in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653997 13f79535-47bb-0310-9956-ffa450edef68
The issue with r1653906 is that existing configurations like
"SSLProtocol -SSLv3" (where the default is assumed to be ALL)
won't work anymore.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1653993 13f79535-47bb-0310-9956-ffa450edef68
It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).
Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.
As long as we do not have a nice key management
there should be a way to deactivate session
tickets.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650310 13f79535-47bb-0310-9956-ffa450edef68
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650047 13f79535-47bb-0310-9956-ffa450edef68
The hard-coded 2 byte offset to get to the list (in lieu of
the proper logic) didn't survive the addition of the SCT
from an additional log.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645546 13f79535-47bb-0310-9956-ffa450edef68
return an error code understood by ssl_io_filter_error().
That function needs to perform error handling, and a valid
apr_status_t needs to be returned up.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645529 13f79535-47bb-0310-9956-ffa450edef68
When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and make SSL_do_handshake crash probably because we force the renegotiation
based on an incomplete SSL state.
To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given
SSL connection is not in a valid (handshaken) state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1641095 13f79535-47bb-0310-9956-ffa450edef68
SSLSessionCache are used and SSL session is resumed. SSL_CLIENT_VERIFY value
has been set to SUCCESS on resumption even when originally it was set to
GENEROUS. PR 53193.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1633085 13f79535-47bb-0310-9956-ffa450edef68
(e.g., as of certificate-transparency commit
3f03188fe89974d45345fddee64a8227bd2ec26a)
The interface to the "ct" tool now requires the log's URL and
public key, resulting in a bit of refactoring in the module.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1630624 13f79535-47bb-0310-9956-ffa450edef68
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).
* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
ssl_stapling_certid_free (used with apr_pool_cleanup_register).
Switch to a stapling_certinfo hash which is keyed by the SHA-1
digest of the certificate's DER encoding, rework ssl_stapling_init_cert
to only store info once per certificate (allocated from the pconf
to the extent possible) and extend the logging.
* modules/ssl/ssl_private.h: adjust prototype for
ssl_stapling_init_cert, replace ssl_stapling_ex_init with
ssl_stapling_certinfo_hash_init
* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls
Based on initial work by Alex Bligh <alex alex.org.uk>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1629372 13f79535-47bb-0310-9956-ffa450edef68
Add API to support TLS channel bindings with mod_ssl.
* modules/ssl/mod_ssl.h: Define ssl_get_tls_cb.
* modules/ssl/ssl_engine_vars.c (ssl_get_tls_cb): New function.
Submitted by: Simo Sorce <simo redhat.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1620927 13f79535-47bb-0310-9956-ffa450edef68
Refactor some lines to keep APLOGNO on the same line as ap_log_error, when applicable.
Split lines longer than 80.
Improve alignment.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1612068 13f79535-47bb-0310-9956-ffa450edef68
No change in generated code because MODULE_MAGIC_NUMBER is defined as:
#define MODULE_MAGIC_NUMBER MODULE_MAGIC_NUMBER_MAJOR
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1611871 13f79535-47bb-0310-9956-ffa450edef68
if these checks detect a problem, the checks shouldn't return an
error again when processing an ErrorDocument redirect for the
original problem.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1609914 13f79535-47bb-0310-9956-ffa450edef68
and adjust selection logic to prefer use of larger not smaller keys.
(init_dh_params, free_dh_params, modssl_get_dh_params): Use array of
structs to store and initialize DH parameters up to 8192-bit.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1605827 13f79535-47bb-0310-9956-ffa450edef68
minor) race and leaks:
* modules/ssl/ssl_engine_init.c (make_dh_params): Moved/rejigged
variant of make_get_dh() macro.
(init_dh_params, free_dh_params): New functions.
(modssl_get_dh_params): Split out from ssl_callback_TmpDH.
(ssl_init_Module, ssl_init_ModuleKill): Use new init_/free_.
* modules/ssl/ssl_engine_kernel.c: Moved out DH parameter handling.
(ssl_callback_TmpDH): Use modssl_get_dh_params.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1598107 13f79535-47bb-0310-9956-ffa450edef68
SSL_CTX_set_tmp_dh_callback though once generated as we leak
memory otherwise and freeing the structure up after use would be
hard to track and in fact is not needed at all as it is safe to
use the same parameters over and over again security wise (in
contrast to the keys itself) and code safe as the returned structure
is duplicated by OpenSSL anyway. Hence no modification happens
to our copy.
Observed by: rjung
Reviewed by: kbrand
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1597349 13f79535-47bb-0310-9956-ffa450edef68
