75f5c2db254c0167a0e396254460de09b775d203 1588987 |
|
21-Apr-2014 |
trawick |
Add module mod_ssl_ct, which provides an implementation of Certificate
Transparency (RFC 6962) for httpd.
mod_ssl_ct requires OpenSSL 1.0.2 (in beta) and must be explicitly
enabled via configure.
Note that support/ctauditscts is purposefully not installed; it
does not properly function due to a dependency on a
certificate-transparency open source project tool which itself is
not sufficiently complete at this time. |
b4e664baba9a4be0457c31f84b3dcc4c31f2cb07 1527295 |
|
29-Sep-2013 |
kbrand |
Improve ephemeral key handling (companion to r1526168):
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294. |
75093d320edb4f9637eccc37b4f37f76456ce4cd 1387610 |
|
19-Sep-2012 |
kbrand |
switch back to MOD_SSL_LDADD, as suggested by jorton |
708fec3f1a67942d7ee00b8c57fb0aa4fb40dde2 1385216 |
|
16-Sep-2012 |
kbrand |
Spin off module-specific build options into separate build vars.
[second try, supersedes r1385214]
Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).
Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.
Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.
Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package. |
c256e9afd101e8c501964bc5a64e6c357dbf8d4b 1385215 |
|
16-Sep-2012 |
kbrand |
revert r1385214, as I inadvertently left out acinclude.m4. |
7b89b40f0ba56c00f9fa6fa2078fde0ffc52732e 1385214 |
|
16-Sep-2012 |
kbrand |
Spin off module-specific build options into separate build vars.
Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).
Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.
Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.
Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package. |
292707b9868335763d6f2bb74a263134eeeb8cad 1154688 |
|
07-Aug-2011 |
kbrand |
Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only. |
4281cf6a722c99ae21394dc2000bd48efcebdb3a 1154683 |
|
07-Aug-2011 |
kbrand |
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.
Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups). |
8c2ac56b3654234237ca3a943407361c45a3a4d1 1150471 |
|
24-Jul-2011 |
sf |
enable mod_ssl at level 'most'
Let's assume that if a system has the openssl dev headers installed in
the default location, it is very unlikely that crypto is forbidden in
the country that the system is located in.
If no ssl toolkit is found, disable mod_ssl instead of aborting.
The actual change is small, use 'diff -b' to review |
3bcb72c0b2797d2ec0b41bb9f4696e58be2c7043 1142938 |
|
05-Jul-2011 |
rjung |
Allow to specify module specific custom linker flags
via the MOD_XXX_LDADD variables.
Use APR_ADDTO instead of APR_SETVAR or direct
variable assignment.
This is especially useful when building mod_lua
or mod_deflate against a lua resp. libz which
are installed in non-standard locations.
One can add "-R ..." to MOD_LUA_LDADD and
MOD_DEFLATE_LDADD before configure to fix
the RPATH/RUNPATH of those modules. |
8fae12696bce44be9ce4c56888690cad8ac7b8f9 1032073 |
|
06-Nov-2010 |
sf |
Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted |
89b8bbc89404e7071e573c4f0a17f528996e855d 829619 |
|
25-Oct-2009 |
jorton |
Add support for OCSP "stapling":
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org> |
1e046c430fedc2d319088d925fd044710b3596b9 645940 |
|
08-Apr-2008 |
jorton |
Session cache interface redesign, Part 9:
Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects. |
39c7699ec0799d394d3f67145d4a12ed82f587b8 599385 |
|
29-Nov-2007 |
jorton |
mod_ssl: Add support for OCSP validation of client certificates:
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured and the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org> |
43636250ee8165dcc556b5e43a61db6517f4c9dc 555463 |
|
12-Jul-2007 |
pquerna |
Remove unneeded -I in apr_memcache test, since _INCLUDES already includes them on the paths |
790f9f969e6a65c504b13b8d18a6b290a9475f0e 555458 |
|
12-Jul-2007 |
pquerna |
Fix VPATH builds of httpd with the apr_memcache backend for ssl sessions, when APR and APR-Util are also in a VPATH. This is caused by APR_INCLUDEDIR actually having multiple paths in VPATH builds, so we need to use _INCLUDES instead. |
e4b96ba15dc8b2b27d251d53e29b86da32cd5066 545379 |
|
08-Jun-2007 |
pquerna |
Add support for distributed caching of SSL Sessions inside memcached, using apr_memcache, which is present in APR-Util 1.3/trunk.
This was originally written at ApacheCon US 2005 (San Diego), and was sent to the list:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200512.mbox/%3C439C6C07.9030904@force-elite.com%3E
This version is slightly cleaned up, and of course, uses the now bundled apr_memcache, rather than an external dependency. |
824eaf6c02773ba97a1f23fa284eaa9bf3636195 421021 |
|
12-Jul-2006 |
fielding |
update license header text |
db878466c5e95073429dda0bdd001f45e9486e16 421020 |
|
12-Jul-2006 |
fielding |
update license header text |
a2652f3451528565db1f85db6953fc30799d7ead 395229 |
|
19-Apr-2006 |
colm |
Update the last year of copyright. |
53359f0fef553ad61e2d1e871dc007c542844f86 190592 |
|
14-Jun-2005 |
jorton |
Update remaining 2004 copyright notices. |
854bdf16f253f5b1e12ed5c4975054c60c7fcc48 105740 |
|
10-Nov-2004 |
jorton |
* modules/ssl/config.m4: Use libtool's -export-symbols-regex flag to
hide all global symbols defined by mod_ssl other than the module
structure (where possible). |
164141857c02667118df04b14fe536d1756f0ef4 102870 |
|
06-Mar-2004 |
jorton |
Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:
* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.
* support/Makefile.in: Link ab against SSL_LIBS.
* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.
PR: 17217 |
70535d6421eb979ac79d8f49d31cd94d75dd8b2f 102803 |
|
28-Feb-2004 |
jorton |
Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them. |
12586227591ccf6dda6f5bd341ca390f8806faea 102799 |
|
28-Feb-2004 |
jorton |
Relicense. |
9f3f5c38b5f56b0cab274392a3156681747bd32f 102515 |
|
05-Feb-2004 |
jerenkrantz |
We need the SSL module dir in our path in order to compile mod_ssl.
Otherwise, we can't find mod_ssl.h. |
a9ee8e9bd3dffd23ca49be8d0bdf0e33cd0bcce2 102227 |
|
08-Jan-2004 |
jorton |
Add support to mod_ssl for a distributed session cache using
distcache.
* LAYOUT: Update for removal of scache_shmht and addition of scache_dc.
* modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo.
* modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck).
* modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow
use of dc: argument.
* modules/ssl/ssl_scache_dc.c: New file.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove,
ssl_ext_status_hook): Hook into scache_dc.
Submitted by: Geoff Thorpe <geoff@geoffthorpe.net> |
ca2504b59d48a926af23f6b18af550c1e892d8a6 101888 |
|
25-Nov-2003 |
jorton |
Remove shmht session cache in favour of shmcb; shmht has had
data corruption bugs since being apr_rmm'ified.
* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.
* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.
* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.
* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.
* ssl_scache.c: Remove shmht hooks throughout.
* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *. |
d925aa9edfba7c81a0310a1175bb6aea5e814439 100041 |
|
27-May-2003 |
wrowe |
These tests now exist in acinclude.m4 |
50a466d6a21b3134572bd5fc4f6f6e7e16baeb0c 100004 |
|
22-May-2003 |
wrowe |
The patch below reverts the prior commit to eliminate SSL_set_state().
Some additional work or research is required in order to pass the
perl-framework regressions, but I don't have the cycles and don't
care to leave the broken code in cvs HEAD.
REVERTING: wrowe 2003/05/19 08:13:19
Modified: modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
ssl_toolkit_compat.h
Log:
Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL.
Revision Changes Path
1.15 +0 -1 httpd-2.0/modules/ssl/config.m4
1.108 +1 -1 httpd-2.0/modules/ssl/ssl_engine_io.c
1.93 +1 -1 httpd-2.0/modules/ssl/ssl_engine_kernel.c
1.34 +0 -6 httpd-2.0/modules/ssl/ssl_toolkit_compat.h |
6d13e2d4f53caa96b8b592a88753a018dbf66439 99921 |
|
19-May-2003 |
wrowe |
Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL. |
6b973f74bcd9dc4888b408e65e355228bbf20364 99919 |
|
19-May-2003 |
wrowe |
Roll away the SSL_EXPERIMENTAL_ENGINE test in favor of testing for the
ENGINE_init() function in config.m4, and rely on HAVE_ENGINE_INIT instead.
Reviewed by: Ben Laurie (concept) |
863568dd263384cde6e3d9256500ade64b589490 99918 |
|
19-May-2003 |
wrowe |
First point out that we lost HAVE_SSL_SET_STATE and HAVE_SSL_SET_CERT_STORE
autoconf discovery. |
92a2439559cf1161742650ed9c50c6483bd029ce 98999 |
|
13-Mar-2003 |
madhum |
Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>
Reviewed by: Madhu, Justin |
108a52e39565819753b5400f7ac582ae3a1169fe 94301 |
|
29-Mar-2002 |
dougm |
removing old proxy extension code |
8c118e10f6e74359cb990ce2652578ca6af6b038 94223 |
|
27-Mar-2002 |
dougm |
add configure checks for ssl functions:
-SSL_set_state: macro in OpenSSL, might be a function in a patched sslc
-SSL_set_cert_store: patch submitted to OpenSSL, might be applied to
OpenSSL or sslc |
bc8fd1b0b1afdf89b8d28eefa8cd74e26ba97986 93918 |
|
13-Mar-2002 |
fielding |
Update our copyright for this year. |
a0e0d20b666cfc453ac76506079eb50e03997eef 93891 |
|
13-Mar-2002 |
dougm |
remove obsolete ssl_ds_{table,array} api |
9099e18dcfa8222190074980e6e937aae629da91 91950 |
|
14-Nov-2001 |
aaron |
Turns out this is causing problems on my linux box (libtool 1.3.5), so
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so. |
047eb6cc9f977147662724bfcdf7af905a6dfaee 91791 |
|
07-Nov-2001 |
aaron |
Gets mod_ssl building/loading as a DSO on some platforms (like HPUX).
Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com> |
11ce1f263fdd8812189b85930874943f9fa81bd5 89063 |
|
10-May-2001 |
fielding |
Eventually we will want to only find openssl once regardless of how
many modules depend on it, so make the check an autoconf macro.
Note that this still isn't being checked "the autoconf way", but it
is better than what we have now.
I'm not sure about the -R stuff, but I am told that Solaris won't
build without it. This is something that should be tested using
AC_TRY_LINK rather than assuming openssl isn't already on the ld path. |
c68a78df080213c796aae0c0801977a7198b2141 89053 |
|
08-May-2001 |
fielding |
When no specific location of openssl is given, we need to check the
places where people install upgraded software first, since otherwise
we will get the older versions installed by the OS distribution. That's
very bad for us because we are requiring a version of openssl that is
more recent than most of the Linux distros.
When finding the openssl helper program, check both the PATH and the default
install dirs, since openssl isn't normally included on a user's path.
Use APR_ADDTO to add to the make macros in order to avoid duplicates. |
7c792f0c8975e3edce4be2d878d47ed32c5224db 89015 |
|
05-May-2001 |
rse |
remove remaining references to compat and sdbm |
02c7b3fa1c2c34a3a9bd236f6cbf2fc5486b8bb0 89006 |
|
05-May-2001 |
rse |
Next step in mod_ssl integration:
Add missing files to build environment. |
6ace32dacb8313226eb9019275d0e4fa45a15148 89002 |
|
05-May-2001 |
rse |
Integrate mod_ssl into the Autoconf facility.
(currently only stub files are compiled) |