mirror of
https://github.com/apache/httpd.git
synced 2025-11-14 01:22:37 +03:00
1e80b68ec1
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:
ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
and keys (in theory; currently OpenSSL does not support more than
one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile
ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx
ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
make it only load a single (encrypted) private key, and rename
to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
instead of the vhost id and the algorithm name
- do no longer supply the algorithm name as an argument to "exec"-type
passphrase prompting programs
ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
and ssl_asn1_table_keyfmt
ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1553824 13f79535-47bb-0310-9956-ffa450edef68
78 lines
2.9 KiB
C
78 lines
2.9 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/**
|
|
* @verbatim
|
|
_ _
|
|
_ __ ___ ___ __| | ___ ___| | mod_ssl
|
|
| '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
|
|
| | | | | | (_) | (_| | \__ \__ \ |
|
|
|_| |_| |_|\___/ \__,_|___|___/___/_|
|
|
|_____|
|
|
@endverbatim
|
|
* @file ssl_util_ssl.h
|
|
* @brief Additional Utility Functions for OpenSSL
|
|
*
|
|
* @defgroup MOD_SSL_UTIL Utilities
|
|
* @ingroup MOD_SSL
|
|
* @{
|
|
*/
|
|
|
|
#ifndef __SSL_UTIL_SSL_H__
|
|
#define __SSL_UTIL_SSL_H__
|
|
|
|
/**
|
|
* SSL library version number
|
|
*/
|
|
|
|
#define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
|
|
#define SSL_LIBRARY_NAME "OpenSSL"
|
|
#define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT
|
|
#define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
|
|
|
|
/**
|
|
* Maximum length of a DER encoded session.
|
|
* FIXME: There is no define in OpenSSL, but OpenSSL uses 1024*10,
|
|
* so this value should be ok. Although we have no warm feeling.
|
|
*/
|
|
#define SSL_SESSION_MAX_DER 1024*10
|
|
|
|
/** max length for SSL_SESSION_id2sz */
|
|
#define SSL_SESSION_ID_STRING_LEN \
|
|
((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)
|
|
|
|
/**
|
|
* Additional Functions
|
|
*/
|
|
void SSL_init_app_data2_idx(void);
|
|
void *SSL_get_app_data2(SSL *);
|
|
void SSL_set_app_data2(SSL *, void *);
|
|
EVP_PKEY *SSL_read_PrivateKey(const char *, EVP_PKEY **, pem_password_cb *, void *);
|
|
int SSL_smart_shutdown(SSL *ssl);
|
|
BOOL SSL_X509_getBC(X509 *, int *, int *);
|
|
char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
|
|
char *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
|
|
BOOL SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
|
|
BOOL SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
|
|
BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
|
|
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
|
|
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
|
|
char *SSL_SESSION_id2sz(unsigned char *, int, char *, int);
|
|
|
|
#endif /* __SSL_UTIL_SSL_H__ */
|
|
/** @} */
|
|
|