingState.
(ssl_callback_Info): New function.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833582 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_io.c (bio_filter_in_read): Flush pending
output unconditionally since OpenSSL is known to not flush correctly
at all times, and it should be cheap even in cases where it is
unnecessary.
PR: 46952
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@788715 13f79535-47bb-0310-9956-ffa450edef68
implementation of BIO_CTRL_PENDING and BIO_CTRL_WPENDING, to return
zero and pending-bytes-to-write respectively.
PR: 46952
Submitted by: David Smith <David.Smith cern.ch>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@787722 13f79535-47bb-0310-9956-ffa450edef68
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
interface.
(ssl_io_filter_input): For GETLINE mode, pull lines directly from
the char_buffer if possible, to avoid unnecessarily copying the
entire buffer once per invocation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@683283 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_io.c: Define new error codes in the APR status
code range, MODSSL_ERROR_BAD_GATEWAY and MODSSL_ERROR_HTTP_ON_HTTPS;
use these HTTP_* constants directly as apr_status_t values.
(ssl_io_filter_error): Use new constants.
(ssl_io_filter_handshake): Return purely an APR status value rather
than a mixture of HTTP_* constants, OpenSSL error codes, and APR
status values.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645549 13f79535-47bb-0310-9956-ffa450edef68
ssl_io_filter_init): Don't clear f->r here after adding connection
filters since ap_add_*_filter now guarantee to do it internally.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600477 13f79535-47bb-0310-9956-ffa450edef68
ssl_io_filter_connect since the function performs a handshake in
either client or server mode, not a "connect". No functional change.
(both callers updated)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592552 13f79535-47bb-0310-9956-ffa450edef68
in the post_read_request hook rather than in a filter, and fix the
filter insertion issue:
* modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
mostly moved from ssl_io_filter_Upgrade.
(ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
required.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
function.
(ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
pointer and pass to ap_add_*_filter to ensure the filter chain
is modified correctly; remove it from the filter afterwards.
(ssl_io_filter_register): Drop UPGRADE_FILTER registration.
* modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec
pointer, pass to ssl_io_filter_init.
(ssl_hook_pre_connection): Pass NULL request_rec pointer to above.
(ssl_hook_Insert_Filter): Remove function.
(ssl_register_hooks): Drop insert_filter hook.
* modules/ssl/ssl_private.h: Update prototypes.
PR: 41231
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592446 13f79535-47bb-0310-9956-ffa450edef68
renegotiation when an internal redirect occurs:
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Remove
protocol-level filters before inserting the buffering filter.
(ssl_io_filter_buffer): Return an EOS if invoked with an empty
brigade; do not remove the filter after exhausting the buffer.
(ssl_io_filter_buffer): Increase the type of the buffer filter to be
AP_FTYPE_PROTOCOL.
PR: 43738
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@591393 13f79535-47bb-0310-9956-ffa450edef68
