containers:
'ssl' (equivalent to SSLRequireSSL)
'ssl-verify-client' (for use with 'SSLVerifyClient optional')
'ssl-require' (expressions with same syntax as SSLRequire)
We may decide to axe 'ssl-require' again in favor of the generic 'expr'
provider, depending on the development of the ap_expr parser.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002837 13f79535-47bb-0310-9956-ffa450edef68
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'.
PR: 46270
Submitted by: Dr Stephen Henson <steve openssl.org>, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@925980 13f79535-47bb-0310-9956-ffa450edef68
default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead.
Some existing modules, such as mod_ldap and mod_auth_digest gain
configurability for their mutexes.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@883540 13f79535-47bb-0310-9956-ffa450edef68
Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.
Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
(ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
the (renamed) info callback unconditionally.
* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
to SSLConnRec.
(bio_filter_out_write, bio_filter_in_read): Fail with
APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
of ssl_callback_LogTracingState.
(ssl_callback_Info): New function.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833582 13f79535-47bb-0310-9956-ffa450edef68
I added a few more fixes, and there are still more that might
need a doxygen expert.
PR: 48061
Submitted by: Brad Hards
Reviewed by: poirier
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@830527 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
modssl_dispatch_ocsp_request): Take timeout as argument, as pass through.
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Pass server timeout
to modssl_dispatch_ocsp_request.
Submitted by: Dr Stephen Henson <shenson oss-institute.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@815719 13f79535-47bb-0310-9956-ffa450edef68
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
of integral parts which share global variables, functions, and macros
with the rest of httpd.
Converted now:
prefork, worker, event, simple, WinNT*
*WinNT hasn't been built or tested, and relies on a hack to include the
WinNT mpm.h to disable Unixy MPM support routines in mpm_common.c
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757853 13f79535-47bb-0310-9956-ffa450edef68
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
DNs with duplicate tags:
* modules/ssl/ssl_engine_vars.c:
Augment the ssl_var_lookup_ssl_cert_dn_rec table with a flag
to indicate whether RDNs of the given NID should be extracted
to the environment.
(extract_dn, modssl_var_extract_dns): New functions.
* modules/ssl/ssl_private.h (modssl_var_extract_dns): Add prototype.
* modules/ssl/ssl_engine_kernel.c: Remove SSL_*_DN_ from the list
of variables to insert into the environment.
(ssl_hook_Fixup): Use modssl_var_extract_dns to insert the
SSL_*_DN_ variables efficiently and accurately, handling
certs with duplicate RDN tags correctly.
PR: 45875
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@724717 13f79535-47bb-0310-9956-ffa450edef68
Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645940 13f79535-47bb-0310-9956-ffa450edef68
Clean up provider interface, removing use of mod_ssl-specific types:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Replace BOOL
with apr_status_t, UCHAR with unsigned char; use 'unsigned int' for
idlen; constify id arguments; remove pool argument from ->status.
* modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_memcache,
modules/ssl/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Update
accordingly.
* modules/ssl/ssl_scache.c (ssl_scache_retrieve, ssl_scache_store):
Adjust for BOOL->apr_status_t change.
(ssl_ext_status_hook): Update for dropped pool argument.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@633526 13f79535-47bb-0310-9956-ffa450edef68
Move mutex handling up out of the session cache providers:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add name and
flags fields. Define MODSSL_SESSCACHE_FLAG_NOTMPSAFE constant.
* modules/ssl/ssl_scache.c (ssl_scache_store, ssl_scache_retrieve,
ssl_scache_remove, ssl_ext_status_hook): Lock and release the mutex
around provider calls, if necessary.
* modules/ssl/ssl_engine_mutex.c (ssl_mutex_init): Do nothing if no
session cache is configured, or the session cache does not require a
mutex. Otherwise, fail if no mutex is configured and the session
cache *does* require a mutex.
(ssl_mutex_on, ssl_mutex_off): Remove checks for mutex mode;
functions now invoked only if necessary.
* modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_memcache: Set
name and flags fields in provider structures.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Remove
mutex handling through; set name and flags fields in provider
structures; mark both as unsafe for concurrent access in flags.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@631297 13f79535-47bb-0310-9956-ffa450edef68
Use the ap_provider interface for session cache storage providers.
* modules/ssl/mod_ssl.c (modssl_register_scache): New function.
(ssl_register_hooks): Call it.
* modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP
and MODSSL_SESSCACHE_PROVIDER_VERSION constants.
Remove ssl_scmode_t type. Change nSessionCacheMode in
SSLModConfigRec into a long sesscache_mode, storing the OpenSSL
SSL_SESS_CACHE_* flags directly.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set
sesscache_mode to SSL_SESS_CACHE_OFF by default.
(ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured
session cache by provider name. Set mc->sesscache_mode for
configured providers.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the
configured mode flags directly from mc->sesscache_mode.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@631000 13f79535-47bb-0310-9956-ffa450edef68
Move provider-specific configuration handling down into the provider
code. Eliminate all use of SSLModConfigRec within provider code.
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add 'create'
function which creates and configures the cache provider, before
initialisation. Change 'init' function to take the context pointer
as an input parameter, and reorder to be first.
* modules/ssl/ssl_scache.c (ssl_scache_init): Adjust accordingly.
* modules/ssl/ssl_scache_memcache.c (struct context): Add servers
field.
(ssl_scache_mc_create): New function.
(ssl_scache_mc_init): Use servers from context not SSLModConfigRec.
* modules/ssl/ssl_scache_dbm.c (struct context): Define.
(ssl_scache_dbm_create): New function.
(ssl_scache_dbm_init, ssl_scache_dbm_kill): Adjust to use filename
and pool from context.
(ssl_scache_dbm_store, ssl_scache_dbm_retrieve,
ssl_scache_dbm_status): Use filename from context. Use context pool
for temp storage of the DBM object, and clear before use.
(ssl_scache_dbm_expire): Remove static tLast; use last_expiry from
context. Use context pool for temp storage and clear before use.
* modules/ssl/ssl_scache_dc.c (struct context): Add target field.
(ssl_scache_dc_init, ssl_scache_dc_status): Use target from context.
* modules/ssl/ssl_scache_shmcb.c (struct context): Add data_file,
shm_size fields.
(ssl_scache_shmcb_create): New function; moved argument parsing
logic from ssl_cmd_SSLSessionCache
(ssl_scache_shmcb_init, ssl_scache_shmcb_status): Use config from
context.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Remove
handling of old provider-specific fields.
(ssl_cmd_SSLSessionCache): Call provider ->create function to parse
the argument and create provider-specific context structure.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630974 13f79535-47bb-0310-9956-ffa450edef68
Move provider-private context out of SSLModConfigRec and into an
opaque context pointer. Use real error propagation in the ->init
functions rather than ssl_die().
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Take a
context out-parameter from ->init, and return an apr_status_t.
Add context pointer as first arg for the other function types.
(SSLModConfigRec): Remove tSessionCacheData* fields; add
sesscache_context field.
* modules/ssl/ssl_scache.c (ssl_scache_init): Move once-per-process
invocation check back into here.
(ssl_scache_*): Adjust to use context pointer.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_dc.c,
modules/ssl/ssl_scache_dbm.c: Adjust all implementations to use
opaque context pointer.
* modules/ssl/ssl_scache_memcache.c: Move memcache context into the
context structure rather than using global state.
* modules/ssl/ssl_engine_config.c: Remove handling of
pSessionCacheData* fields in SSLModConfigRec.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630323 13f79535-47bb-0310-9956-ffa450edef68
storage providers; includes a significant change to the shmcb storage
structure:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
retrieve function to take dest/destlen output buffer, to take a
constant id paramater, and to return a BOOL.
* modules/ssl/ssl_scache.c (ssl_scache_retrieve): Update accordingly,
perform SSL deserialization here.
* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_retrieve),
modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_retrieve),
modules/ssl/ssl_scache_memcache.c (ssl_scache_mc_retrieve):
Update accordingly.
* modules/ssl/ssl_scache_shmcb.c: Store the whole ID in the cache
before the data, so that each index can be compared against the
requested ID without deserializing the data. This requires approx
20% extra storage per session in the common case, though should
reduce CPU overhead in some retrieval paths.
(SHMCBIndex): Replace s_id2 field with id_len.
(shmcb_cyclic_memcmp): New function.
(ssl_scache_shmcb_init): Change the heuristics to allow for increase
in per-session storage requirement.
(ssl_scache_shmcb_retrieve): Drop requirement on ID length.
(shmcb_subcache_store): Store the ID in the cyclic buffer.
(shmcb_subcache_retrieve, shmcb_subcache_remove): Compare against
the stored ID rather than deserializing the data.
(ssl_scache_shmcb_retrieve, ssl_scache_shmcb_store): Update
accordingly.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630307 13f79535-47bb-0310-9956-ffa450edef68
storage providers:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
'store' interface to take a data/length pair rather than an
SSL_SESSION pointer.
* modules/ssl/ssl_scache.c (ssl_scache_store): Serialize the SSL
session here and pass down the raw DER.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c,
modules/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Adjust ->store
implementations accordingly, removing the four sets of identical
code doing the i2d dance.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630168 13f79535-47bb-0310-9956-ffa450edef68
step towards use of the ap_provider interface:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new
vtable type.
(SSLModConfigRec): Reference the vtable here.
Replace all the ssl_scache_* prototypes with provider vtable objects.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove,
ssl_ext_status_hook): Use callbacks from vtable rather than ifdef
spaghetti.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache):
Only install the OpenSSL callbacks if a vtable is configured.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up
vtable pointer.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make
implementations static, and add vtable definition.
* modules/ssl_scache_shmcb.c: Likewise; also move the init
one-per-process requirement down here.
* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local
subpool in the store callback.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630163 13f79535-47bb-0310-9956-ffa450edef68
log message since the passed-in cert may be e.g. the peer's issuer.
* modules/ssl/ssl_private.h (ssl_log_cxerror): Don't mention the word
peer here either.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600486 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured an the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@599385 13f79535-47bb-0310-9956-ffa450edef68
factored out from ssl_callback_SSLVerify.
* modules/ssl/ssl_private: Add prototype.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Use it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@597651 13f79535-47bb-0310-9956-ffa450edef68
in the post_read_request hook rather than in a filter, and fix the
filter insertion issue:
* modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
mostly moved from ssl_io_filter_Upgrade.
(ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
required.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
function.
(ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
pointer and pass to ap_add_*_filter to ensure the filter chain
is modified correctly; remove it from the filter afterwards.
(ssl_io_filter_register): Drop UPGRADE_FILTER registration.
* modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec
pointer, pass to ssl_io_filter_init.
(ssl_hook_pre_connection): Pass NULL request_rec pointer to above.
(ssl_hook_Insert_Filter): Remove function.
(ssl_register_hooks): Drop insert_filter hook.
* modules/ssl/ssl_private.h: Update prototypes.
PR: 41231
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592446 13f79535-47bb-0310-9956-ffa450edef68
argument; determine library version strings once at startup.
(ssl_var_lookup_ssl_version): Drop 'pp' argument; use new global
variables rather than modifying process-global state in a function
which must be thread-safe. (all callers changed)
* modules/ssl/mod_ssl.c (ssl_register_hooks): Pass pool to
ssl_var_register.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@591384 13f79535-47bb-0310-9956-ffa450edef68
locking method and the lockfile location, I never
liked how AcceptMutex was linked to LockFile. This
seemed unnecessary. Much better to have AcceptMutex
do both as well. Plus, now that we will likely see
other modules require a "standard" way of setting
mutexes, why not have Apache provide that as
an API of sorts.
Anyway, LockFile is now depreciated and AcceptMutex
is now SSLMutex-like. We also provide a short
function that "parses" out a mutex parameter
and strips out the mechanism and lockfile location.
AcceptMutex and SSLMutex is this capability.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@467326 13f79535-47bb-0310-9956-ffa450edef68
