Transparency (RFC 6962) for httpd.
mod_ssl_ct requires OpenSSL 1.0.2 (in beta) and must be explicitly
enabled via configure.
Note that support/ctauditscts is purposefully not installed; it
does not properly function due to a dependency on a
certificate-transparency open source project tool which itself is
not sufficiently complete at this time.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588987 13f79535-47bb-0310-9956-ffa450edef68
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527295 13f79535-47bb-0310-9956-ffa450edef68
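Added example for the DH-parameter change in the commit above; this is not httpd code and not part of the commit. It builds a "DH PARAMETERS" PEM block of the kind that would be appended to the SSLCertificateFile, parses it back (PEM to DER to p and g), reports the prime size, checks that p is a safe prime, and mirrors the "pick a built-in group from the certificate key length" rule. The sample prime is the RFC 2409 1024-bit MODP group; the threshold table in `builtin_dh_bits` is my assumption about how the selection works, not taken from the page.

```python
"""Inspect the "DH PARAMETERS" block mod_ssl reads from SSLCertificateFile.

Added example, not httpd code.  Builds a PEM block, parses it back, checks
the prime, and models the built-in group selection by key length.
"""
import base64
import random
import re
import textwrap

# RFC 2409 section 6.2, 1024-bit MODP group ("Second Oakley Group"), g = 2.
RFC2409_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Standardized group sizes: RFC 2409 (1024) and RFC 3526 (2048..8192).
STANDARD_DH_GROUP_BITS = (1024, 2048, 3072, 4096, 6144, 8192)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:              # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def build_dh_pem(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_pem(pem: str):
    """Find the DH PARAMETERS block in a cert bundle; return (p, g) or None."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with fixed-seed witnesses (deterministic for the demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """A DH modulus should be a safe prime: p and (p-1)/2 both prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def builtin_dh_bits(key_bits: int) -> int:
    """Assumed rule: smallest standardized group at least as large as the
    certificate's RSA/DSA key, floor 1024, cap 8192."""
    for bits in STANDARD_DH_GROUP_BITS:
        if key_bits <= bits:
            return bits
    return STANDARD_DH_GROUP_BITS[-1]


def java7_compatible(dh_bits: int) -> bool:
    """Clients limited to 1024-bit DH (Java 7 and earlier) fail above that."""
    return dh_bits <= 1024


if __name__ == "__main__":
    pem = build_dh_pem(RFC2409_1024_P, 2)
    p, g = parse_dh_pem(pem)
    print(f"DH prime {p.bit_length()} bits, g={g}, safe prime: {is_safe_prime(p)}")
    for key_bits in (1024, 2048, 4096):
        dh = builtin_dh_bits(key_bits)
        print(f"{key_bits}-bit key -> {dh}-bit group, Java 7 ok: {java7_compatible(dh)}")
```

Usage: concatenate the output of `build_dh_pem` (or `openssl dhparam`) after the certificate in the file named by SSLCertificateFile to override the size-based default; run `parse_dh_pem` over that file to confirm which group a server actually serves before deciding whether 1024-bit-only clients need the FAQ workaround.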
[second try, supersedes r1385214]
Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).
Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.
Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.
Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1385216 13f79535-47bb-0310-9956-ffa450edef68
Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).
Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.
Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.
Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1385214 13f79535-47bb-0310-9956-ffa450edef68
Let's assume that if a system has the openssl dev headers installed in
the default location, it is very unlikely that crypto is forbidden in
the country that the system is located in.
If no ssl toolkit is found, disable mod_ssl instead of aborting.
The actual change is small; use 'diff -b' to review.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1150471 13f79535-47bb-0310-9956-ffa450edef68
via the MOD_XXX_LDADD variables.
Use APR_ADDTO instead of APR_SETVAR or direct
variable assignment.
This is especially useful when building mod_lua
or mod_deflate against a lua or libz, respectively,
which are installed in non-standard locations.
One can add "-R ..." to MOD_LUA_LDADD and
MOD_DEFLATE_LDADD before configure to fix
the RPATH/RUNPATH of those modules.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1142938 13f79535-47bb-0310-9956-ffa450edef68
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1032073 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645940 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured and the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@599385 13f79535-47bb-0310-9956-ffa450edef68
stop linking all of support/* against the SSL libraries:
* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.
* support/Makefile.in: Link ab against SSL_LIBS.
* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.
PR: 17217
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102870 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
data corruption bugs since being apr_rmm'ified.
* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.
* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.
* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.
* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.
* ssl_scache.c: Remove shmht hooks throughout.
* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101888 13f79535-47bb-0310-9956-ffa450edef68
Some additional work or research is required in order to pass the
perl-framework regressions, but I don't have the cycles and don't
care to leave the broken code in cvs HEAD.
REVERTING: wrowe 2003/05/19 08:13:19
Modified: modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
ssl_toolkit_compat.h
Log:
Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL.
Revision Changes Path
1.15 +0 -1 httpd-2.0/modules/ssl/config.m4
1.108 +1 -1 httpd-2.0/modules/ssl/ssl_engine_io.c
1.93 +1 -1 httpd-2.0/modules/ssl/ssl_engine_kernel.c
1.34 +0 -6 httpd-2.0/modules/ssl/ssl_toolkit_compat.h
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100004 13f79535-47bb-0310-9956-ffa450edef68
-SSL_set_state: macro in OpenSSL, might be a function in a patched sslc
-SSL_set_cert_store: patch submitted to OpenSSL, might be applied to
OpenSSL or sslc
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94223 13f79535-47bb-0310-9956-ffa450edef68
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91950 13f79535-47bb-0310-9956-ffa450edef68
many modules depend on it, so make the check an autoconf macro.
Note that this still isn't being checked "the autoconf way", but it
is better than what we have now.
I'm not sure about the -R stuff, but I am told that Solaris won't
build without it. This is something that should be tested using
AC_TRY_LINK rather than assuming openssl isn't already on the ld path.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89063 13f79535-47bb-0310-9956-ffa450edef68
places where people install upgraded software first, since otherwise
we will get the older versions installed by the OS distribution. That's
very bad for us because we are requiring a version of openssl that is
more recent than most of the Linux distros.
When finding the openssl helper program, check both the PATH and the default
install dirs, since openssl isn't normally included on a user's path.
Use APR_ADDTO to add to the make macros in order to avoid duplicates.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89053 13f79535-47bb-0310-9956-ffa450edef68