Add module mod_ssl_ct, which provides an implementation of Certificate Transparency (RFC 6962) for httpd. mod_ssl_ct requires OpenSSL 1.0.2 (in beta) and must be explicitly enabled via configure. Note that support/ctauditscts is purposefully not installed; it does not properly function due to a dependency on a certificate-transparency open source project tool which itself is not sufficiently complete at this time.

Improve ephemeral key handling (companion to r1526168): - allow to configure custom DHE or ECDHE parameters via the SSLCertificateFile directive, and adapt its documentation accordingly (addresses PR 49559) - add standardized DH parameters from RFCs 2409 and 3526, use them based on the length of the certificate's RSA/DSA key, and add a FAQ entry for clients which limit DH support to 1024 bits (such as Java 7 and earlier) - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to ssl_util_ssl.c, and add ssl_ec_GetParamFromFile() - drop ssl_engine_dh.c from mod_ssl For the standardized DH parameters, OpenSSL version 0.9.8a or later is required, which was therefore made a new minimum requirement in r1527294.

switch back to MOD_SSL_LDADD, as suggested by jorton

Spin off module-specific build options into separate build vars. [second try, supersedes r1385214] Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands, which are available to modules for customization on a per-subdir basis (by adding definitions to modules.mk). Reduces the risk of side-effects when a module needs to add CFLAGS, LDFLAGS etc. and these would be added to the global settings (ALL_CFLAGS etc.). Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate, mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx build variables. Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where they appear at the proper position in the build commands. Consistently use "--with-xxx=PATH" in configure help strings which are used to specify a path to the installation directory of an auxiliary package.

revert r1385214, as I inadvertently left out acinclude.m4.

Spin off module-specific build options into separate build vars. Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands, which are available to modules for customization on a per-subdir basis (by adding definitions to modules.mk). Reduces the risk of side-effects when a module needs to add CFLAGS, LDFLAGS etc. and these would be added to the global settings (ALL_CFLAGS etc.). Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate, mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx build variables. Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where they appear at the proper position in the build commands. Consistently use "--with-xxx=PATH" in configure help strings which are used to specify a path to the installation directory of an auxiliary package.

Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and remove #ifdef'ed code which was relevant for earlier versions only.

Drop support for the RSA BSAFE SSL-C toolkit from configure, and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups).

enable mod_ssl at level 'most' Let's assume that if a system has the openssl dev headers installed in the default location, it is very unlikely that crypto is forbidden in the country that the system is located in. If no ssl toolkit is found, disable mod_ssl instead of aborting. The actual change is small, use 'diff -b' to review

Allow to specify module specific custom linker flags via the MOD_XXX_LDADD variables. Use APR_ADDTO instead of APR_SETVAR or direct variable assignment. This is especially useful when building mod_lua or mod_deflate against a lua resp. libz which are installed in non-standard locations. One can add "-R ..." to MOD_LUA_LDADD and MOD_DEFLATE_LDADD before configure to fix the RPATH/RUNPATH of those modules.

Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework ap_expr's public interface and provide hooks for modules to add variables and functions. The Netware and Windows build files still need to be adjusted

Add support for OCSP "stapling": * modules/ssl/ssl_util_stapling.c: New file. * modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it. * modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS extension support enabled). * modules/ssl/mod_ssl.c: Add config directives. * modules/ssl/ssl_private.h: Add prototypes for new functions. (SSLModConfigRec): Add fields for stapling socache instance and associated mutex. (modssl_ctx_t): Add config fields for stapling. * modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child): Call the stapling initialization functions. * modules/ssl/ssl_engine_config.c: Add config hooks. * modules/ssl/ssl_scache.c: Create, initialize and destroy the socache instance for OCSP responses. Submitted by: Dr Stephen Henson <shenson oss-institute.org>

Session cache interface redesign, Part 9: Switch mod_ssl to use the ap_socache interface. * modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c, modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove files. * modules/ssl/mod_ssl.c (modssl_register_scache): Remove function. * modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc. (SSLModConfigRec): Switch to using socache types. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to use socache provider. * modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to using socache constants. * modules/ssl/config.m4: Drop distache/memcache configuration, remove old objects.

mod_ssl: Add support for OCSP validation of client certificates: * modules/ssl/ssl_engine_config.c (modssl_ctx_init, modssl_ctx_cfg_merge): Initialize and merge OCSP config options. (ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder, ssl_cmd_SSLOCSPEnable): Add functions. * modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options. * modules/ssl/ssl_private.h: Add prototypes, config options to modssl_ctx_t. * modules/ssl/ssl_util_ocsp.c: New file, utility interface for dispatching OCSP requests. * modules/ssl/ssl_engine_ocsp.c: New file, interface for performing OCSP validation. * modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform OCSP validation if configured, and the cert is so-far verified to be trusted. Fail if OCSP validation is configured an the optional-no-ca check tripped. * modules/ssl/config.m4: Check for OCSP support, build new files. * modules/ssl/mod_ssl.dsp: Build new files. * modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP interfaces. PR: 41123 Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton Reviewed by: Steve Henson <steve openssl.org>

Remove unneeded -I in apr_memcache test, since _INCLUDES already includes them on the paths

Fix VPATH builds of httpd with the apr_memcache backend for ssl sessions, when APR and APR-Util are also in a VPATH. This is caused by APR_INCLUDEDIR actually having multiple paths in a VPATH builds, so we need to use _INCLUDES instead.

Add support for distributed caching of SSL Sessions inside memcached, using apr_memcache, which is present in APR-Util 1.3/trunk. This was originally written at ApacheCon US 2005 (San Diego), and was sent to the list: http://mail-archives.apache.org/mod_mbox/httpd-dev/200512.mbox/%3C439C6C07.9030904@force-elite.com%3E This version is slightly cleaned up, and of course, uses the now bundled apr_memcache, rather than an external dependency.

update license header text

update license header text

Update the last year of copyright.

Update remaining 2004 copyright notices.

* modules/ssl/config.m4: Use libtool's -export-symbols-regex flag to hide all global symbols defined by mod_ssl other than the module structure (where possible).

Fix use of mod_ssl as a DSO linked against static SSL libraries; also stop linking all of support/* against the SSL libraries: * acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each module .la library will be linked against. (APACHE_MODPATH_ADD): Link static modules against the provided libraries. (APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export that to config_vars.mk. * support/Makefile.in: Link ab against SSL_LIBS. * modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to MOD_SSL_LDADD. PR: 17217

Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h to be included even when mod_ssl is not enabled. * Makefile.in (install-include): Only install mod_ssl.h. * modules/ssl/ssl_private.h: New file. * modules/ssl/mod_ssl.h: Move everything apart from than the optional hook definitions into ssl_private.h. * modules/ssl/*.c: Include ssl_private.h not mod_ssl.h * modules/ssl/config.m4: Always add the mod_ssl directory to the include path so other modules can find mod_ssl.h. * modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional hook definitions rather than copy'n'pasting them.

Relicense.

We need the SSL module dir in our path in order to compile mod_ssl. Otherwise, we can't find mod_ssl.h.

Add support to mod_ssl for a distributed session cache using distcache. * LAYOUT: Update for removal of scache_shmht and addition of scache_dc. * modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo. * modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck). * modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow use of dc: argument. * modules/ssl/ssl_scache_dc.c: New file. * modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill, ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove, ssl_ext_status_hook): Hook into scache_dc. Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>

Remove shmht session cache in favour of shmcb; shmht has had data corruption bugs since being apr_rmm'ified. * config.m4, mod_ssl.dsp: Don't build ssl_util_table and ssl_scache_shmht. * ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed files. * mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing the scache-specific data. * ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as shmcb:. * ssl_scache.c: Remove shmht hooks throughout. * ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a void *.

These tests now exist in acinclude.m4

The patch below reverts the prior commit to eliminate SSL_set_state(). Some additional work or research is required in order to pass the perl-framework regressions, but I don't have the cycles and don't care to leave the broken code in cvs HEAD. REVERTING: wrowe 2003/05/19 08:13:19 Modified: modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c ssl_toolkit_compat.h Log: Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin rehandshaking the SSL connection, vis-a-vis ApacheSSL. Revision Changes Path 1.15 +0 -1 httpd-2.0/modules/ssl/config.m4 1.108 +1 -1 httpd-2.0/modules/ssl/ssl_engine_io.c 1.93 +1 -1 httpd-2.0/modules/ssl/ssl_engine_kernel.c 1.34 +0 -6 httpd-2.0/modules/ssl/ssl_toolkit_compat.h

Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin rehandshaking the SSL connection, vis-a-vis ApacheSSL.

Roll away the SSL_EXPERIMENTAL_ENGINE test in favor of testing for the ENGINE_init() function in config.m4, and rely on HAVE_ENGINE_INIT instead. Reviewed by: Ben Laurie (concept)

First point out that we lost HAVE_SSL_SET_STATE and HAVE_SSL_SET_CERT_STORE autoconf discovery.

Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc). Submitted by: Geoff Thorpe <geoff@geoffthorpe.net> Reviewed by: Madhu, Justin

removing old proxy extension code

add configure checks for ssl functions: -SSL_set_state: macro in OpenSSL, might be a function in a patched sslc -SSL_set_cert_store: patch submitted to OpenSSL, might be applied to OpenSSL or sslc

Update our copyright for this year.

remove obsolete ssl_ds_{table,array} api

Turns out this is causing problems on my linux box (libtool 1.3.5), so I'm going to remove it until I or someone else can come up with a better way to check for and link against libssl and libcrypto for mod_ssl.so.

Gets mod_ssl building/loading as a DSO on some platforms (like HPUX). Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com>

Eventually we will want to only find openssl once regardless of how many modules depend on it, so make the check an autoconf macro. Note that this still isn't being checked "the autoconf way", but it is better than what we have now. I'm not sure about the -R stuff, but I am told that Solaris won't build without it. This is something that should be tested using AC_TRY_LINK rather than assuming openssl isn't already on the ld path.

When no specific location of openssl is given, we need to check the places where people install upgraded software first, since otherwise we will get the older versions installed by the OS distribution. That's very bad for us because we are requiring a version of openssl that is more recent than most of the Linux distros. When finding the openssl helper program, check both the PATH and the default install dirs, since openssl isn't normally included on a user's path. Use APR_ADDTO to add to the make macros in order to avoid duplicates.

remove remaining references to compat and sdbm

Next step in mod_ssl integration: Add missing files to build environment.

Integrate mod_ssl into the Autoconf facility. (currently only stub files are compiled)