several stages of initialization and connection handling. See
mod_ssl_openssl.h.
This is enough to allow implementation of Certificate Transparency
outside of mod_ssl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1587607 13f79535-47bb-0310-9956-ffa450edef68
- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
be trivially converted to a file for use with SSLCertificateChainFile
(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
call missing from modssl_ctx_cfg_merge
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1544784 13f79535-47bb-0310-9956-ffa450edef68
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1526168 13f79535-47bb-0310-9956-ffa450edef68
hooks API and inter-module hard linkage:
* modules/ssl/mod_ssl.h: Remove NPN hooks, add "modssl_register_npn"
optional function and callback function type declarations for
ssl_npn_advertise_protos, ssl_npn_proto_negotiated.
* modules/ssl/mod_ssl.c: Drop hooks.
(modssl_register_npn): New optional function implementation.
(ssl_register_hooks): Register it.
* modules/ssl/ssl_private.h (SSLConnRec): Add npn_advertfns,
npn_negofns array fields.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
Replace use of hook API with array iteration.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Likewise.
Reviewed by: Matthew Steele <mdsteele google.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1487772 13f79535-47bb-0310-9956-ffa450edef68
We intentionally add uninitialized stack memory. To avoid warnings,
make valgrind believe that the memory is defined.
Add configure option to enable valgrind support
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1442307 13f79535-47bb-0310-9956-ffa450edef68
(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425874 13f79535-47bb-0310-9956-ffa450edef68
- drop the SSLTicketKeyDefault directive, and only support a single
ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1213380 13f79535-47bb-0310-9956-ffa450edef68
* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1200040 13f79535-47bb-0310-9956-ffa450edef68
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1165056 13f79535-47bb-0310-9956-ffa450edef68
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1032073 13f79535-47bb-0310-9956-ffa450edef68
containers:
'ssl' (equivalent to SSLRequireSSL)
'ssl-verify-client' (for use with 'SSLVerifyClient optional')
'ssl-require' (expressions with same syntax as SSLRequire)
We may decide to axe 'ssl-require' again in favor of the generic 'expr'
provider, depending on the development of the ap_expr parser.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002837 13f79535-47bb-0310-9956-ffa450edef68
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'.
PR: 46270
Submitted by: Dr Stephen Henson <steve openssl.org>, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@925980 13f79535-47bb-0310-9956-ffa450edef68
default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead.
Some existing modules, such as mod_ldap and mod_auth_digest gain
configurability for their mutexes.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@883540 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
CRYPTO_cleanup_all_ex_data here, fixing a per-connection memory leak
which occurs if the client indicates support for a compression
algorithm in the initial handshake, and mod_ssl is linked against
OpenSSL >= 0.9.8f.
Thanks to Amund Elstad and Dr Stephen Henson for analysis of this
issue.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@654119 13f79535-47bb-0310-9956-ffa450edef68
Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645940 13f79535-47bb-0310-9956-ffa450edef68
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@644525 13f79535-47bb-0310-9956-ffa450edef68
