mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827992 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827924 13f79535-47bb-0310-9956-ffa450edef68
The logic in 'ap_request_has_body()' is:
has_body = (!r->header_only
&& (r->kept_body
|| apr_table_get(r->headers_in, "Transfer-Encoding")
|| ( (cls = apr_table_get(r->headers_in, "Content-Length"))
&& (apr_strtoff(&cl, cls, &estr, 10) == APR_SUCCESS)
&& (!*estr)
&& (cl > 0) )
)
);
So the test is slighly different from the original code. (but this looks fine to me)
This also has the advantage to avoid a redundant call to 'apr_table_get()' and to improve readability.
While at it, move the test '!r->expecting_100' a few lines above because it is cheap.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827374 13f79535-47bb-0310-9956-ffa450edef68
does not contain a colon before constructing Authorization header
for FakeBasicAuth mode. (Also constify 'user' variable.)
PR: 52644
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1815592 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
We also need to reset the X509_STORE_CTX's error in the callback to quiet
X509_V_ERR_UNABLE_TO_GET_CRL for the leaf certificate (caught by AH02010).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1737265 13f79535-47bb-0310-9956-ffa450edef68
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Reported/Proposed by: oknet on github, pull request #18.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
- The callback function passed to
SSL_CTX_sess_set_get_cb() now needs the
session id argument to be const.
So constify the session id.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735883 13f79535-47bb-0310-9956-ffa450edef68
- SRP_VBASE_get_by_user() is deprecated now,
one should use SRP_VBASE_get1_by_user()
instead. The new function returns a pointer
owned by the callee. It must be freed after
use.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1735877 13f79535-47bb-0310-9956-ffa450edef68
- Simplify code by using new 1.1.0 variant
also for older OpenSSL. Also tested with
1.0.2f and 0.9.8zh. No ssl test suite
failures.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731423 13f79535-47bb-0310-9956-ffa450edef68
- 1.1.0-pre3 was relesed
- remove pre2 comments which no longer apply
- one more struct has been made opaque, use
accessor function instead
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1731012 13f79535-47bb-0310-9956-ffa450edef68
- use SSL_peek instead of looping with
has_buffered_data().
This fixes t/security/CVE-2009-3555.t where
has_buffered_data() doesn't help, because it
finds the buffered data and doesn't call
SSL_read(), so the reneg handshake isn't
triggered. SSL_peek() for 0 bytes seems to
reliably trigger the reneg in every case.
No more polling/sleeping. The code for the
OpenSSL 1.1.0 case is now again very close to
the pre 1.1.0 case.
Still need to run the full test suite with a
clean build.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730316 13f79535-47bb-0310-9956-ffa450edef68
- Fix typo in loop end condition
This code will be removed next. Thex fix is
for the case we want to roll teh code back
to this state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1730314 13f79535-47bb-0310-9956-ffa450edef68
- improve renegotiation loop.
Should now also work in case only the
cipher changes.
Should now also work in case the handshake
ends with an error.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729498 13f79535-47bb-0310-9956-ffa450edef68
- partial support for renegotiations.
- Not a good design, need to poll until
renegotitation has finished.
- Loop criterion not right, if no client certs
will be send.
- Also doesn't work for EC or DH ciphers.
Unclear how to fix with current 1.1.0
API.
- Details see
http://marc.info/?t=145493359200002&r=1&w=2
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729341 13f79535-47bb-0310-9956-ffa450edef68
