* mod_ssl_openssl.h:
Make it the first openssl to be included openssl header, selecting the
OpenSSL api based on OPENSSL_API_COMPAT eventually.
* ssl_private.h;
Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting EGINE_ API)
before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
new "providers" api before the ENGINE_ api is abandonned..).
mod_ssl.h is now implicitely included from there.
Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
engine features are disabled, only "builtin" is accepted).
Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
above, so it might not be implemenentedain httpd anymore at some point..).
Define X509_get_not{Before,After} if missing to the non deprecated version.
New modssl_set_io_callbacks() to factorize compat code for io callbacks.
ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
modssl_dh_pkey_from_file() for openssl >= 3.0.
* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
Including "ssl_private.h" only is suited/enough now.
* mod_ssl_ct.c, ssl_ct_log_config:
Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.
* ssl_engine_init:
New compat modssl_runtime_lib_version() to address deprecated SSLeay().
ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
Compat loading DH parameters and EC curve from cert.
* ssl_engine_io.c, ssl_engine_kernel.c:
Implement common modssl_set_io_callbacks() and use it.
* ssl_engine_pphrase(modssl_load_engine_keypair):
Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
* ssl_util.c(modssl_is_engine_id):
No engine supported unless MODSSL_HAVE_ENGINE_API.
* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
Compat with openssl >= 3.0.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
- removed no longer needed (char*) casts when looking
up ssl variables.
- move 'goto cleanup;' on separate source line
- fixed check for wrong optional function in ap_run_ssl_var_lookup
- remove ap_bytes_t again from httpd.h and passes now ocsp
identifier as separate const char* and apr_size_t. This
follows more how such data is passed in the rest of the
server.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889009 13f79535-47bb-0310-9956-ffa450edef68
allows modules to access and provide OCSP response data without being tied
of each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independant of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certficates or none.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
for OpenSSL < 1.1.
* modules/ssl/ssl_engine_kernel.c (modssl_set_cert_info):
* modules/ssl/ssl_util_stapling.c (stapling_get_issuer):
Use the above macros for all OpenSSL versions.
Github: closes#104
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875702 13f79535-47bb-0310-9956-ffa450edef68
out an OCSP response that can't be parsed.
If the crypto/ASN library can't parse a response as 'basic OCSP'
even if it leads with a OCSP successful status, then don't pass it
to the client. There is nothing to say at all it isn't just garbage.
And if other types of messages are standardized they can be added.
PR: 60182
Obtained from: e72154c75d.diff
Submitted by: <gmoniker@gmail.com>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875356 13f79535-47bb-0310-9956-ffa450edef68
Certificate Revoked messages.
Certificate Revoked Responder messages don't belong to 'error' class.
When the server receives one, it MUST be passed on to the client.
And stored for the normal period of basic responses.
Also don't log an error each time it is retrieved from cache,
only once when it is retrieved from the OCSP responder.
PR: 60182
Obtained from: 7db9795f45.diff
Submitted by: <gmoniker@gmail.com>
Reviewed by: rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875355 13f79535-47bb-0310-9956-ffa450edef68
The OCSP_RESPONSE is either ignored or serialized (i2d_OCSP_RESPONSE) in the
TLS response/handshake extension, so it must be freed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874577 13f79535-47bb-0310-9956-ffa450edef68
The OCSP_RESPONSE is either ignored or serialized (i2d_OCSP_RESPONSE) in the
TLS response/handshake extension, so it must be freed.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874574 13f79535-47bb-0310-9956-ffa450edef68
* chaning type parameter to openssl types
* adding explanation of return value in get_stapling_status()
* adding array element description for add_cert_files and add_fallback_cert_files hooks
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862823 13f79535-47bb-0310-9956-ffa450edef68
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1862384 13f79535-47bb-0310-9956-ffa450edef68
* For the time being keep on caching OCSP_RESPONSE_STATUS_TRYLATER. The effect can be limited by setting SSLStaplingErrorCacheTimeout.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1798460 13f79535-47bb-0310-9956-ffa450edef68
"686: warning: 'ok' may be used uninitialized in
this function"
This is a false positive, because the value of "ok"
will only be used if stapling_get_cached_response()
sets "rsp" to non-NULL in which case it will always
have set "ok".
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1775173 13f79535-47bb-0310-9956-ffa450edef68
The old compatibility macro check no longer works,
because those are now actual functions, so an
ifndef is not the correct check.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729435 13f79535-47bb-0310-9956-ffa450edef68
staple responses with certificate status "good". Also avoids including
inaccurate responses when the OCSP responder is not completely up
to date in terms of the CA-issued certificates (and provides interim
"unknown" or "extended revoked" [RFC 6960] status replies).
Log a certificate status other than "good" in stapling_check_response().
Propagate the "ok" status from stapling_check_response() back via both
stapling_renew_response() and get_and_check_cached_response() to the
callback code in stapling_cb(), enabling the decision whether to include
or skip the response.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1711728 13f79535-47bb-0310-9956-ffa450edef68
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh".
Not mentioned in CHANGES:
Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it. (A further, unrelated
code change to mod_ssl is required to allow the use of memcache
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1679032 13f79535-47bb-0310-9956-ffa450edef68
one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1641095 13f79535-47bb-0310-9956-ffa450edef68
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).
* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
ssl_stapling_certid_free (used with apr_pool_cleanup_register).
Switch to a stapling_certinfo hash which is keyed by the SHA-1
digest of the certificate's DER encoding, rework ssl_stapling_init_cert
to only store info once per certificate (allocated from the pconf
to the extent possible) and extend the logging.
* modules/ssl/ssl_private.h: adjust prototype for
ssl_stapling_init_cert, replace ssl_stapling_ex_init with
ssl_stapling_certinfo_hash_init
* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls
Based on initial work by Alex Bligh <alex alex.org.uk>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1629372 13f79535-47bb-0310-9956-ffa450edef68
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1222917 13f79535-47bb-0310-9956-ffa450edef68
Remove some log message tags from ap_log_* calls that log lots of
different error messages, in particular the config parsing errors.
Not sure how we should handle those.
ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1210252 13f79535-47bb-0310-9956-ffa450edef68
