- Simplify code by using new 1.1.0 variant
also for older OpenSSL. Also tested with
1.0.2f and 0.9.8zh. No ssl test suite
failures.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731423 13f79535-47bb-0310-9956-ffa450edef68
- 1.1.0-pre3 was relesed
- remove pre2 comments which no longer apply
- one more struct has been made opaque, use
accessor function instead
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731012 13f79535-47bb-0310-9956-ffa450edef68
- use SSL_peek instead of looping with
has_buffered_data().
This fixes t/security/CVE-2009-3555.t where
has_buffered_data() doesn't help, because it
finds the buffered data and doesn't call
SSL_read(), so the reneg handshake isn't
triggered. SSL_peek() for 0 bytes seems to
reliably trigger the reneg in every case.
No more polling/sleeping. The code for the
OpenSSL 1.1.0 case is now again very close to
the pre 1.1.0 case.
Still need to run the full test suite with a
clean build.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730316 13f79535-47bb-0310-9956-ffa450edef68
- Fix typo in loop end condition
This code will be removed next. Thex fix is
for the case we want to roll teh code back
to this state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730314 13f79535-47bb-0310-9956-ffa450edef68
- improve renegotiation loop.
Should now also work in case only the
cipher changes.
Should now also work in case the handshake
ends with an error.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729498 13f79535-47bb-0310-9956-ffa450edef68
- partial support for renegotiations.
- Not a good design, need to poll until
renegotitation has finished.
- Loop criterion not right, if no client certs
will be send.
- Also doesn't work for EC or DH ciphers.
Unclear how to fix with current 1.1.0
API.
- Details see
http://marc.info/?t=145493359200002&r=1&w=2
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729341 13f79535-47bb-0310-9956-ffa450edef68
the SSLVerifyDepth applied with the default/handshaken vhost differs from
the one applicable with the finally selected vhost.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1684171 13f79535-47bb-0310-9956-ffa450edef68
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677143 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
modssl_register_npn optional function and related declarations.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
no longer set NPN advertisement callback.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
NPN handling.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
remove callback.
* modules/ssl/ssl_private.h: remove NPN prototypes, set
HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.
Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.
Previous commits related to NPN and ALPN, for reference purposes:
r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness
(plus some minor tweaks: r1670578, r1670440, r1670578,
r1670738, r1675459, and r1675549)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676004 13f79535-47bb-0310-9956-ffa450edef68
More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never
return an HTTP error status from a handler if some filter generated a response
already.
That is, from a handler, either ap_get_brigade() (an input filter) returned
AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an
output filter) failed with any status and we must return AP_FILTER_ERROR in
any case for ap_die() to determine whether a response is needed or not.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1665625 13f79535-47bb-0310-9956-ffa450edef68
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650047 13f79535-47bb-0310-9956-ffa450edef68
When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and make SSL_do_handshake crash probably because we force the renegotiation
based on an incomplete SSL state.
To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given
SSL connection is not in a valid (handshaken) state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
