SSL_library_init() into the register hooks phase. OpenSSL_add_ssl_algorithms
devolves to SSL_library_init, which is the same for most toolkits (and would
be accommodated in ssl_toolkit_config.h if not.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100136 13f79535-47bb-0310-9956-ffa450edef68
Note that the entire schema of what-we-load-how follows from
OpenSSL 0.9.7's own apps/ example applications. More review
is greatly desired, but that's where I believed I should
start looking for the 'correct' order of operations.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100110 13f79535-47bb-0310-9956-ffa450edef68
the config cmd processors should be examining the SSL context. We must
initialize the SSL library before we can actually obtain any useful
information from the SSL library.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100107 13f79535-47bb-0310-9956-ffa450edef68
matter what. We now allow for the full range of APR mutex
locking mechanisms to be used, while maintaining backwards
compatibility.
PR: 8122
Reviewed by: William Rowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98771 13f79535-47bb-0310-9956-ffa450edef68
of the CRYPTO_malloc_init() which must happen the moment we load the
module and prior to *any* ssl library fn invocation.
Moved the CRYPTO_malloc_init() into the ssl_register_hooks() function,
the absolute first call made into any loaded module.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98252 13f79535-47bb-0310-9956-ffa450edef68
SSLEngine upgrade so that we can begin and continue to support these
facilities. This makes it simpler to keep this effort (while we have
no known clients that support Connection: upgrade at this time), and
begin refactoring more of SSL into smaller and tighter (and then optional)
components.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97913 13f79535-47bb-0310-9956-ffa450edef68
ssl_abort into what was ssl_hook_CloseConnection, clean out a bunch of
now-static or private headers from mod_ssl.h, and finally fix a very small
but potent segfault if ->pssl is destroyed within our read loop.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97411 13f79535-47bb-0310-9956-ffa450edef68
Also, uncomment a line of code that the last commit should have uncommented.
Randall found this line and the fix, but I forgot to uncomment this line
along with the fix.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97179 13f79535-47bb-0310-9956-ffa450edef68
The issue is that ssl_log doesn't handle apr_status_t result codes. This
leads to a number of places (esp. with mutexes) where the error codes get
lost. Rather than extending ssl_log further, since mod_ssl is part of
our core, migrate to ap_log_error. This means that mod_ssl no longer
does its own logging.
Most uses of SSL_ADD_ERRNO are now mapped correctly to apr_status_t values
(mainly because the APIs that used to return errnos are now APRized and
have apr_status_t codes available).
SSL_LOG_TRACE and SSL_LOG_DEBUG were mapped to the APLOG_DEBUG values.
mod_ssl prints out a LOT of debugging information, so mod_ssl with LogLevel
Debug may not be a good idea - perhaps mod_ssl should be less chatty.
Numerous printf type collisions were also resolved.
(The ssl logging code itself will be removed in a subsequent commit.)
This has been discussed on dev@httpd, but the fact that there isn't
much to review besides the mindless changes, I'm going to commit now
and rely on CTR if I screwed up anything on the translation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95127 13f79535-47bb-0310-9956-ffa450edef68
ssl_log_ssl_error() function that wraps ap_log_error instead.
This begins the migration from ssl_log() -> ap_log_error(). Divorcing
ourselves from the SSL_ADD_SSLERR option is required to make the next
pass easier.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95122 13f79535-47bb-0310-9956-ffa450edef68
Reviewed by: Ryan Bloom
ap_remove_output_filter no longer works for connection filters.
change logic in the case of "HTTP spoken on HTTPS port" to disable the
ssl filters rather than attempt to remove the filters.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94393 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl because the SSL_CTX was created and configured for *every*
request. unlike in 2.0 where we configure the proxy SSL_CTX at
startup time, which is much better for performance. but we don't want
to configure a proxy context for every vhost if it isn't going to be
used, for the same reasons we don't create a server context for every
vhost unless SSLEngine is on.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94314 13f79535-47bb-0310-9956-ffa450edef68
+ modssl_pk_server_t - certs/keys for the server
+ modssl_pk_proxy_t - certs/keys for the proxy
+ modssl_auth_ctx_t - stuff related to authentication that can also
  be per-dir, used by both server and proxy
+ modssl_ctx_t - context that can be used by both server and proxy
+ SSLSrvConfigRec - now contains original stuff specific to the
  server config and modssl_ctx_t *server, *proxy
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94267 13f79535-47bb-0310-9956-ffa450edef68
as the 1.x based module does, since the function is not thread-safe.
a patch has been submitted to OpenSSL to support SSL_set_cert_store
which is thread safe. this feature is enabled by default in the
current 1.x based module, we only enable it if the SSL_set_cert_store
function is available.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94179 13f79535-47bb-0310-9956-ffa450edef68
This is the directive handling commit only, the mechanics patch will
follow. PassPhraseDialog "|/path/to/pipe" will use the bidirectional
pipe to have a 'conversation', along the lines of the tty dialog with
PassPhraseDialog 'builtin'. This is entirely different than the 'exec'
method, which simply runs once for each passphrase, and doesn't allow
for failure/retries, and certainly doesn't offer any sensible 'dialog'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93606 13f79535-47bb-0310-9956-ffa450edef68
achieved with the pre_connection hook. I have added the socket to the
pre_connection phase to make this possible.
Reviewed by: Bill Stoddard
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93259 13f79535-47bb-0310-9956-ffa450edef68
is happening. so avoid calling that unless needed and just stash a
pointer to the client cert for the boolean checks that the client
provided a cert.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92240 13f79535-47bb-0310-9956-ffa450edef68
change ap_md5() call in ssl_hook_pre_connection() to ap_md5_binary()
that uses the precalculated sc->nVHostID_length to avoid a strlen() call.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92216 13f79535-47bb-0310-9956-ffa450edef68
request time by calling it at startup time and saving the value in the
SSLSrvConfigRec.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92215 13f79535-47bb-0310-9956-ffa450edef68
since we know the string returned by ap_md5() will always be that length
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92213 13f79535-47bb-0310-9956-ffa450edef68
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92113 13f79535-47bb-0310-9956-ffa450edef68
note: may actually be removed unless somebody can figure out why it is in
there to begin with
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92111 13f79535-47bb-0310-9956-ffa450edef68