(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1425874 13f79535-47bb-0310-9956-ffa450edef68
- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl
version
- rename rv variable
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1348653 13f79535-47bb-0310-9956-ffa450edef68
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1222917 13f79535-47bb-0310-9956-ffa450edef68
- drop the SSLTicketKeyDefault directive, and only support a single
ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1213380 13f79535-47bb-0310-9956-ffa450edef68
* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1200040 13f79535-47bb-0310-9956-ffa450edef68
Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name
to an RFC 2253 formatted string.
Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1172797 13f79535-47bb-0310-9956-ffa450edef68
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1165056 13f79535-47bb-0310-9956-ffa450edef68
Remove some more unneeded defines from ssl_private.h.
At runtime, warn when mod_ssl is started with an OpenSSL version
older than the one it was originally compiled against.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1157575 13f79535-47bb-0310-9956-ffa450edef68
after support for non-OpenSSL toolkits has been dropped.
Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
up stdlib.h.
* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle),
modules/ssl/ssl_engine_vars.c: Stop pretending mod_ssl has a version
independent of the rest of the server.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1082202 13f79535-47bb-0310-9956-ffa450edef68
calculate hash index only once per loop iteration; no (intended)
functional change. Add comments and tweak a log message.
* modules/ssl/ssl_private.h: Add comments.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1069765 13f79535-47bb-0310-9956-ffa450edef68
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1054323 13f79535-47bb-0310-9956-ffa450edef68
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1032073 13f79535-47bb-0310-9956-ffa450edef68
containers:
'ssl' (equivalent to SSLRequireSSL)
'ssl-verify-client' (for use with 'SSLVerifyClient optional')
'ssl-require' (expressions with same syntax as SSLRequire)
We may decide to axe 'ssl-require' again in favor of the generic 'expr'
provider, depending on the development of the ap_expr parser.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002837 13f79535-47bb-0310-9956-ffa450edef68
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'.
PR: 46270
Submitted by: Dr Stephen Henson <steve openssl.org>, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@925980 13f79535-47bb-0310-9956-ffa450edef68
default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead.
Some existing modules, such as mod_ldap and mod_auth_digest gain
configurability for their mutexes.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@883540 13f79535-47bb-0310-9956-ffa450edef68
Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.
Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
(ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
the (renamed) info callback unconditionally.
* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
to SSLConnRec.
(bio_filter_out_write, bio_filter_in_read): Fail with
APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
of ssl_callback_LogTracingState.
(ssl_callback_Info): New function.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833582 13f79535-47bb-0310-9956-ffa450edef68
I added a few more fixes, and there are still more that might
need a doxygen expert.
PR: 48061
Submitted by: Brad Hards
Reviewed by: poirier
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@830527 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
