the SSLVerifyDepth applied with the default/handshaken vhost differs from
the one applicable with the finally selected vhost.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1684171 13f79535-47bb-0310-9956-ffa450edef68
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677143 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
modssl_register_npn optional function and related declarations.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
no longer set NPN advertisement callback.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
NPN handling.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
remove callback.
* modules/ssl/ssl_private.h: remove NPN prototypes, set
HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.
Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.
Previous commits related to NPN and ALPN, for reference purposes:
r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness
(plus some minor tweaks: r1670578, r1670440, r1670578,
r1670738, r1675459, and r1675549)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676004 13f79535-47bb-0310-9956-ffa450edef68
More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never
return an HTTP error status from a handler if some filter generated a response
already.
That is, from a handler, either ap_get_brigade() (an input filter) returned
AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an
output filter) failed with any status and we must return AP_FILTER_ERROR in
any case for ap_die() to determine whether a response is needed or not.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1665625 13f79535-47bb-0310-9956-ffa450edef68
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650047 13f79535-47bb-0310-9956-ffa450edef68
When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and make SSL_do_handshake crash probably because we force the renegotiation
based on an incomplete SSL state.
To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given
SSL connection is not in a valid (handshaken) state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
if these checks detect a problem, the checks shouldn't return an
error again when processing an ErrorDocument redirect for the
original problem.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1609914 13f79535-47bb-0310-9956-ffa450edef68
minor) race and leaks:
* modules/ssl/ssl_engine_init.c (make_dh_params): Moved/rejigged
variant of make_get_dh() macro.
(init_dh_params, free_dh_params): New functions.
(modssl_get_dh_params): Split out from ssl_callback_TmpDH.
(ssl_init_Module, ssl_init_ModuleKill): Use new init_/free_.
* modules/ssl/ssl_engine_kernel.c: Moved out DH parameter handling.
(ssl_callback_TmpDH): Use modssl_get_dh_params.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1598107 13f79535-47bb-0310-9956-ffa450edef68
SSL_CTX_set_tmp_dh_callback though once generated as we leak
memory otherwise and freeing the structure up after use would be
hard to track and in fact is not needed at all as it is safe to
use the same parameters over and over again security wise (in
contrast to the keys itself) and code safe as the returned structure
is duplicated by OpenSSL anyway. Hence no modification happens
to our copy.
Observed by: rjung
Reviewed by: kbrand
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1597349 13f79535-47bb-0310-9956-ffa450edef68
- no longer send a warning-level unrecognized_name(112) alert
when no matching vhost is found (PR 56241)
- at startup, only issue warnings about IP/port conflicts and name-based
SSL vhosts when running with an OpenSSL without TLS extension support
(almost 5 years after SNI was added to 2.2.x, the
"[...] only work for clients with TLS server name indication support"
warning feels obsolete)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1585090 13f79535-47bb-0310-9956-ffa450edef68
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1527295 13f79535-47bb-0310-9956-ffa450edef68
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1526168 13f79535-47bb-0310-9956-ffa450edef68
Inadvertent side effect of r907918, where the timeout calculation
in ssl_callback_NewSessionCacheEntry was slightly modified.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1510098 13f79535-47bb-0310-9956-ffa450edef68
hooks API and inter-module hard linkage:
* modules/ssl/mod_ssl.h: Remove NPN hooks, add "modssl_register_npn"
optional function and callback function type declarations for
ssl_npn_advertise_protos, ssl_npn_proto_negotiated.
* modules/ssl/mod_ssl.c: Drop hooks.
(modssl_register_npn): New optional function implementation.
(ssl_register_hooks): Register it.
* modules/ssl/ssl_private.h (SSLConnRec): Add npn_advertfns,
npn_negofns array fields.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
Replace use of hook API with array iteration.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Likewise.
Reviewed by: Matthew Steele <mdsteele google.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1487772 13f79535-47bb-0310-9956-ffa450edef68
- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl
version
- rename rv variable
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1348653 13f79535-47bb-0310-9956-ffa450edef68
