Use the ap_provider interface for session cache storage providers.
* modules/ssl/mod_ssl.c (modssl_register_scache): New function.
(ssl_register_hooks): Call it.
* modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP
and MODSSL_SESSCACHE_PROVIDER_VERSION constants.
Remove ssl_scmode_t type. Change nSessionCacheMode in
SSLModConfigRec into a long sesscache_mode, storing the OpenSSL
SSL_SESS_CACHE_* flags directly.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set
sesscache_mode to SSL_SESS_CACHE_OFF by default.
(ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured
session cache by provider name. Set mc->sesscache_mode for
configured providers.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the
configured mode flags directly from mc->sesscache_mode.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@631000 13f79535-47bb-0310-9956-ffa450edef68
step towards use of the ap_provider interface:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new
vtable type.
(SSLModConfigRec): Reference the vtable here.
Replace all the ssl_scache_* prototypes with provider vtable objects.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove,
ssl_ext_status_hook): Use callbacks from vtable rather than ifdef
spaghetti.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache):
Only install the OpenSSL callbacks if a vtable is configured.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up
vtable pointer.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make
implementations static, and add vtable definition.
* modules/ssl_scache_shmcb.c: Likewise; also move the init
one-per-process requirement down here.
* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local
subpool in the store callback.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@630163 13f79535-47bb-0310-9956-ffa450edef68
This is because a) during SNI such is normal and b) regardless
when overlap is detected there will always be a warning:
[warn] Init: Name-based SSL virtual hosts only work for clients
with TLS server name indication support (RFC 4366)
at the end of the cycle.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@620505 13f79535-47bb-0310-9956-ffa450edef68
so the hardware library can pick up the locking callbacks. Fixes PR 20951.
Tested on Linux with trunk and an nCipher nShield card, and on Solaris 10/Sparc
on 2.0.55 with an nCipher NetHSM.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@525709 13f79535-47bb-0310-9956-ffa450edef68
*) simplify a ton of overly-verbose legacy code
*) split the compiled-against v.s. runtime library
*) precache the results of the version string touchup
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@520701 13f79535-47bb-0310-9956-ffa450edef68
pkp->certs pointer after freeing the array; fixes segfault at startup
if the certs are shared across >1 server_rec.
PR: 39915
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@417988 13f79535-47bb-0310-9956-ffa450edef68
key generation which passed a bogus pointer for a %pA conversion,
hence could give false warnings for name-based-vhost use.
PR: 37051
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@320796 13f79535-47bb-0310-9956-ffa450edef68
configured to support exactly one protocol, use that explicit server
and client mechansim to handshake with the client or proxied machine,
rather than the generic SSLv23_[client|server]_method().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@264621 13f79535-47bb-0310-9956-ffa450edef68
differ as openssl has modified pointer constness from bump to bump.
This needs testing on Netware, it builds clean on 0.9.6m, 0.9.7d,
0.9.7g, and 0.9.8-final on Win32.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209675 13f79535-47bb-0310-9956-ffa450edef68
I will be adding documentation for the new directives hopefully in the next day or so.
* server/core.c: Added 'Protocol' to the core module config
Added ap_{set,get}_server_protocol API.
Added new directive: 'AcceptFilter'.
Enable 'httpready' by default on systems that support it. Use dataready filters for others.
* server/listen.c: Attempt to inherit protocols from Listener Records to Server configs.
The 'Listen' directive can now optionally take a protocol arg
Move bits that determined which accept filter is applied to core.c.
Added bits to find the correct accept filter based on the core's configuration.
* include/{ap_listen.h,http_core.h}: Add Protocol to respective structures.
* include/http_core.h: Add the accf_map table to the core_server_config structure
* include/ap_mmn.h: Minor MMN Bump for the new interfacces.
* modules/ssl/ssl_engine_init.c: Use the new protocol framework to enable mod_ssl for 'https' websites.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@190563 13f79535-47bb-0310-9956-ffa450edef68
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@125165 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that a
correct cipher suite has been negotiated, else deny access.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): With OpenSSL
0.9.7, prevent session resumption during a renegotiation to force the
client to negotiate a new (and acceptable) cipher suite.
Submitted by: Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105396 13f79535-47bb-0310-9956-ffa450edef68
which uses the server's cipher preference order rather than the
client's.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.
PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103832 13f79535-47bb-0310-9956-ffa450edef68
just prevents the internal lookup but does not prevent the caching.
OpenSSL 0.9.6h onwards has a new flag 'SSL_SESS_CACHE_NO_INTERNAL' to
prevent OpenSSL from both lookup and caching the sessions internally.
PR: 26562
Reviewed by: Geoff Thorpe, Joe Orton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@103165 13f79535-47bb-0310-9956-ffa450edef68
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
(rather than segfault later) if a client cert is configured which is
missing either the certificate or private key.
PR: 24030
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101878 13f79535-47bb-0310-9956-ffa450edef68
because of the changes to the argument lists of apr_mmap_dup and apr_socket_create,
2.1-dev won't build with apr and apr-util's 0.9 branch anymore
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101154 13f79535-47bb-0310-9956-ffa450edef68
dynalinked OpenSSL Engines and Configs. Move the library teardown code
so that it is torn down in the proper order, corresponding to when the
library itself was initialized. And leave a little reminder that some
memory diagnostics would be good if OpenSSL is built for malloc debugging.
Suggested by: Geoff Thorpe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100288 13f79535-47bb-0310-9956-ffa450edef68
the config cmd processors should be examining the SSL context. We must
initialize the SSL library before we can actually obtain any useful
information from the SSL library.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100107 13f79535-47bb-0310-9956-ffa450edef68
to check for both the existence of the openssl/engine.h header file
and some 'expected function' such as ENGINE_init() (better suggestions
are welcome.) Also clear up some confusion; so long as we have
ENGINE_load_builtin_engines() we should attempt to preload those.
This patch protects all ENGINE-based code within the tests for the
engine header and function, and changes a version test into a
function test.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100104 13f79535-47bb-0310-9956-ffa450edef68
type overrides;
MODSSL_CLIENT_CERT_CB_ARG_TYPE
MODSSL_PCHAR_CAST (for a host of non-void/const sslc values)
modssl_read_bio_cb_fn (for several callbacks with same prototypes)
Declare callback functions appropriately.
And protect us from indetermineant toolkits with
#error "Unrecognized SSL Toolkit!"
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99183 13f79535-47bb-0310-9956-ffa450edef68
of the CRYPTO_malloc_init() which must happen the moment we load the
module and prior to *any* ssl library fn invocation.
Moved the CRYPTO_malloc_init() into the ssl_register_hooks() function,
the absolute first call made into any loaded module.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98252 13f79535-47bb-0310-9956-ffa450edef68
