in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653997 13f79535-47bb-0310-9956-ffa450edef68
The issue with r1653906 is that existing configurations like
"SSLProtocol -SSLv3" (where the default is assumed to be ALL)
won't work anymore.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653993 13f79535-47bb-0310-9956-ffa450edef68
It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).
Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.
As long as we do not have a nice key management
there should be a way to deactivate session
tickets.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650310 13f79535-47bb-0310-9956-ffa450edef68
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650047 13f79535-47bb-0310-9956-ffa450edef68
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).
* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
ssl_stapling_certid_free (used with apr_pool_cleanup_register).
Switch to a stapling_certinfo hash which is keyed by the SHA-1
digest of the certificate's DER encoding, rework ssl_stapling_init_cert
to only store info once per certificate (allocated from the pconf
to the extent possible) and extend the logging.
* modules/ssl/ssl_private.h: adjust prototype for
ssl_stapling_init_cert, replace ssl_stapling_ex_init with
ssl_stapling_certinfo_hash_init
* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls
Based on initial work by Alex Bligh <alex alex.org.uk>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1629372 13f79535-47bb-0310-9956-ffa450edef68
minor) race and leaks:
* modules/ssl/ssl_engine_init.c (make_dh_params): Moved/rejigged
variant of make_get_dh() macro.
(init_dh_params, free_dh_params): New functions.
(modssl_get_dh_params): Split out from ssl_callback_TmpDH.
(ssl_init_Module, ssl_init_ModuleKill): Use new init_/free_.
* modules/ssl/ssl_engine_kernel.c: Moved out DH parameter handling.
(ssl_callback_TmpDH): Use modssl_get_dh_params.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1598107 13f79535-47bb-0310-9956-ffa450edef68
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1584098 13f79535-47bb-0310-9956-ffa450edef68
also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1563417 13f79535-47bb-0310-9956-ffa450edef68
- add documentation
- clear the error queue before executing the next SSL_CONF_cmd
- if needed, configure OCSP stapling after a "Certificate" command
- ifdef ssl_cmd_SSLOpenSSLConfCmd in ssl_private.h
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1555464 13f79535-47bb-0310-9956-ffa450edef68
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:
ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
and keys (in theory; currently OpenSSL does not support more than
one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile
ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx
ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
make it only load a single (encrypted) private key, and rename
to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
instead of the vhost id and the algorithm name
- do no longer supply the algorithm name as an argument to "exec"-type
passphrase prompting programs
ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
and ssl_asn1_table_keyfmt
ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1553824 13f79535-47bb-0310-9956-ffa450edef68
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1546804 13f79535-47bb-0310-9956-ffa450edef68
- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
be trivially converted to a file for use with SSLCertificateChainFile
(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
call missing from modssl_ctx_cfg_merge
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1544784 13f79535-47bb-0310-9956-ffa450edef68
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527295 13f79535-47bb-0310-9956-ffa450edef68
- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers
for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527291 13f79535-47bb-0310-9956-ffa450edef68
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1526168 13f79535-47bb-0310-9956-ffa450edef68
hooks API and inter-module hard linkage:
* modules/ssl/mod_ssl.h: Remove NPN hooks, add "modssl_register_npn"
optional function and callback function type declarations for
ssl_npn_advertise_protos, ssl_npn_proto_negotiated.
* modules/ssl/mod_ssl.c: Drop hooks.
(modssl_register_npn): New optional function implementation.
(ssl_register_hooks): Register it.
* modules/ssl/ssl_private.h (SSLConnRec): Add npn_advertfns,
npn_negofns array fields.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
Replace use of hook API with array iteration.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Likewise.
Reviewed by: Matthew Steele <mdsteele google.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1487772 13f79535-47bb-0310-9956-ffa450edef68
We intentionally add uninitialized stack memory. To avoid warnings,
make valgrind believe that the memory is defined.
Add configure option to enable valgrind support
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1442307 13f79535-47bb-0310-9956-ffa450edef68
(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425874 13f79535-47bb-0310-9956-ffa450edef68
- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl
version
- rename rv variable
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1348653 13f79535-47bb-0310-9956-ffa450edef68
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1222917 13f79535-47bb-0310-9956-ffa450edef68
- drop the SSLTicketKeyDefault directive, and only support a single
ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1213380 13f79535-47bb-0310-9956-ffa450edef68
* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1200040 13f79535-47bb-0310-9956-ffa450edef68
Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name
to an RFC 2253 formatted string.
Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1172797 13f79535-47bb-0310-9956-ffa450edef68
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1165056 13f79535-47bb-0310-9956-ffa450edef68
