Retrieve and set sslconn->client_cert here for both "modern" and
classic access control.
(ssl_hook_Access_classic, ssl_hook_Access_modern, ssl_hook_Access):
Restore SSLRequire and FakeBasicAuth checks to ssl_hook_Access so tests
are still applied for TLSv1.3.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1841218 13f79535-47bb-0310-9956-ffa450edef68
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1840585 13f79535-47bb-0310-9956-ffa450edef68
This is already forbidden by the protocol, enforced by OpenSSL, and the
current logic can't work (ssl_callback_Info() may be called multiple times
with TLS 1.3).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1833588 13f79535-47bb-0310-9956-ffa450edef68
to take SSLConnRec * out parameter rather than SSL *.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Use it here.
(ssl_hook_Fixup): Adjust use.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829263 13f79535-47bb-0310-9956-ffa450edef68
consistently.
* modules/ssl/ssl_util.c (modssl_request_is_tls): New function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Use it.
* modules/ssl/mod_ssl.c (ssl_hook_http_scheme, ssl_hook_default_port):
Use it.
PR: 61519
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829250 13f79535-47bb-0310-9956-ffa450edef68
SSLVerifyClient support for TLSv1.3 protocol now fails similarly to TLSv1.2 in my setups. (Read: I cannot get client certs to work, but I think this change is an improvement)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828720 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
The logic in 'ap_request_has_body()' is:
has_body = (!r->header_only
&& (r->kept_body
|| apr_table_get(r->headers_in, "Transfer-Encoding")
|| ( (cls = apr_table_get(r->headers_in, "Content-Length"))
&& (apr_strtoff(&cl, cls, &estr, 10) == APR_SUCCESS)
&& (!*estr)
&& (cl > 0) )
)
);
So the test is slighly different from the original code. (but this looks fine to me)
This also has the advantage to avoid a redundant call to 'apr_table_get()' and to improve readability.
While at it, move the test '!r->expecting_100' a few lines above because it is cheap.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827374 13f79535-47bb-0310-9956-ffa450edef68
does not contain a colon before constructing Authorization header
for FakeBasicAuth mode. (Also constify 'user' variable.)
PR: 52644
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1815592 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
We also need to reset the X509_STORE_CTX's error in the callback to quiet
X509_V_ERR_UNABLE_TO_GET_CRL for the leaf certificate (caught by AH02010).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737265 13f79535-47bb-0310-9956-ffa450edef68
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Reported/Proposed by: oknet on github, pull request #18.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
- The callback function passed to
SSL_CTX_sess_set_get_cb() now needs the
session id argument to be const.
So constify the session id.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735883 13f79535-47bb-0310-9956-ffa450edef68
- SRP_VBASE_get_by_user() is deprecated now,
one should use SRP_VBASE_get1_by_user()
instead. The new function returns a pointer
owned by the callee. It must be freed after
use.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735877 13f79535-47bb-0310-9956-ffa450edef68
- Simplify code by using new 1.1.0 variant
also for older OpenSSL. Also tested with
1.0.2f and 0.9.8zh. No ssl test suite
failures.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731423 13f79535-47bb-0310-9956-ffa450edef68
- 1.1.0-pre3 was relesed
- remove pre2 comments which no longer apply
- one more struct has been made opaque, use
accessor function instead
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731012 13f79535-47bb-0310-9956-ffa450edef68
- use SSL_peek instead of looping with
has_buffered_data().
This fixes t/security/CVE-2009-3555.t where
has_buffered_data() doesn't help, because it
finds the buffered data and doesn't call
SSL_read(), so the reneg handshake isn't
triggered. SSL_peek() for 0 bytes seems to
reliably trigger the reneg in every case.
No more polling/sleeping. The code for the
OpenSSL 1.1.0 case is now again very close to
the pre 1.1.0 case.
Still need to run the full test suite with a
clean build.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730316 13f79535-47bb-0310-9956-ffa450edef68
- Fix typo in loop end condition
This code will be removed next. Thex fix is
for the case we want to roll teh code back
to this state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730314 13f79535-47bb-0310-9956-ffa450edef68
