More ALPN goodness

ALPN support, based on mod_spdy/mod_h2 patch set

Provide separate SSL_CT_*_STATUS variables for client vs. proxy connections, courtesy of a new flag passed from mod_ssl on its pre_connection "optional hook."

Add SSLSessionTickets (on|off). It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on). Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. As long as we do not have a nice key management there should be a way to deactivate session tickets.

* mod_ssl: call ERR_free_strings() with OpenSSL >= 0.9.8e. Fixes memory leak in mod_ssl on graceful restart. PR 53435.

mod_ssl: Add hooks to allow other modules to perform processing at several stages of initialization and connection handling. See mod_ssl_openssl.h. This is enough to allow implementation of Certificate Transparency outside of mod_ssl.

mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.

Remove SSLPKCS7CertificateFile support: - was never documented, so very unlikely that it was ever used - adds complexity without apparent benefit; PKCS#7 files can be trivially converted to a file for use with SSLCertificateChainFile (concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...) - only supports PKCS7 files with PEM encoding, i.e. relies on a non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual) - issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E were never fully addressed (cf. r424707 and r424735) - has never worked in vhost context due to a cfgMergeString call missing from modssl_ctx_cfg_merge

Increase minimum required OpenSSL version to 0.9.8a (in preparation for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y functions added in that release): - remove obsolete #defines / macros - in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not - for ECC and SRP support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly For the discussion prior to taking this step, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

Streamline ephemeral key handling: - drop support for ephemeral RSA keys (only allowed/needed for export ciphers) - drop pTmpKeys from the per-process SSLModConfigRec, and remove the temp key generation at startup (unnecessary for DHE/ECDHE) - unconditionally disable null and export-grade ciphers by always prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string - do not configure per-connection SSL_tmp_*_callbacks, as it is sufficient to set them for the SSL_CTX - set default curve for ECDHE at startup, obviating the need for a per-handshake callback, for the time being (and also configure SSL_OP_SINGLE_ECDH_USE, previously left out) For additional background, see https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

SSLCompression help text: add missing space between directive description and syntax

Remove unnecessary global declarations of optional function implementations: * modules/ssl/mod_ssl.c (ssl_proxy_enable, ssl_engine_disable): Mark static. * modules/ssl/ssl_private.h (ssl_proxy_enable, ssl_engine_disable): Remove declarations.

mod_ssl: Redesign NPN (Next Protocol Negotiation) API to avoid use of hooks API and inter-module hard linkage: * modules/ssl/mod_ssl.h: Remove NPN hooks, add "modssl_register_npn" optional function and callback function type declarations for ssl_npn_advertise_protos, ssl_npn_proto_negotiated. * modules/ssl/mod_ssl.c: Drop hooks. (modssl_register_npn): New optional function implementation. (ssl_register_hooks): Register it. * modules/ssl/ssl_private.h (SSLConnRec): Add npn_advertfns, npn_negofns array fields. * modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): Replace use of hook API with array iteration. * modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Likewise. Reviewed by: Matthew Steele <mdsteele google.com>

revert r1352596, for the reasons explained in https://mail-archives.apache.org/mod_mbox/httpd-dev/201304.mbox/%3C515FED7C.5010009%40velox.ch%3E

Removed tabs.

Avoid valgrind warnings in mod_ssl random number generator We intentionally add uninitialized stack memory. To avoid warnings, make valgrind believe that the memory is defined. Add configure option to enable valgrind support

mod_ssl: add support for subjectAltName-based host name checking in proxy mode (PR 54030) factor out code from ssl_engine_init.c:ssl_check_public_cert() to ssl_util_ssl.c:SSL_X509_match_name() introduce new SSLProxyCheckPeerName directive, which should eventually obsolete SSLProxyCheckPeerCN ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication when aborting with HTTP_BAD_GATEWAY

Add support for OpenSSL configuration commands.

Avoid use of deprecated functions for OpenSSL version >= 1.0

Removed trailing semicolons.

RFC 5878 support.

Add support for TLS-SRP (Secure Remote Password key exchange for TLS, RFC 5054). PR: 51075 Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou, Peter Sylvester

Add new directive SSLCompression to disable SSL-level compression. PR: 53219 Submitted by: Björn Jacke <bjoern j3e de>, Stefan Fritsch

Add support for TLS Next Protocol Negotiation: * modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new hooks for next protocol advertisement/discovery. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable NPN advertisement callback in handshake. * modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke next-protocol discovery hook. * modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos): New callback. * modules/ssl/ssl_private.h: Add prototype. Submitted by: Matthew Steele <mdsteele google.com> with slight tweaks by jorton

Fix another case of #ifdef-within-a-macro (which was inadvertently introduced a few days ago).

SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when compiled against OpenSSL 1.0.1 or later. Update documentation.

Streamline TLS session ticket key handling (added in r1200040): - drop the SSLTicketKeyDefault directive, and only support a single ticket key per server/vhost - rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile, remove the keyname parameter - move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t - configure the tlsext_ticket_key_cb only when in server mode - add documentation for SSLSessionTicketKeyFile

Add lots of unique tags to error log messages

Add support for RFC 5077 TLS Session tickets. This adds two new directives: * SSLTicketKeyFile: To store the private information for the encryption of the ticket. * SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers.

More cleanup: Expand tabs and some more indentation fixes No functional change

Revamp CRL checking for client and remote servers: - completely delegate CRL processing to OpenSSL - introduce a new [Proxy]CARevocationCheck directive - drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c - remove X509_STORE from modssl_ctx_t - drop CRL store helper functions from ssl_util_ssl.c - avoid sending "certificate_expired" SSL alerts to peers when the nextUpdate field of a CRL is in the past

Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812

Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and remove #ifdef'ed code which was relevant for earlier versions only.

Drop support for the RSA BSAFE SSL-C toolkit from configure, and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups).

Avoid unnecessary renegotiations with SSLVerifyDepth 0. PR: 48215 Submitted by: Kaspar Brand <asfbugz velox ch>

* modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h: Add config hooks for OCSP response time skew, maximum age, timeout. * modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Respect config settings for above. * docs/: Update accordingly. Submitted by: Kaspar Brand <httpd-dev.2011 velox.ch>

Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework ap_expr's public interface and provide hooks for modules to add variables and functions. The Netware and Windows build files still need to be adjusted

Add authz providers for use with mod_authz_core and its RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL) 'ssl-verify-client' (for use with 'SSLVerifyClient optional') 'ssl-require' (expressions with same syntax as SSLRequire) We may decide to axe 'ssl-require' again in favor of the generic 'expr' provider, depending on the development of the ap_expr parser.

Replace LogLevelDebugDump with TRACE log levels

Introduce SSLLOG_MARK for use with ssl_log_ssl_error(). This will allow to redefine APLOG_MARK later.

Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper build of openssl is required for 'SSLFIPS on'. PR: 46270 Submitted by: Dr Stephen Henson <steve openssl.org>, wrowe

Style guides at httpd are pretty clear, macro values are UPCASE, please?

New releases of OpenSSL will only allow secure renegotiation by default. Add an "SSLInsecureRenegotiation" directive to enable renegotiation against unpatched clients, to ease transition: * modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add insecure_reneg field. * modules/ssl/ssl_engine_config.c (ssl_config_server_new, ssl_config_server_merge): Handle the insecure_reneg flag. (ssl_cmd_SSLInsecureRenegotiation): New function. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is enabled. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of support for secure reneg. * modules/ssl/mod_ssl.c: Add the directive definition.

Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex, and WatchdogMutexPath with a single Mutex directive. Add APIs to simplify setup and user customization of APR proc and global mutexes. (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer respected; set DEFAULT_REL_RUNTIMEDIR instead. Some existing modules, such as mod_ldap and mod_auth_digest gain configurability for their mutexes.

enable support for ECC keys and ECDH ciphers. Tested against OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme]

Add support for OCSP "stapling": * modules/ssl/ssl_util_stapling.c: New file. * modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it. * modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS extension support enabled). * modules/ssl/mod_ssl.c: Add config directives. * modules/ssl/ssl_private.h: Add prototypes for new functions. (SSLModConfigRec): Add fields for stapling socache instance and associated mutex. (modssl_ctx_t): Add config fields for stapling. * modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child): Call the stapling initialization functions. * modules/ssl/ssl_engine_config.c: Add config hooks. * modules/ssl/ssl_scache.c: Create, initialize and destroy the socache instance for OCSP responses. Submitted by: Dr Stephen Henson <shenson oss-institute.org>

replaced all backticks with single quotes in output strings.

* As proposed by wrowe on list always define SSLStrictSNIVHostCheck, but error out if we are not compiled against an SNI capable OpenSSL.

* Add SSLStrictSNIVHostCheck to allow / disallow non SNI clients to connect to name based virtual hosts.

* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. (docs/manual/mod/mod_ssl.xml) Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. (modules/proxy/mod_proxy_http.c) Set the hostname of the request URL as note on the connection. (modules/ssl/ssl_private.h) Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to the SSLSrvConfigRec. (modules/ssl/ssl_engine_config.c) Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. (modules/ssl/ssl_engine_io.c) Check whether the remote servers certificate is expired / if there is a mismatch between the requested hostanme and the remote server certificates CN field. Be able to parse ASN1 times. (modules/ssl/mod_ssl.c) Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.

* Store the correct server_rec in the connection record configuration and adjust the remaining part of mod_ssl to use this server_rec instead of c->base_server. modules/ssl/ssl_private.h: - server_rec member to SSLConnRec struct - Add macros to extract data from connection_rec mySrvFromConn(c) mySrvConfigFromConn(c) myModConfigFromConn(c) modules/ssl/ssl_engine_io.c modules/ssl/ssl_util_ocsp.c modules/ssl/ssl_engine_kernel.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_log.c - Use the new macros to extract data fron connection_rec and use the server_rec stored in SSLConnRec instead of c->base_server whereever appropriate.

mod_ssl: Make the size of the per-dir-reneg request-body buffer configurable, by popular demand: * modules/ssl/ssl_private.h: Define DEFAULT_RENEG_BUFFER_SIZE. (SSLDirConfigRec): Add nRenegBufferSize field. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRenegBufferSize): New function. (ssl_config_perdir_create, ssl_config_perdir_merge): Handle nRenegBufferSize. * modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Take max buffer size as an argument rather than compile-time constant. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass nRenegBufferSize to ssl_io_buffer_fill. * modules/ssl/mod_ssl.c (ssl_config_cmds): Add SSLRenegBufferSize. PR: 39243

* modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a per-connection memory leak which occurs if the client indicates support for a compression algorithm in the initial handshake, and mod_ssl is linked against OpenSSL >= 0.9.8f. Thanks to Amund Elstad and Dr Stephen Henson for analysis of this issue.

Session cache interface redesign, Part 9: Switch mod_ssl to use the ap_socache interface. * modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c, modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove files. * modules/ssl/mod_ssl.c (modssl_register_scache): Remove function. * modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc. (SSLModConfigRec): Switch to using socache types. * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to use socache provider. * modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to using socache constants. * modules/ssl/config.m4: Drop distache/memcache configuration, remove old objects.

Avoid calling access control hooks for internal requests with configurations which match those of the initial request. Revert to the original behaviour (call access control hooks for internal requests with URIs different from the initial request) if any access control hooks or providers are not registered as permitting this optimization. Introduce wrappers for access control hook and provider registration which can accept additional mode and flag data. The configuration walk optimizations were originally proposed a while ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2); they have been used since then in production systems and appear to be stable and effective. They permit certain combinations of modules and clients to function efficiently, especially when a deeply recursive series of internal requests, such as those generated by certain WebDAV requests, are all subject to the identical authentication and authorization directives. The major change from the original proposal is a cleaner mechanism for detecting modules which may expect the old behaviour. This has been tested successfully with Subversion's mod_authz_svn, which specifically requires the old behaviour when performing path-based authorization based against its own private access control configuration files.

Session cache interface redesign, Part 5: Use the ap_provider interface for session cache storage providers. * modules/ssl/mod_ssl.c (modssl_register_scache): New function. (ssl_register_hooks): Call it. * modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP and MODSSL_SESSCACHE_PROVIDER_VERSION constants. Remove ssl_scmode_t type. Change nSessionCacheMode in SSLModConfigRec into a long sesscache_mode, storing the OpenSSL SSL_SESS_CACHE_* flags directly. * modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set sesscache_mode to SSL_SESS_CACHE_OFF by default. (ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured session cache by provider name. Set mc->sesscache_mode for configured providers. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the configured mode flags directly from mc->sesscache_mode.

mod_ssl: Add support for OCSP validation of client certificates: * modules/ssl/ssl_engine_config.c (modssl_ctx_init, modssl_ctx_cfg_merge): Initialize and merge OCSP config options. (ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder, ssl_cmd_SSLOCSPEnable): Add functions. * modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options. * modules/ssl/ssl_private.h: Add prototypes, config options to modssl_ctx_t. * modules/ssl/ssl_util_ocsp.c: New file, utility interface for dispatching OCSP requests. * modules/ssl/ssl_engine_ocsp.c: New file, interface for performing OCSP validation. * modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform OCSP validation if configured, and the cert is so-far verified to be trusted. Fail if OCSP validation is configured an the optional-no-ca check tripped. * modules/ssl/config.m4: Check for OCSP support, build new files. * modules/ssl/mod_ssl.dsp: Build new files. * modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP interfaces. PR: 41123 Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton Reviewed by: Steve Henson <steve openssl.org>

mod_ssl: Fix forever-broken TLS upgrade support; perform the upgrade in the post_read_request hook rather than in a filter, and fix the filter insertion issue: * modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function, mostly moved from ssl_io_filter_Upgrade. (ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if required. * modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove function. (ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec pointer and pass to ap_add_*_filter to ensure the filter chain is modified correctly; remove it from the filter afterwards. (ssl_io_filter_register): Drop UPGRADE_FILTER registration. * modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec pointer, pass to ssl_io_filter_init. (ssl_hook_pre_connection): Pass NULL request_rec pointer to above. (ssl_hook_Insert_Filter): Remove function. (ssl_register_hooks): Drop insert_filter hook. * modules/ssl/ssl_private.h: Update prototypes. PR: 41231

* modules/ssl/ssl_engine_vars.c (ssl_var_register): Take a pool argument; determine library version strings once at startup. (ssl_var_lookup_ssl_version): Drop 'pp' argument; use new global variables rather than modifying process-global state in a function which must be thread-safe. (all callers changed) * modules/ssl/mod_ssl.c (ssl_register_hooks): Pass pool to ssl_var_register.

ap_available_mutexes_string and ap_add_available_mutexes_string cannot be data symbols when mod_ssl is built as a loadable module; using an external string constant in a loadable module is not portable. Also reorganize file and sem to follow their explicit mechanisms, and ensured that the explicit mechansims are listed in order of preference. This raises a question, would [fcntl|file] be a clearer way of indiciating what the file/sem methods devolve to?

Once SSLMutex allowed for the setting of both the locking method and the lockfile location, I never liked how AcceptMutex was linked to LockFile. This seemed unnecessary. Much better to have AcceptMutex do both as well. Plus, now that we will likely see other modules require a "standard" way of setting mutexes, why not have Apache provide that as an API of sorts. Anyway, LockFile is now depreciated and AcceptMutex is now SSLMutex-like. We also provide a short function that "parses" out a mutex parameter and strips out the mechanism and lockfile location. AcceptMutex and SSLMutex is this capability.

* Fixed typo. No functional change.

Layout and compiler warning.

Add PKCS#7 support.

update license header text

New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ] configures the I/O Dump of SSL traffic, when LogLevel is set to Debug. The default is none as this is far greater debugging resolution than the typical administrator is prepared to untangle.

Update the copyright year in all .c, .h and .xml files

No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines

No functional change: simple detabbing of indented code.

- remove ssl_ext_lookup and replace it with ssl_ext_list - change ssl_expr_eval_oid to use ssl_ext_list This change provides for a singfle function that provides an array of all values from a certificate that match a given extension and removes the duplictaed code that was present. Reviewed by: Joe Orton

* modules/ssl/mod_ssl.c (ssl_hook_pre_config): Initialize all algorithms in OpenSSL; enables PKCS#8 keyfile support. PR: 35469

Allow extraction of the values of SSL certificate extensions into environment variables, so that their value can be used by any module that is aware of environment variables, as in: SetEnvIf OID("2.16.840.1.113730.1.13") "(.*) Generated (Certificate)" ca=$1 sets ca=TinyCA if the cert was issued by TinyCA. Similarly, SetenvIf OID("2.16.840.1.113730.1.13") "(.*)" NetscapeComment=$1 will set $NetscapeComment to the whole string. It is technically allowed to have multiple instances of an extension field, all with the same oid. In this case, the environment variable will be set to the list of all fields, separated by commas. The [PATCH] uses a cross-module call from mod_setenvif to mod_ssl (the latter may also be missing: in this case the variable will never be set). It calls a common function in the ssl module that is also used for the SSLRequire directive's test.

Good suggestion from a private Email. name changes.

Fix case where buggy OpenSSL internal cache continually grows. So don't bother to store it, but still force OpenSSL to provide a Session ID.

Fix issue where mod_ssl does not pick up the ssl-unclean-shutdown setting when configured e.g. as a reverse proxy: * modules/ssl/ssl_private.h: Remove ssl_hook_Translate. * modules/ssl/ssl_engine_kernel.c (ssl_hook_ReadReq): Merge in ssl_hook_Translate. (ssl_hook_Translate): Remove. * modules/ssl/mod_ssl.c (ssl_register_hooks): Ensure that _ReadReq hook runs after mod_setenvif.c; don't register translate_name hook. PR: 34452

Update copyright year to 2005 and standardize on current copyright owner line.

* modules/ssl/mod_ssl.c: Declare new config directives SSLCADNRequestFile and SSLCADNRequestPath. * modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path, ca_name_file fields. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA DN list sent in the CertificateRequest from those certificates. * modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use pcalloc to zero-initialize the entire modssl_pk_server_t structure. (ssl_config_server_new): Merge the ca_name_* fields. (ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New functions. PR: 32848 Submitted by: Tim Taylor <tim.taylor dfas.mil>

FINALLY Correct ap_http_method()! It is NOT a method, it's a SCHEME! Bumped mmn, and ap module cookie, for this function rename. It's not a deprecation, as ap_http_method would be a lovely function name sometime in the future: to determine what the function name implies.

Add -t -DDUMP_CERTS option to mod_ssl which dumps the filenames of all configured SSL certificates to stdout, useful for cron-ing through a "do I need to renew any of my certificates this week" tool: * modules/ssl/ssl_engine_config.c (ssl_hook_ConfigTest): New function. * modules/ssl/mod_ssl.c (ssl_register_hooks): ...register it as a test_config hook.

* modules/ssl/ssl_engine_io.c, modules/ssl/ssl_engine_kernel.c, modules/mod_ssl.c: Switch to using ap_log_cerror() in place of ap_log_error() everywhere that the conn_rec * is available.

Add a check for SSL_ENABLED_OPTIONAL to the http_method and default_port hook so that they return the correct values for an upgradeable connection.

Add "SSLUserName" directive to set r->user based on a chosen SSL environment variable name. * modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add szUserName field. * modules/ssl/ssl_engine_config.c (ssl_config_perdir_create, ssl_config_perdir_merge): Initialize and merge szUserName field. (ssl_cmd_SSLUserName): New function. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to the value of the chosen SSL environment variable. * modules/ssl/mod_ssl.c: Add SSLUserName config directive. PR: 20957 Submitted by: Martin v. Loewis <martin v.loewis.de>

Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag which uses the server's cipher preference order rather than the client's. * modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add cipher_server_pref field. * modules/ssl/ssl_engine_config.c (ssl_config_server_create, ssl_config_server_merge): Initialize and merge cipher_server_pref field. (ssl_cmd_SSLHonorCipherOrder): New function. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the context option SSL_OP_CIPHER_SERVER_PREFERENCE when required. PR: 28665 Submitted by: Jim Shneider <jschneid netilla.com>

Allow the enabled flag to be set to more that just TRUE or FALSE so that the OPTIONAL flag is correctly merged within the ssl_config_server_merge() function.

Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h to be included even when mod_ssl is not enabled. * Makefile.in (install-include): Only install mod_ssl.h. * modules/ssl/ssl_private.h: New file. * modules/ssl/mod_ssl.h: Move everything apart from than the optional hook definitions into ssl_private.h. * modules/ssl/*.c: Include ssl_private.h not mod_ssl.h * modules/ssl/config.m4: Always add the mod_ssl directory to the include path so other modules can find mod_ssl.h. * modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional hook definitions rather than copy'n'pasting them.

fix name of The Apache Software Foundation

fix copyright dates according to the first check in

apply Apache License, Version 2.0

update license to 2004.

We need the error strings loaded as early as possible

Extend mod_status output to include SSL session cache status information: * modules/ssl/mod_ssl.c (ssl_hook_pre_config): Call ssl_scache_status_register. * modules/ssl/ssl_scache.c (ssl_scache_status): Removed function. (ssl_ext_status_hook): Renamed from ssl_ext_ms_display: switch to 2.1's mod_status "status_hook" API. (ssl_scache_status_register): Register optional hook. * modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_status): Adjust to use new API. * modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_status): Adjust to use new API.

Sync with APR-util deprecated functions.

Fix missing human-readable error information in SSL log messages: * mod_ssl.c (ssl_cleanup_pre_config): Don't free the error strings, since they can't be loaded again once.

Make mod_ssl consistent with itself when you have a halfass install of openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice() is thrown away by the preprocessor if you're missing the header, so the call to it should have the same condition applied. otherwise, mod_ssl will fail to link.

Narrow the scope of several OPENSSL-specific setup and teardown calls to only OpenSSL based builds. Also introduce success result for the registered cleanup callback to clean up a compiler emit.

Reaction to Jeff Trawick's observations that we are double-initializing dynalinked OpenSSL Engines and Configs. Move the library teardown code so that it is torn down in the proper order, corresponding to when the library itself was initialized. And leave a little reminder that some memory diagnostics would be good if OpenSSL is built for malloc debugging. Suggested by: Geoff Thorpe

OPENSSL_load_builtin_modules -appears- to have been introduced in beta-1, but boy is this a hassle to determine without gstein's viewcvs ;-)

The right patch (thanks to Eric for identifying the wrong patch) to move SSL_library_init() into the register hooks phase. OpenSSL_add_ssl_algorithms devolves to SSL_library_init, which is the same for most toolkits (and would be accomodated in ssl_toolkit_config.h if not.)

Revert revision 1.81 which called non-existent SSL_load_library. No idea where this was seen, but OpenSSL 0.9.7b does not have this. This gets mod_ssl working again.

OpenSSL_add_all_algorithms is simply an alias for SSL_load_library. Note that the entire schema of what-we-load-how follows from OpenSSL 0.9.7's own apps/ example applications. More review is greatly desired, but that's where I believed I should start looking for the 'correct' order of operations.

Solve a pretty horrific bug in SSLCryptoDevice and other places where the config cmd processors should be examining the SSL context. We must initialize the SSL library before we can actually obtain any useful information from the SSL library.

Roll away the SSL_EXPERIMENTAL_ENGINE test in favor of testing for the ENGINE_init() function in config.m4, and rely on HAVE_ENGINE_INIT instead. Reviewed by: Ben Laurie (concept)

Right now SSLMutex is bogus. It just uses APR_LOCK_DEFAULT no matter what. We now allow for the full range of APR mutex locking mechanims to be used, while maintaining backwards compatibility. PR: 8122 Obtained from: Submitted by: Reviewed by: William Rowe

finished that boring job: update license to 2003. Happy New Year! ;-))

After introducing tests in the cmds, we lose the absolute authority of the CRYPTO_malloc_init() which must happen the moment we load the module and prior to *any* ssl library fn invocation. Moved the CRYPTO_malloc_init() into the ssl_register_hooks() function, the absolute first call made into any loaded module.

After some productive feedback and no negative feedback, introduce SSLEngine upgrade so that we can begin and continue to support these facilities. This makes it simpler to keep this effort (while we have no known clients that support Connection: upgrade at this time), and begin refactoring more of SSL into smaller and tighter (and then optional) components.

Merge the last of the 'filtering' functions into ssl_engine_io.c, merge ssl_abort into what was ssl_hook_CloseConnection, clean out a bunch of now-static or private headers from mod_ssl.h, and final fix a very small but potent segfault if ->pssl is destroyed within our read loop.

Close several small leaks in SSL. Submitted by: Zvi Har'El <rl@math.technion.ac.il> Reviewed by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

This stuff shouldn't have been committed. This is the SSL upgrade stuff, and it was included in a commit that shouldn't have touched these files.

Fix a compile of compiler warnings. I don't know how these slipped past. Also, uncomment a line of code that the last commit should have uncommented. Randall found this line and the fix, but I forgot to uncomment this line along with the fix.

Remove warnings seen with Sun's Forte compiler.

Remove all special mod_ssl URIs. This also fixes the bug where redirecting (.*) will allow an SSL protected page to be viewed without SSL.

stop using APLOG_NOERRNO in calls to ap_log_[pr]error()

Remove SSLLog and SSLLogLevel directives in favor of having mod_ssl use the standard ErrorLog directives.

Change mod_ssl from using ssl_log() to ap_log_error(). The issue is that ssl_log doesn't handle apr_status_t result codes. This leads to a number of places (esp. with mutexes) where the error codes get lost. Rather than extending ssl_log further, since mod_ssl is part of our core, migrate to ap_log_error. This means that mod_ssl no longer does its own logging. Most uses of SSL_ADD_ERRNO are now mapped correctly to apr_status_t values (mainly because the APIs that used to return errnos are now APRized and have apr_status_t codes available). SSL_LOG_TRACE and SSL_LOG_DEBUG were mapped to the APLOG_DEBUG values. mod_ssl prints out a LOT of debugging information, so mod_ssl with LogLevel Debug may not be a good idea - perhaps mod_ssl should be less chatty. Numerous printf type collisions were also resolved. (The ssl logging code itself will be removed in a subsequent commit.) This has been discussed on dev@httpd, but the fact that there isn't much to review besides the mindless changes, I'm going to commit now and rely on CTR if I screwed up anything on the translation.

Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new ssl_log_ssl_error() function that wraps ap_log_error instead. This begins the migration from ssl_log() -> ap_log_error(). Divorcing ourselves from the SSL_ADD_SSLERR option is required to make the next pass easier.

Revert optimization from circa 2.0.34 that caused very long vhost id's to be unusable with mod_ssl. PR: 8572

fix ProxyPass when frontend is https and backend is http

PR: Obtained from: Submitted by: Reviewed by: Ryan Bloom ap_remove_output_filter no longer works for connection filters. change logic in the case of "HTTP spoken on HTTPS port" to disable the ssl filters rather than attempt to remove the filters.

add SSLProxyCARevocation{File,Path} directives to support CRLs in the proxy

add SSLProxyEngine directive. this was not required in the 1.x based mod_ssl because the SSL_CTX was created and configured for *every* request. unlike in 2.0 where we configure the proxy SSL_CTX at startup time, which is much better for performance. but we don't want to configure a proxy context for every vhost if it isn't going to be used, for the same reasons we don't create a server context for every vhost unless SSLEngine is on.

removing old proxy extension code

in proxy mode we need to SSL_connect rather than SSL_accept in ssl_hook_process_connection.

add optional function (ssl_proxy_enable) to turn on ssl proxy choose SSL_CTX based on SSLConnRec.is_proxy

use ssl_cmd_verify_parse for SSLProxyVerify directive handler

enable proxy directives

breakup SSLSrvConfigRec in preparation for proxy support: + modssl_pk_server_t - certs/keys for the server + modssl_pk_proxy_t - certs/keys for the proxy + modssl_auth_ctx_t - stuff related to authentication that can also be per-dir, used by both server and proxy + modssl_ctx_t - context that can be used by both server and proxy + SSLSrvConfigRec - now contains original stuff specific to the server config and modssl_ctx_t *server, *proxy

de-hungarian-ize server config member names which are going to stay

per-dir SSLCACertificate{File,Path} cannot use SSL_CTX_set_cert_store as the 1.x based module does, since the function is not thread-safe. a patch has been submitted to OpenSSL to support SSL_set_cert_store which is thread safe. this feature is enabled by default in the current 1.x based module, we only enable it if the SSL_set_cert_store function is available.

Update our copyright for this year.

minor performance enhancement: no need to use md5 of VHostID for the session id, just use the VHostID itself.

dropping hungarian notation

minor style changes

no need to call SSL_clear() after SSL_new()

don't allocate SSLConnRec unless ssl is enabled on this vhost. also provides a shorter shortcut for mod_ssl hooks to decline if ssl is not enabled.

Introduce the PassPhraseDialog 'pipe' mechanism. This is the directive handling commit only, the mechanics patch will follow. PassPhraseDialog "|/path/to/pipe" will use the bidirectional pipe to have a 'conversation', along the lines of the tty dialog with PassPhraseDialog 'builtin'. This is entirely different than the 'exec' method, which simply runs once for each passphrase, and doesn't allow for failure/retries, and certainly doesn't offer any sensible 'dialog'.

Remove the install_transport_filters hook. The same function can be acheived with the pre_connection hook. I have added the socket to the pre_connection phase to make this possible. Reviewed by: Bill Stoddard

The pre_config hook now takes a return value. This allows modules to cause the server to bail out under error conditions.

the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth is happening. so avoid calling that unless needed and just stash a pointer to the client cert for the boolean checks that the client provided a cert. PR: Obtained from: Submitted by: Reviewed by:

calculate VHostID length at startup rather than request time. change ap_md5() call in ssl_hook_pre_connection() to ap_md5_binary() that uses the precalculated sc->nVHostID_length to avoid a strlen() call. PR: Obtained from: Submitted by: Reviewed by:

avoid calling ssl_util_vhostid() (and apr_sprintf underneath) at request time by calling it at startup time and saving the value in the SSLSrvConfigRec. PR: Obtained from: Submitted by: Reviewed by:

replace strlen(cpVHostMD5) with MD5_DIGESTSIZE*2 in ssl_hook_pre_connection() since we know the string returned by ap_md5() will always be that length PR: Obtained from: Submitted by: Reviewed by:

remove unused ssl::handshake::timeout references (core handles all timeouts) PR: Obtained from: Submitted by: Reviewed by:

avoid a couple of calls to ssl_util_vhostid() and apr_psprintf() unless loglevel >= SSL_LOG_INFO PR: Obtained from: Submitted by: Reviewed by:

get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl) change app_data2 to be the request_rec itself. if something needs per-request context in the future, it can use r->request_config PR: Obtained from: Submitted by: Reviewed by:

move c->notes.ssl::verify::depth to SSLConnRec.verify_depth note: may actually be removed unless somebody can figure out why it is in there to begin with PR: Obtained from: Submitted by: Reviewed by:

move c->notes.ssl::verify::{info,error} to SSLConnRec.verify_{info,error} PR: Obtained from: Submitted by: Reviewed by:

move c->notes.ssl::client::dn to SSLConnRec.client_dn PR: Obtained from: Submitted by: Reviewed by:

start moving c->notes usage to a new SSLConnRec structure hanging off of c->conn_config PR: Obtained from: Submitted by: Reviewed by: rbb, madhu

This is the mod_ssl input filtering rewrite. Lots of stuff here. I also changed some of the style issues within the filtering code to conform to the rest of the server. Various incarnations of this patch have been posted to dev@httpd without feedback. Now that it passes all of the httpd-test cases (with the exception of module/negotiation test which fails without mod_ssl anyway), it is time to check it in. Please review and test. We are under C-T-R rules, so I'm going to take advantage of that and commit it now. I have tested this about as much as I can and it seems to work from everything I can give to it. Considering that mod_ssl was broken before this commit, this is an improvement.

dont block when handling non-ssl request

Allow mod_ssl to send back an error message if an HTTP request is sent over an HTTPS connection. This also adds an ap_remove_input_filter function, which should be used to remove the SSL input filter in this case, as soon as this code is stressed a bit more. For right now, we are sending the same message that we used to send in mod_ssl for Apache 1.3.

enable i/o debugging

support "SSLVerifyClient optional_no_ca"

prevent double lookup of ssl::verify::error

Complete the rename of the ssl_scache_status_register and ssl_ext_proxy_register (which has yet to be renamed for it's future location, since I'm not going further at the moment with implementing it's functionallity, all my focus is on the ssl_var_register arm.)

Remove a ton o' cruft. Moves the mod_log_config 'var' extensions to ssl_engine_vars.c.

remove #if 0-ed ssl_hook_NewConnection code; was only left for reference, no longer needed remove #if 0-ed ssl_hook_TimeoutConnection code; ssl no longer talks directly to the socket PR: Obtained from: Submitted by: madhu Reviewed by: dougm

move some code duplication into ssl_abort() function

Enable ssl client authentication at SSL_accept time PR: Obtained from: Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> Reviewed by: dougm

Explicitly fix some types, and opt-out on macro conflicts

and swap Auth/UserCheck names to match the hook names, in hopes of preventing further foncusion

authentication/authorization hooks were backwards make authentication hook run APR_HOOK_FIRST for FakeBasicAuth PR: Obtained from: Submitted by: Reviewed by:

remove unused ssl_io_ functions

remove some unused hook code enable child init hook PR: Obtained from: Submitted by: Reviewed by:

at least make a note of SSL_R_HTTP_REQUEST error (until this is properly dealt with)

if ssl shutdown happens earlier than expected, filter code needs be aware

enable ssl Translate, UserCheck, Access and Auth hooks add support for renegotiation during the Access hook this requires hooking into the read and write SSL BIOs in order to flush data to the client and read from the filter chain this also requires that the ssl filters become "aware" that renegotitation is in progress so that the BIOs are left alone for SSL_renegotiate/SSL_do_handshake in ssl_hook_Access to deal with PR: Obtained from: Submitted by: Reviewed by:

enables the use of the ssl_var_lookup functionality in the various source files in modules/ssl. The ap_hook_* functions are still not yet ported to Apache 2.0 style Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

Activate ssl_hook_pre_config

Register for %X, %c (we gotta make a decision, please vote if you care... use %c's meaning from the historical SSL modules, or Bill Stoddard's connection-terminated meaning? One will have to give.)

Workaround till connection_hook details are resolved [MATHIHALLI,MADHUSUDAN <madhusudan_mathihalli@hp.com>]

Apply mod_ssl MEGA porting patch. This is a cleaned up version of the latest patches from Madhusudan which makes mod_ssl 95% working inside Apache 2.0. There is still a lot of more work (both porting and cleanup) to do be done. See modules/ssl/README for details. Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

dummy ssl hooks need to return an int value for server to function with mod_ssl compiled in

Fix typos

Change mostly all old module structure hooks and EAPI hooks to ap_hook_xxx equivalents. More work has to be done here to clean all this up and reduce to a minimum...

Activate the command_rec structure.

Integrate mod_ssl into the Autoconf facility. (currently only stub files are compiled)

mod_ssl integration step 2: transfer copyright of all code to ASF by using Apache Software License v1.1

Initial revision