so the hardware library can pick up the locking callbacks. Fixes PR 20951.
Tested on Linux with trunk and an nCipher nShield card, and on Solaris 10/Sparc
on 2.0.55 with an nCipher NetHSM.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@525709 13f79535-47bb-0310-9956-ffa450edef68
*) simplify a ton of overly-verbose legacy code
*) split the compiled-against v.s. runtime library
*) precache the results of the version string touchup
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@520701 13f79535-47bb-0310-9956-ffa450edef68
pkp->certs pointer after freeing the array; fixes segfault at startup
if the certs are shared across >1 server_rec.
PR: 39915
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@417988 13f79535-47bb-0310-9956-ffa450edef68
key generation which passed a bogus pointer for a %pA conversion,
hence could give false warnings for name-based-vhost use.
PR: 37051
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@320796 13f79535-47bb-0310-9956-ffa450edef68
configured to support exactly one protocol, use that explicit server
and client mechansim to handshake with the client or proxied machine,
rather than the generic SSLv23_[client|server]_method().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@264621 13f79535-47bb-0310-9956-ffa450edef68
differ as openssl has modified pointer constness from bump to bump.
This needs testing on Netware, it builds clean on 0.9.6m, 0.9.7d,
0.9.7g, and 0.9.8-final on Win32.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209675 13f79535-47bb-0310-9956-ffa450edef68
I will be adding documentation for the new directives hopefully in the next day or so.
* server/core.c: Added 'Protocol' to the core module config
Added ap_{set,get}_server_protocol API.
Added new directive: 'AcceptFilter'.
Enable 'httpready' by default on systems that support it. Use dataready filters for others.
* server/listen.c: Attempt to inherit protocols from Listener Records to Server configs.
The 'Listen' directive can now optionally take a protocol arg
Move bits that determined which accept filter is applied to core.c.
Added bits to find the correct accept filter based on the core's configuration.
* include/{ap_listen.h,http_core.h}: Add Protocol to respective structures.
* include/http_core.h: Add the accf_map table to the core_server_config structure
* include/ap_mmn.h: Minor MMN Bump for the new interfacces.
* modules/ssl/ssl_engine_init.c: Use the new protocol framework to enable mod_ssl for 'https' websites.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@190563 13f79535-47bb-0310-9956-ffa450edef68
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105396 13f79535-47bb-0310-9956-ffa450edef68
which uses the server's cipher preference order rather than the
client's.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.
PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103832 13f79535-47bb-0310-9956-ffa450edef68
just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.
PR: 26562
Reviewed by: Geoff Thorpe, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103165 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.
PR: 24030
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101878 13f79535-47bb-0310-9956-ffa450edef68
because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101154 13f79535-47bb-0310-9956-ffa450edef68
dynalinked OpenSSL Engines and Configs. Move the library teardown code
so that it is torn down in the proper order, corresponding to when the
library itself was initialized. And leave a little reminder that some
memory diagnostics would be good if OpenSSL is built for malloc debugging.
Suggested by: Geoff Thorpe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100288 13f79535-47bb-0310-9956-ffa450edef68
the config cmd processors should be examining the SSL context. We must
initialize the SSL library before we can actually obtain any useful
information from the SSL library.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100107 13f79535-47bb-0310-9956-ffa450edef68
to check for both the existence of the openssl/engine.h header file
and some 'expected function' such as ENGINE_init() (better suggestions
are welcome.) Also clear up some confusion; so long as we have
ENGINE_load_builtin_engines() we should attempt to preload those.
This patch protects all ENGINE-based code within the tests for the
engine header and function, and changes a version test into a
function test.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100104 13f79535-47bb-0310-9956-ffa450edef68
type overrides;
MODSSL_CLIENT_CERT_CB_ARG_TYPE
MODSSL_PCHAR_CAST (for a host of non-void/const sslc values)
modssl_read_bio_cb_fn (for several callbacks with same prototypes)
Declare callback functions appropriately.
And protect us from indetermineant toolkits with
#error "Unrecognized SSL Toolkit!"
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99183 13f79535-47bb-0310-9956-ffa450edef68
of the CRYPTO_malloc_init() which must happen the moment we load the
module and prior to *any* ssl library fn invocation.
Moved the CRYPTO_malloc_init() into the ssl_register_hooks() function,
the absolute first call made into any loaded module.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98252 13f79535-47bb-0310-9956-ffa450edef68
SSLEngine upgrade so that we can begin and continue to support these
facilities. This makes it simpler to keep this effort (while we have
no known clients that support Connection: upgrade at this time), and
begin refactoring more of SSL into smaller and tighter (and then optional)
components.
Submitted by: Ryan Bloom
Reviewed by: William Rowe, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97912 13f79535-47bb-0310-9956-ffa450edef68
Also, uncomment a line of code that the last commit should have uncommented.
Randall found this line and the fix, but I forgot to uncomment this line
along with the fix.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97179 13f79535-47bb-0310-9956-ffa450edef68
expected by OpenSSL? Right now I've left it as _DEFAULT for the platform
preference. Very simple code really - the server_rec was superfluous.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95497 13f79535-47bb-0310-9956-ffa450edef68
for example: <VirtualHost *:>, for which the core only spits out a warning:
Name or service not known: Cannot resolve host name *: --- ignoring!
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95158 13f79535-47bb-0310-9956-ffa450edef68
