* modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function.
(ssl_hook_Access): Forcibly disable keepalive for the connection if
there is any buffered data readable from the input filter stack.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the
BIO uses blocking operations when invoked outside direct control of
the httpd filter stack.
Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this
technique.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@891282 13f79535-47bb-0310-9956-ffa450edef68
Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.
Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
(ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
the (renamed) info callback unconditionally.
* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
to SSLConnRec.
(bio_filter_out_write, bio_filter_in_read): Fail with
APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
of ssl_callback_LogTracingState.
(ssl_callback_Info): New function.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833582 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_io.c (bio_filter_in_read): Flush pending
output unconditionally since OpenSSL is known to not flush correctly
at all times, and it should be cheap even in cases where it is
unnecessary.
PR: 46952
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@788715 13f79535-47bb-0310-9956-ffa450edef68
implementation of BIO_CTRL_PENDING and BIO_CTRL_WPENDING, to return
zero and pending-bytes-to-write respectively.
PR: 46952
Submitted by: David Smith <David.Smith cern.ch>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@787722 13f79535-47bb-0310-9956-ffa450edef68
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757463 13f79535-47bb-0310-9956-ffa450edef68
interface.
(ssl_io_filter_input): For GETLINE mode, pull lines directly from
the char_buffer if possible, to avoid unnecessarily copying the
entire buffer once per invocation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@683283 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_io.c: Define new error codes in the APR status
code range, MODSSL_ERROR_BAD_GATEWAY and MODSSL_ERROR_HTTP_ON_HTTPS;
use these HTTP_* constants directly as apr_status_t values.
(ssl_io_filter_error): Use new constants.
(ssl_io_filter_handshake): Return purely an APR status value rather
than a mixture of HTTP_* constants, OpenSSL error codes, and APR
status values.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645549 13f79535-47bb-0310-9956-ffa450edef68
ssl_io_filter_init): Don't clear f->r here after adding connection
filters since ap_add_*_filter now guarantee to do it internally.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@600477 13f79535-47bb-0310-9956-ffa450edef68
ssl_io_filter_connect since the function performs a handshake in
either client or server mode, not a "connect". No functional change.
(both callers updated)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592552 13f79535-47bb-0310-9956-ffa450edef68
in the post_read_request hook rather than in a filter, and fix the
filter insertion issue:
* modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
mostly moved from ssl_io_filter_Upgrade.
(ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
required.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
function.
(ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
pointer and pass to ap_add_*_filter to ensure the filter chain
is modified correctly; remove it from the filter afterwards.
(ssl_io_filter_register): Drop UPGRADE_FILTER registration.
* modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec
pointer, pass to ssl_io_filter_init.
(ssl_hook_pre_connection): Pass NULL request_rec pointer to above.
(ssl_hook_Insert_Filter): Remove function.
(ssl_register_hooks): Drop insert_filter hook.
* modules/ssl/ssl_private.h: Update prototypes.
PR: 41231
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@592446 13f79535-47bb-0310-9956-ffa450edef68
renegotiation when an internal redirect occurs:
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Remove
protocol-level filters before inserting the buffering filter.
(ssl_io_filter_buffer): Return an EOS if invoked with an empty
brigade; do not remove the filter after exhausting the buffer.
(ssl_io_filter_buffer): Increase the type of the buffer filter to be
AP_FTYPE_PROTOCOL.
PR: 43738
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@591393 13f79535-47bb-0310-9956-ffa450edef68
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@416265 13f79535-47bb-0310-9956-ffa450edef68
but safe fix for the mod_ssl renegotiation-vs-requests-with-bodies
bug:
* modules/ssl/ssl_private.h (ssl_io_buffer_fill): Add prototype.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill,
ssl_io_filter_buffer): New functions.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): If a
renegotiation is needed, and the request has a non-zero
content-length, or a t-e header (and 100-continue was not requested),
call ssl_io_buffer_fill to set aside the request body data if
possible, then proceed with the negotiation.
PR: 12355
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@290965 13f79535-47bb-0310-9956-ffa450edef68
change to mod_proxy_http):
* modules/ssl/ssl_engine_io.c (bio_filter_in_read): Return an error if
the read would block so that the SSL_read() caller checks for
SSL_ERROR_WANT_READ, rather than 0, which is treated like EOF.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105768 13f79535-47bb-0310-9956-ffa450edef68
modules/mod_ssl.c: Switch to using ap_log_cerror() in place of
ap_log_error() everywhere that the conn_rec * is available.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105739 13f79535-47bb-0310-9956-ffa450edef68
