engine.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1831168 13f79535-47bb-0310-9956-ffa450edef68
to cache serialized EVP_PKEYs not any char * blobs), and document.
* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
serialize internally. Use ap_realloc. Return the ssl_asn1_t *
pointer. Don't call apr_hash_set() for unchanged pointer case.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Adjust for the above.
* modules/ssl/ssl_private.h: Adjust as above, add docs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1830927 13f79535-47bb-0310-9956-ffa450edef68
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.
* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.
Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1830819 13f79535-47bb-0310-9956-ffa450edef68
to take SSLConnRec * out parameter rather than SSL *.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Use it here.
(ssl_hook_Fixup): Adjust use.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829263 13f79535-47bb-0310-9956-ffa450edef68
consistently.
* modules/ssl/ssl_util.c (modssl_request_is_tls): New function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Use it.
* modules/ssl/mod_ssl.c (ssl_hook_http_scheme, ssl_hook_default_port):
Use it.
PR: 61519
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1829250 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: heavily simplified SSLPolicy. No more user defines, no propxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827561 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
- The callback function passed to
SSL_CTX_sess_set_get_cb() now needs the
session id argument to be const.
So constify the session id.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735883 13f79535-47bb-0310-9956-ffa450edef68
- use SSL_peek instead of looping with
has_buffered_data().
This fixes t/security/CVE-2009-3555.t where
has_buffered_data() doesn't help, because it
finds the buffered data and doesn't call
SSL_read(), so the reneg handshake isn't
triggered. SSL_peek() for 0 bytes seems to
reliably trigger the reneg in every case.
No more polling/sleeping. The code for the
OpenSSL 1.1.0 case is now again very close to
the pre 1.1.0 case.
Still need to run the full test suite with a
clean build.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730316 13f79535-47bb-0310-9956-ffa450edef68
The old compatibility macro check no longer works,
because those are now actual functions, so an
ifndef is not the correct check.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729435 13f79535-47bb-0310-9956-ffa450edef68
Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to
process_connection hook (r1709602) along with H2Direct speculative read.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1715023 13f79535-47bb-0310-9956-ffa450edef68
APR_HAVE_foo is checked via #if, not #ifdef (since it should always be
defined, to either 0 or 1)
This fixes a compile error on Windows introduced by r1702948
as well as straightens up two long-time glitches.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1706595 13f79535-47bb-0310-9956-ffa450edef68
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh".
Not mentioned in CHANGES:
Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it. (A further, unrelated
code change to mod_ssl is required to allow the use of memcache
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1679032 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
modssl_register_npn optional function and related declarations.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
no longer set NPN advertisement callback.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
NPN handling.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
remove callback.
* modules/ssl/ssl_private.h: remove NPN prototypes, set
HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.
Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.
Previous commits related to NPN and ALPN, for reference purposes:
r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness
(plus some minor tweaks: r1670578, r1670440, r1670578,
r1670738, r1675459, and r1675549)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676004 13f79535-47bb-0310-9956-ffa450edef68
