6ccaafe6847128ba40aa20d2e389d23dbbbed06d 1670434 |
|
31-Mar-2015 |
jim |
More ALPN goodness |
da0e8dabb745dce2c403f2aa9aded8045c646c29 1670397 |
|
31-Mar-2015 |
jim |
ALPN support, based on mod_spdy/mod_h2 patch set |
e670b9648396d99ab737684f74e251d4a2e9b95b 1661487 |
|
22-Feb-2015 |
trawick |
Provide separate SSL_CT_*_STATUS variables for client vs. proxy
connections, courtesy of a new flag passed from mod_ssl on its
pre_connection "optional hook." |
f0ed8386200af077d3151eed8724d68b35884f1e 1650310 |
|
08-Jan-2015 |
rjung |
Add SSLSessionTickets (on|off).
It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).
Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.
As long as we do not have a nice key management
there should be a way to deactivate session
tickets. |
28a2a3f8cc81354f027a4ac95abbbcd9e190db3f 1638772 |
|
12-Nov-2014 |
jkaluza |
* mod_ssl: call ERR_free_strings() with OpenSSL >= 0.9.8e. Fixes memory leak
in mod_ssl on graceful restart. PR 53435. |
5716f9c6daa92dde5f2f9d11ed63f7c9549c223a 1587607 |
|
15-Apr-2014 |
trawick |
mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling. See
mod_ssl_openssl.h.
This is enough to allow implementation of Certificate Transparency
outside of mod_ssl. |
1716538bf2c1a52278afc6830c84f4f232329d1a 1583191 |
|
30-Mar-2014 |
ylavic |
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233. |
5d59b45268c4cd29c489e897e14b31e77f276b05 1544784 |
|
23-Nov-2013 |
kbrand |
Remove SSLPKCS7CertificateFile support:
- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
be trivially converted to a file for use with SSLCertificateChainFile
(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
call missing from modssl_ctx_cfg_merge |
ac0c8366f49659958162b4bfb3d625a77343eda3 1527294 |
|
29-Sep-2013 |
kbrand |
Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):
- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
#ifndef OPENSSL_NO_X lines accordingly
For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E |
3ccfc257819b3bad063cd3ac9dd1670d5d2ae4d2 1526168 |
|
25-Sep-2013 |
kbrand |
Streamline ephemeral key handling:
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E |
807c436563a054c3513648163fd2e36612b68c9a 1509983 |
|
03-Aug-2013 |
trawick |
SSLCompression help text:
add missing space between directive description and syntax |
73c7bbd51ac1420b4bb98d1c8b3cc97d57f21c56 1487775 |
|
30-May-2013 |
jorton |
Remove unnecessary global declarations of optional function
implementations:
* modules/ssl/mod_ssl.c (ssl_proxy_enable, ssl_engine_disable): Mark
static.
* modules/ssl/ssl_private.h (ssl_proxy_enable, ssl_engine_disable):
Remove declarations. |
8a2483ae14c7d9c1ee21a92e4251202456af5747 1487772 |
|
30-May-2013 |
jorton |
mod_ssl: Redesign NPN (Next Protocol Negotiation) API to avoid use of
hooks API and inter-module hard linkage:
* modules/ssl/mod_ssl.h: Remove NPN hooks, add "modssl_register_npn"
optional function and callback function type declarations for
ssl_npn_advertise_protos, ssl_npn_proto_negotiated.
* modules/ssl/mod_ssl.c: Drop hooks.
(modssl_register_npn): New optional function implementation.
(ssl_register_hooks): Register it.
* modules/ssl/ssl_private.h (SSLConnRec): Add npn_advertfns,
npn_negofns array fields.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
Replace use of hook API with array iteration.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Likewise.
Reviewed by: Matthew Steele <mdsteele google.com> |
9f75646ed2590d08ba8dc74e4e40a24e4d27de83 1468131 |
|
15-Apr-2013 |
kbrand |
revert r1352596, for the reasons explained in
https://mail-archives.apache.org/mod_mbox/httpd-dev/201304.mbox/%3C515FED7C.5010009%40velox.ch%3E |
1cb35ac84e3ff37ec77837d1e3702a74604ab6f0 1451108 |
|
28-Feb-2013 |
fuankg |
Removed tabs. |
c12917da693bae4028a1d5a5e8224bceed8c739d 1442307 |
|
04-Feb-2013 |
sf |
Avoid valgrind warnings in mod_ssl random number generator
We intentionally add uninitialized stack memory. To avoid warnings,
make valgrind believe that the memory is defined.
Add configure option to enable valgrind support |
d58a822aff1dfda25384d3d009f88f1883c95436 1425874 |
|
26-Dec-2012 |
kbrand |
mod_ssl: add support for subjectAltName-based host name checking in proxy mode
(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY |
1366443dc565c33e7b449ae428bbfc4c86f33935 1421323 |
|
13-Dec-2012 |
drh |
Add support for OpenSSL configuration commands. |
aafba4d7e3ecc7fcaa87efa8d7fae3e700d2428b 1421305 |
|
13-Dec-2012 |
drh |
Avoid use of deprecated functions for OpenSSL version >= 1.0 |
1519712c64bd54930638aba716230de1e2f3d899 1374941 |
|
20-Aug-2012 |
fuankg |
Removed trailing semicolons. |
0ad39f9cb23f1633ac0b58cf32da3acc16e1ae50 1352596 |
|
21-Jun-2012 |
ben |
RFC 5878 support. |
099c357f282d4aebf2b32264f7dce6ffc0497c37 1347980 |
|
08-Jun-2012 |
sf |
Add support for TLS-SRP (Secure Remote Password key exchange
for TLS, RFC 5054).
PR: 51075
Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou,
Peter Sylvester |
d9b079a6dd66d36313be56f859c8c61153146527 1345319 |
|
01-Jun-2012 |
sf |
Add new directive SSLCompression to disable SSL-level compression.
PR: 53219
Submitted by: Björn Jacke <bjoern j3e de>, Stefan Fritsch |
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8 1332643 |
|
01-May-2012 |
jorton |
Add support for TLS Next Protocol Negotiation:
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
hooks for next protocol advertisement/discovery.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
NPN advertisement callback in handshake.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
next-protocol discovery hook.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
New callback.
* modules/ssl/ssl_private.h: Add prototype.
Submitted by: Matthew Steele <mdsteele google.com>
with slight tweaks by jorton |
1fd6337111a9607570691e38857dcece7fb84abe 1225791 |
|
30-Dec-2011 |
kbrand |
Fix another case of #ifdef-within-a-macro (which was inadvertently
introduced a few days ago). |
a1de5cf47c9ccfbf493264e8a3fa7ddd5a9c80d1 1222921 |
|
24-Dec-2011 |
kbrand |
SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when
compiled against OpenSSL 1.0.1 or later. Update documentation. |
7a4e3510f3516132ff057ac986fd6350164b7950 1213380 |
|
12-Dec-2011 |
kbrand |
Streamline TLS session ticket key handling (added in r1200040):
- drop the SSLTicketKeyDefault directive, and only support a single
ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile |
185aa71728867671e105178b4c66fbc22b65ae26 1209766 |
|
03-Dec-2011 |
sf |
Add lots of unique tags to error log messages |
df8ef9cef9dbbf5217ee38751f4bab63e14588d6 1200040 |
|
10-Nov-2011 |
pquerna |
Add support for RFC 5077 TLS Session tickets. This adds two new directives:
* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers. |
11e076839c8d5a82d55e710194d0daac51390dbd 1174929 |
|
23-Sep-2011 |
sf |
More cleanup: Expand tabs and some more indentation fixes
No functional change |
77504f17963a8dd941a921d9ddfa25ddb0f348d6 1165056 |
|
04-Sep-2011 |
kbrand |
Revamp CRL checking for client and remote servers:
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past |
44985e4f931d3a75a7e5108705010cc21605ee34 1160863 |
|
23-Aug-2011 |
druggeri |
Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812 |
292707b9868335763d6f2bb74a263134eeeb8cad 1154688 |
|
07-Aug-2011 |
kbrand |
Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only. |
4281cf6a722c99ae21394dc2000bd48efcebdb3a 1154683 |
|
07-Aug-2011 |
kbrand |
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.
Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups). |
2ce2fc3287632e20f1b8759aa17e571f68c6fe6d 1137394 |
|
19-Jun-2011 |
sf |
Avoid unnecessary renegotiations with SSLVerifyDepth 0.
PR: 48215
Submitted by: Kaspar Brand <asfbugz velox ch> |
a2558ec3af4391b7da7fe61e1e53383bbd0174b9 1059917 |
|
17-Jan-2011 |
jorton |
* modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h: Add
config hooks for OCSP response time skew, maximum age, timeout.
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Respect
config settings for above.
* docs/: Update accordingly.
Submitted by: Kaspar Brand <httpd-dev.2011 velox.ch> |
8fae12696bce44be9ce4c56888690cad8ac7b8f9 1032073 |
|
06-Nov-2010 |
sf |
Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted |
fc58f0ff708564b67cd578c626b6500d1cd63a51 1002837 |
|
29-Sep-2010 |
sf |
Add authz providers for use with mod_authz_core and its RequireAny/RequireAll
containers:
'ssl' (equivalent to SSLRequireSSL)
'ssl-verify-client' (for use with 'SSLVerifyClient optional')
'ssl-require' (expressions with same syntax as SSLRequire)
We may decide to axe 'ssl-require' again in favor of the generic 'expr'
provider, depending on the development of the ap_expr parser. |
26cc83458a27220d116be2e0d6db117285571b51 951904 |
|
06-Jun-2010 |
sf |
Replace LogLevelDebugDump with TRACE log levels |
baa6746bc66ff1daa1852a3a085906d2dfa96bb6 951194 |
|
04-Jun-2010 |
sf |
Introduce SSLLOG_MARK for use with ssl_log_ssl_error(). This will allow to
redefine APLOG_MARK later. |
e9eabac76b50e8f00d0c391f6070d0f42db77aa2 925980 |
|
22-Mar-2010 |
wrowe |
Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'.
PR: 46270
Submitted by: Dr Stephen Henson <steve openssl.org>, wrowe |
2792780a6fb0951dc304b940ba9274ed1e37fe26 907472 |
|
07-Feb-2010 |
wrowe |
Style guides at httpd are pretty clear, macro values are UPCASE, please? |
2b4e45d87889ab2f6b432690cc993a42bc607faf 906039 |
|
03-Feb-2010 |
jorton |
New releases of OpenSSL will only allow secure renegotiation by
default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition. |
11f2c481e1d57bedb3f758565307501e9a2730dd 883540 |
|
24-Nov-2009 |
trawick |
Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead.
Some existing modules, such as mod_ldap and mod_auth_digest gain
configurability for their mutexes. |
ea6ff3396df1d6d43ee0ecfa3e26ada981d8e9a3 834378 |
|
10-Nov-2009 |
sctemme |
enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme] |
89b8bbc89404e7071e573c4f0a17f528996e855d 829619 |
|
25-Oct-2009 |
jorton |
Add support for OCSP "stapling":
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org> |
7988a91d9a1c6413f2c1a2138847f513d20de856 821621 |
|
04-Oct-2009 |
fuankg |
replaced all backticks with single quotes in output strings. |
681d773821cf3ac791ea88ffd07c0d7ea42864f2 770907 |
|
02-May-2009 |
rpluem |
* As proposed by wrowe on list always define SSLStrictSNIVHostCheck, but error
out if we are not compiled against an SNI capable OpenSSL. |
e3715027f352040ef98da03359b00f13ddb506cb 768596 |
|
25-Apr-2009 |
rpluem |
* Add SSLStrictSNIVHostCheck to allow / disallow non SNI clients to connect to
name based virtual hosts. |
8f2700898323915da289644dc1f3ee11a5e5b4ea 760866 |
|
01-Apr-2009 |
rpluem |
* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote servers certificate is expired / if there is a
mismatch between the requested hostanme and the remote server certificates
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. |
807c9f7266ad3a966b6714fe578f3c9da1ca868b 757463 |
|
23-Mar-2009 |
rpluem |
* Store the correct server_rec in the connection record configuration and
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data fron connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server whereever appropriate. |
509111f5f58a9effd4c832f6a0cbd6ad9d549188 726109 |
|
12-Dec-2008 |
jorton |
mod_ssl: Make the size of the per-dir-reneg request-body buffer
configurable, by popular demand:
* modules/ssl/ssl_private.h: Define DEFAULT_RENEG_BUFFER_SIZE.
(SSLDirConfigRec): Add nRenegBufferSize field.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRenegBufferSize): New
function.
(ssl_config_perdir_create, ssl_config_perdir_merge): Handle
nRenegBufferSize.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Take max buffer
size as an argument rather than compile-time constant.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass
nRenegBufferSize to ssl_io_buffer_fill.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add SSLRenegBufferSize.
PR: 39243 |
a73ec375db18806018eabc968baa85b250bbbf5d 654119 |
|
07-May-2008 |
jorton |
* modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): Remove the call to
CRYPTO_cleanup_all_ex_data here, fixing a per-connection memory leak
which occurs if the client indicates support for a compression
algorithm in the initial handshake, and mod_ssl is linked against
OpenSSL >= 0.9.8f.
Thanks to Amund Elstad and Dr Stephen Henson for analysis of this
issue. |
1e046c430fedc2d319088d925fd044710b3596b9 645940 |
|
08-Apr-2008 |
jorton |
Session cache interface redesign, Part 9:
Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects. |
a72211e92bab814bfa28ee086ca9b2a1a6095c92 644525 |
|
03-Apr-2008 |
chrisd |
Avoid calling access control hooks for internal requests with
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files. |
1660a5facf5797acb7aa1300f5ef86756a0bf493 631000 |
|
25-Feb-2008 |
jorton |
Session cache interface redesign, Part 5:
Use the ap_provider interface for session cache storage providers.
* modules/ssl/mod_ssl.c (modssl_register_scache): New function.
(ssl_register_hooks): Call it.
* modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP
and MODSSL_SESSCACHE_PROVIDER_VERSION constants.
Remove ssl_scmode_t type. Change nSessionCacheMode in
SSLModConfigRec into a long sesscache_mode, storing the OpenSSL
SSL_SESS_CACHE_* flags directly.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set
sesscache_mode to SSL_SESS_CACHE_OFF by default.
(ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured
session cache by provider name. Set mc->sesscache_mode for
configured providers.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the
configured mode flags directly from mc->sesscache_mode. |
39c7699ec0799d394d3f67145d4a12ed82f587b8 599385 |
|
29-Nov-2007 |
jorton |
mod_ssl: Add support for OCSP validation of client certificates:
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured an the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org> |
4ede070ca63bd4c48045e35a7192582769770290 592446 |
|
06-Nov-2007 |
jorton |
mod_ssl: Fix forever-broken TLS upgrade support; perform the upgrade
in the post_read_request hook rather than in a filter, and fix the
filter insertion issue:
* modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
mostly moved from ssl_io_filter_Upgrade.
(ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
required.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
function.
(ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
pointer and pass to ap_add_*_filter to ensure the filter chain
is modified correctly; remove it from the filter afterwards.
(ssl_io_filter_register): Drop UPGRADE_FILTER registration.
* modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec
pointer, pass to ssl_io_filter_init.
(ssl_hook_pre_connection): Pass NULL request_rec pointer to above.
(ssl_hook_Insert_Filter): Remove function.
(ssl_register_hooks): Drop insert_filter hook.
* modules/ssl/ssl_private.h: Update prototypes.
PR: 41231 |
17f61d2695369a9b62bc0e5f38e9c4d23eebc664 591384 |
|
02-Nov-2007 |
jorton |
* modules/ssl/ssl_engine_vars.c (ssl_var_register): Take a pool
argument; determine library version strings once at startup.
(ssl_var_lookup_ssl_version): Drop 'pp' argument; use new global
variables rather than modifying process-global state in a function
which must be thread-safe. (all callers changed)
* modules/ssl/mod_ssl.c (ssl_register_hooks): Pass pool to
ssl_var_register. |
c95d39bd1b86b856ca72485516e7b2e61008fe96 568833 |
|
23-Aug-2007 |
wrowe |
ap_available_mutexes_string and ap_add_available_mutexes_string
cannot be data symbols when mod_ssl is built as a loadable module;
using an external string constant in a loadable module is not portable.
Also reorganize file and sem to follow their explicit mechanisms,
and ensured that the explicit mechansims are listed in order of
preference.
This raises a question, would [fcntl|file] be a clearer way of
indiciating what the file/sem methods devolve to? |
67139e2d50d1e11558d87f7042f61cb04bb0d1d2 467326 |
|
24-Oct-2006 |
jim |
Once SSLMutex allowed for the setting of both the
locking method and the lockfile location, I never
liked how AcceptMutex was linked to LockFile. This
seemed unnecessary. Much better to have AcceptMutex
do both as well. Plus, now that we will likely see
other modules require a "standard" way of setting
mutexes, why not have Apache provide that as
an API of sorts.
Anyway, LockFile is now depreciated and AcceptMutex
is now SSLMutex-like. We also provide a short
function that "parses" out a mutex parameter
and strips out the mechanism and lockfile location.
AcceptMutex and SSLMutex is this capability. |
3a8856c9ca9e996d3a1fae2c65943c35eed97481 425052 |
|
24-Jul-2006 |
rpluem |
* Fixed typo. No functional change. |
e0c3fda9f782aee1140d83fbce32672ac299f2a4 424735 |
|
23-Jul-2006 |
ben |
Layout and compiler warning. |
176c2742db03fcb7b7d13e6408dd967d87e542e9 424707 |
|
23-Jul-2006 |
ben |
Add PKCS#7 support. |
842ae4bd224140319ae7feec1872b93dfd491143 420983 |
|
11-Jul-2006 |
fielding |
update license header text |
3c36b0324c8486306904c84eb0264affc45ed56c 416265 |
|
22-Jun-2006 |
wrowe |
New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle. |
3d81f57512275ca06a60a9bcbd23c1f8b429fdf2 395228 |
|
19-Apr-2006 |
colm |
Update the copyright year in all .c, .h and .xml files |
e8f95a682820a599fe41b22977010636be5c2717 332306 |
|
10-Nov-2005 |
jim |
No functional Change: Removing trailing whitespace. This also
means that "blank" lines consisting of just spaces or
tabs are now really blank lines |
43c3e6a4b559b76b750c245ee95e2782c15b4296 332305 |
|
10-Nov-2005 |
jim |
No functional change: simple detabbing of indented code. |
93be7f634f9ab62b564793ca2872d460190a02ba 289444 |
|
16-Sep-2005 |
dreid |
- remove ssl_ext_lookup and replace it with ssl_ext_list
- change ssl_expr_eval_oid to use ssl_ext_list
This change provides for a singfle function that provides an array of all
values from a certificate that match a given extension and removes the
duplictaed code that was present.
Reviewed by: Joe Orton |
8a5120efd60acf0323371cb30cba489723b03819 226777 |
|
01-Aug-2005 |
jorton |
* modules/ssl/mod_ssl.c (ssl_hook_pre_config): Initialize all
algorithms in OpenSSL; enables PKCS#8 keyfile support.
PR: 35469 |
713b1ebd69defeb9e7a9507d2784dd1bd8cf32ac 220307 |
|
22-Jul-2005 |
martin |
Allow extraction of the values of SSL certificate extensions into
environment variables, so that their value can be used by any
module that is aware of environment variables, as in:
SetEnvIf OID("2.16.840.1.113730.1.13") "(.*) Generated (Certificate)" ca=$1
sets
ca=TinyCA
if the cert was issued by TinyCA.
Similarly,
SetenvIf OID("2.16.840.1.113730.1.13") "(.*)" NetscapeComment=$1
will set $NetscapeComment to the whole string.
It is technically allowed to have multiple instances of an extension
field, all with the same oid. In this case, the environment variable
will be set to the list of all fields, separated by commas.
The [PATCH] uses a cross-module call from mod_setenvif to
mod_ssl (the latter may also be missing: in this case the
variable will never be set). It calls a common function
in the ssl module that is also used for the SSLRequire
directive's test. |
42167da203d969a1402cf7ce09c14586c04af1df 209827 |
|
08-Jul-2005 |
jim |
Good suggestion from a private Email. name changes. |
81ebf4d4f943d1ec988dd10105354e510c2da1d8 209821 |
|
08-Jul-2005 |
jim |
Fix case where buggy OpenSSL internal cache continually grows.
So don't bother to store it, but still force OpenSSL
to provide a Session ID. |
825479074daa2c65852666c4b26d771dff957507 161958 |
|
19-Apr-2005 |
jorton |
Fix issue where mod_ssl does not pick up the ssl-unclean-shutdown
setting when configured e.g. as a reverse proxy:
* modules/ssl/ssl_private.h: Remove ssl_hook_Translate.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_ReadReq): Merge in
ssl_hook_Translate. (ssl_hook_Translate): Remove.
* modules/ssl/mod_ssl.c (ssl_register_hooks): Ensure that _ReadReq
hook runs after mod_setenvif.c; don't register translate_name hook.
PR: 34452 |
08cb74ca432a8c24e39f17dedce527e6a47b8001 151408 |
|
04-Feb-2005 |
jerenkrantz |
Update copyright year to 2005 and standardize on current copyright owner line. |
e335319a08e12eb7daff9afa80e985dc53f652b8 125165 |
|
14-Jan-2005 |
jorton |
* modules/ssl/mod_ssl.c: Declare new config directives
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil> |
7b6ba9c468f26bdb3492d5e8cb79628a3b04e8c8 123882 |
|
02-Jan-2005 |
wrowe |
FINALLY Correct ap_http_method()! It is NOT a method, it's a SCHEME!
Bumped mmn, and ap module cookie, for this function rename.
It's not a deprecation, as ap_http_method would be a lovely function
name sometime in the future: to determine what the function name implies. |
d2ffb32434f79782ff7a364ffa31064698c5c645 105741 |
|
10-Nov-2004 |
jorton |
Add -t -DDUMP_CERTS option to mod_ssl which dumps the filenames of all
configured SSL certificates to stdout, useful for cron-ing through a
"do I need to renew any of my certificates this week" tool:
* modules/ssl/ssl_engine_config.c (ssl_hook_ConfigTest): New function.
* modules/ssl/mod_ssl.c (ssl_register_hooks): ...register it as a
test_config hook. |
2261f694ce2fc09f9df6c65bd8e1f4230313696b 105739 |
|
10-Nov-2004 |
jorton |
* modules/ssl/ssl_engine_io.c, modules/ssl/ssl_engine_kernel.c,
modules/mod_ssl.c: Switch to using ap_log_cerror() in place of
ap_log_error() everywhere that the conn_rec * is available. |
2f32a3d146dc55d81b31660386e17c3b83ad61b8 105426 |
|
13-Oct-2004 |
bnicholes |
Add a check for SSL_ENABLED_OPTIONAL to the http_method and default_port hook so that they return the correct values for an upgradeable connection. |
f84d3d83a741c21154d42e0ebdec9b9b37efeedc 103834 |
|
03-Jun-2004 |
jorton |
Add "SSLUserName" directive to set r->user based on a chosen SSL
environment variable name.
* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.
* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
the value of the chosen SSL environment variable.
* modules/ssl/mod_ssl.c: Add SSLUserName config directive.
PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de> |
7efe7de73c89c26518714a504359244d03cfbbc5 103832 |
|
03-Jun-2004 |
jorton |
Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag
which uses the server's cipher preference order rather than the
client's.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.
PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com> |
ccbf65bf19ac58a396133923aee4597e0870ec47 102859 |
|
05-Mar-2004 |
bnicholes |
Allow the enabled flag to be set to more that just TRUE or FALSE so that
the OPTIONAL flag is correctly merged within the
ssl_config_server_merge() function. |
70535d6421eb979ac79d8f49d31cd94d75dd8b2f 102803 |
|
28-Feb-2004 |
jorton |
Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them. |
78cd48acd325773619d78ac0d7263a99a8922fae 102618 |
|
09-Feb-2004 |
nd |
fix name of The Apache Software Foundation |
460e3d5eb142dab19f47842c85d0a522aab49b68 102573 |
|
08-Feb-2004 |
nd |
fix copyright dates according to the first check in |
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dc 102525 |
|
06-Feb-2004 |
nd |
apply Apache License, Version 2.0 |
26a4456dd6f1a5d7d7fff766551461a578687c4a 102135 |
|
01-Jan-2004 |
nd |
update license to 2004. |
93350a0dfa22a2c523cdcbad3357327013ecc145 102067 |
|
15-Dec-2003 |
martin |
We need the error strings loaded as early as possible |
8dc154408549195c828b823e9dc7396f107f2512 101889 |
|
25-Nov-2003 |
jorton |
Extend mod_status output to include SSL session cache status
information:
* modules/ssl/mod_ssl.c (ssl_hook_pre_config): Call
ssl_scache_status_register.
* modules/ssl/ssl_scache.c (ssl_scache_status): Removed function.
(ssl_ext_status_hook): Renamed from ssl_ext_ms_display: switch to
2.1's mod_status "status_hook" API.
(ssl_scache_status_register): Register optional hook.
* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_status): Adjust to use
new API.
* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_status): Adjust
to use new API. |
d0ba3b97557d47323bd055fb4002ed7692f703b9 101789 |
|
16-Nov-2003 |
jerenkrantz |
Sync with APR-util deprecated functions. |
56bd16e394f49423a22aa82643eb27f26db2c748 101624 |
|
30-Oct-2003 |
jorton |
Fix missing human-readable error information in SSL log messages:
* mod_ssl.c (ssl_cleanup_pre_config): Don't free the error strings,
since they can't be loaded again once. |
53c239bee62c6d55b5ddfba5d99376d4c8de924e 100970 |
|
12-Aug-2003 |
jwoolley |
Make mod_ssl consistent with itself when you have a halfass install of
openssl-engine (ie, you're missing the headers). ssl_cmd_SSLCryptoDevice()
is thrown away by the preprocessor if you're missing the header, so the
call to it should have the same condition applied. otherwise, mod_ssl
will fail to link. |
239dd0cf663713025d4451ddd465685021007d82 100348 |
|
24-Jun-2003 |
wrowe |
Narrow the scope of several OPENSSL-specific setup and teardown calls
to only OpenSSL based builds.
Also introduce success result for the registered cleanup callback
to clean up a compiler emit. |
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7 100288 |
|
17-Jun-2003 |
wrowe |
Reaction to Jeff Trawick's observations that we are double-initializing
dynalinked OpenSSL Engines and Configs. Move the library teardown code
so that it is torn down in the proper order, corresponding to when the
library itself was initialized. And leave a little reminder that some
memory diagnostics would be good if OpenSSL is built for malloc debugging.
Suggested by: Geoff Thorpe |
e13735ceb2025ea8ed0c530093e13fe57b62f1ef 100211 |
|
11-Jun-2003 |
wrowe |
OPENSSL_load_builtin_modules -appears- to have been introduced in beta-1,
but boy is this a hassle to determine without gstein's viewcvs ;-) |
2c038bf2465bf2150c396f4e67f68ebc5bb9e6e9 100136 |
|
02-Jun-2003 |
wrowe |
The right patch (thanks to Eric for identifying the wrong patch) to move
SSL_library_init() into the register hooks phase. OpenSSL_add_ssl_algorithms
devolves to SSL_library_init, which is the same for most toolkits (and would
be accomodated in ssl_toolkit_config.h if not.) |
11bb306b88016c3896fcf5de0c2c4b8cde0cd006 100122 |
|
31-May-2003 |
jerenkrantz |
Revert revision 1.81 which called non-existent SSL_load_library.
No idea where this was seen, but OpenSSL 0.9.7b does not have this. This
gets mod_ssl working again. |
80701ce2c337a94aea6eb56bb29236709651f44a 100110 |
|
30-May-2003 |
wrowe |
OpenSSL_add_all_algorithms is simply an alias for SSL_load_library.
Note that the entire schema of what-we-load-how follows from
OpenSSL 0.9.7's own apps/ example applications. More review
is greatly desired, but that's where I believed I should
start looking for the 'correct' order of operations. |
b5451913a64155af2eab4f12ecbaf16e15acafc3 100107 |
|
30-May-2003 |
wrowe |
Solve a pretty horrific bug in SSLCryptoDevice and other places where
the config cmd processors should be examining the SSL context. We must
initialize the SSL library before we can actually obtain any useful
information from the SSL library. |
6b973f74bcd9dc4888b408e65e355228bbf20364 99919 |
|
19-May-2003 |
wrowe |
Roll away the SSL_EXPERIMENTAL_ENGINE test in favor of testing for the
ENGINE_init() function in config.m4, and rely on HAVE_ENGINE_INIT instead.
Reviewed by: Ben Laurie (concept) |
0c44ed1cffad38b900b39e8c65996b9b9cff061d 98771 |
|
23-Feb-2003 |
jim |
Right now SSLMutex is bogus. It just uses APR_LOCK_DEFAULT no
matter what. We now allow for the full range of APR mutex
locking mechanims to be used, while maintaining backwards
compatibility.
PR: 8122
Obtained from:
Submitted by:
Reviewed by: William Rowe |
33bdcae1f7a1a65e351dda2a766a0cf28b1e695d 98573 |
|
03-Feb-2003 |
nd |
finished that boring job:
update license to 2003.
Happy New Year! ;-)) |
8aced0b621ea45e8621c7073b0bfbe5ea91c2329 98252 |
|
13-Jan-2003 |
wrowe |
After introducing tests in the cmds, we lose the absolute authority
of the CRYPTO_malloc_init() which must happen the moment we load the
module and prior to *any* ssl library fn invocation.
Moved the CRYPTO_malloc_init() into the ssl_register_hooks() function,
the absolute first call made into any loaded module. |
e726f34f8da08c01ee8bc90904b26196b69c8587 97913 |
|
14-Dec-2002 |
wrowe |
After some productive feedback and no negative feedback, introduce
SSLEngine upgrade so that we can begin and continue to support these
facilities. This makes it simpler to keep this effort (while we have
no known clients that support Connection: upgrade at this time), and
begin refactoring more of SSL into smaller and tighter (and then optional)
components. |
fbb20edcfd2e261e216e062851ed2ecf19df9322 97411 |
|
05-Nov-2002 |
wrowe |
Merge the last of the 'filtering' functions into ssl_engine_io.c, merge
ssl_abort into what was ssl_hook_CloseConnection, clean out a bunch of
now-static or private headers from mod_ssl.h, and final fix a very small
but potent segfault if ->pssl is destroyed within our read loop. |
40ec097fc670e8068b2342d2cd00247fb1ae2645 97340 |
|
29-Oct-2002 |
wrowe |
Close several small leaks in SSL.
Submitted by: Zvi Har'El <rl@math.technion.ac.il>
Reviewed by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> |
b5a0ddd6e5e1cab1e2b61aa233fcad6fcee511f5 97201 |
|
14-Oct-2002 |
rbb |
This stuff shouldn't have been committed. This is the SSL upgrade stuff,
and it was included in a commit that shouldn't have touched these files. |
4d88cba691cf0cc222161dc403067071eca58751 97179 |
|
11-Oct-2002 |
rbb |
Fix a compile of compiler warnings. I don't know how these slipped past.
Also, uncomment a line of code that the last commit should have uncommented.
Randall found this line and the fix, but I forgot to uncomment this line
along with the fix. |
f4c472b8dce3c2e559232dbb5b27ed2466922ea4 96818 |
|
15-Sep-2002 |
jerenkrantz |
Remove warnings seen with Sun's Forte compiler. |
ad668861e40da485f2eea24dc4c1f9940e470698 95501 |
|
04-Jun-2002 |
rbb |
Remove all special mod_ssl URIs. This also fixes the bug where
redirecting (.*) will allow an SSL protected page to be viewed
without SSL. |
1cde33c7e2019830f8fb3224e01649305583916e 95150 |
|
17-May-2002 |
trawick |
stop using APLOG_NOERRNO in calls to ap_log_[pr]error() |
e6e65585927961caf45d4e9e932bb1f4e9e89ca1 95129 |
|
16-May-2002 |
jerenkrantz |
Remove SSLLog and SSLLogLevel directives in favor of having mod_ssl use the
standard ErrorLog directives. |
d12ae8e4992cea4901eed3035335ce3a6533f003 95127 |
|
16-May-2002 |
jerenkrantz |
Change mod_ssl from using ssl_log() to ap_log_error().
The issue is that ssl_log doesn't handle apr_status_t result codes. This
leads to a number of places (esp. with mutexes) where the error codes get
lost. Rather than extending ssl_log further, since mod_ssl is part of
our core, migrate to ap_log_error. This means that mod_ssl no longer
does its own logging.
Most uses of SSL_ADD_ERRNO are now mapped correctly to apr_status_t values
(mainly because the APIs that used to return errnos are now APRized and
have apr_status_t codes available).
SSL_LOG_TRACE and SSL_LOG_DEBUG were mapped to the APLOG_DEBUG values.
mod_ssl prints out a LOT of debugging information, so mod_ssl with LogLevel
Debug may not be a good idea - perhaps mod_ssl should be less chatty.
Numerous printf type collisions were also resolved.
(The ssl logging code itself will be removed in a subsequent commit.)
This has been discussed on dev@httpd, but the fact that there isn't
much to review besides the mindless changes, I'm going to commit now
and rely on CTR if I screwed up anything on the translation. |
e16695d440d82ec6f9a4b9af18ae38dbeaa19366 95122 |
|
16-May-2002 |
jerenkrantz |
Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
ssl_log_ssl_error() function that wraps ap_log_error instead.
This begins the migration from ssl_log() -> ap_log_error(). Divorcing
ourselves from the SSL_ADD_SSLERR option is required to make the next
pass easier. |
469549ac22c6f7b9ecdd9df2565925563e4df84d 94881 |
|
30-Apr-2002 |
jwoolley |
Revert optimization from circa 2.0.34 that caused very long vhost id's
to be unusable with mod_ssl.
PR: 8572 |
621bd763d2e4d32f19013ac8b76b375b5a01851f 94515 |
|
07-Apr-2002 |
dougm |
fix ProxyPass when frontend is https and backend is http |
d3ede1a68c9d9e6753f67834e6686bb147d2105c 94393 |
|
02-Apr-2002 |
dougm |
PR:
Obtained from:
Submitted by:
Reviewed by: Ryan Bloom
ap_remove_output_filter no longer works for connection filters.
change logic in the case of "HTTP spoken on HTTPS port" to disable the
ssl filters rather than attempt to remove the filters. |
a72de14bfdbf0be9d935be9bdc2df631ca5e032b 94338 |
|
30-Mar-2002 |
dougm |
add SSLProxyCARevocation{File,Path} directives to support CRLs in the proxy |
cde1010d880fb6230f80c9d697842ea0b1cb79c7 94314 |
|
29-Mar-2002 |
dougm |
add SSLProxyEngine directive. this was not required in the 1.x based
mod_ssl because the SSL_CTX was created and configured for *every*
request. unlike in 2.0 where we configure the proxy SSL_CTX at
startup time, which is much better for performance. but we don't want
to configure a proxy context for every vhost if it isn't going to be
used, for the same reasons we don't create a server context for every
vhost unless SSLEngine is on. |
108a52e39565819753b5400f7ac582ae3a1169fe 94301 |
|
29-Mar-2002 |
dougm |
removing old proxy extension code |
6f4e764bdc921aaae268a18d104d296fbc5dda5f 94298 |
|
29-Mar-2002 |
dougm |
in proxy mode we need to SSL_connect rather than SSL_accept in
ssl_hook_process_connection. |
9cb81d96f6b556cec1aa456191f43f7932aabaae 94293 |
|
29-Mar-2002 |
dougm |
add optional function (ssl_proxy_enable) to turn on ssl proxy
choose SSL_CTX based on SSLConnRec.is_proxy |
8fdc55d1624c714391fe1f93ebafe98ace427f4a 94289 |
|
29-Mar-2002 |
dougm |
use ssl_cmd_verify_parse for SSLProxyVerify directive handler |
b78f9307673dd25623f3dc74fd11a9dd702aea69 94286 |
|
29-Mar-2002 |
dougm |
enable proxy directives |
9adbc60e68a02b53c03295c06065f15034b1633e 94267 |
|
28-Mar-2002 |
dougm |
breakup SSLSrvConfigRec in preparation for proxy support:
+ modssl_pk_server_t - certs/keys for the server
+ modssl_pk_proxy_t - certs/keys for the proxy
+ modssl_auth_ctx_t - stuff related to authentication that can also
be per-dir, used by both server and proxy
+ modssl_ctx_t - context that can be used by both server and proxy
+ SSLSrvConfigRec - now contains original stuff specific to the
server config and modssl_ctx_t *server, *proxy |
93e04e27f5508c78897599cc15abd27ffbbd5424 94264 |
|
28-Mar-2002 |
dougm |
de-hungarian-ize server config member names which are going to stay |
615d8325d256f306dea742098e0855b2e207feb1 94179 |
|
26-Mar-2002 |
dougm |
per-dir SSLCACertificate{File,Path} cannot use SSL_CTX_set_cert_store
as the 1.x based module does, since the function is not thread-safe.
a patch has been submitted to OpenSSL to support SSL_set_cert_store
which is thread safe. this feature is enabled by default in the
current 1.x based module, we only enable it if the SSL_set_cert_store
function is available. |
bc8fd1b0b1afdf89b8d28eefa8cd74e26ba97986 93918 |
|
13-Mar-2002 |
fielding |
Update our copyright for this year. |
931ac1238a9dc3b8e46725cfef16c852e577e588 93861 |
|
12-Mar-2002 |
dougm |
minor performance enhancement: no need to use md5 of VHostID for the
session id, just use the VHostID itself. |
ae7ce6cd81b337be9b24aa9ba75b149f14ec9212 93860 |
|
12-Mar-2002 |
dougm |
dropping hungarian notation |
71c00f988beb28388702e14cb7fe06f08bd792bb 93859 |
|
12-Mar-2002 |
dougm |
minor style changes |
6d7efb8c76b56eaebd6032096771c9e44b247f3f 93824 |
|
10-Mar-2002 |
dougm |
no need to call SSL_clear() after SSL_new() |
2e79bb3add3d91814269824f948945d45b2b3260 93823 |
|
10-Mar-2002 |
dougm |
don't allocate SSLConnRec unless ssl is enabled on this vhost.
also provides a shorter shortcut for mod_ssl hooks to decline if ssl
is not enabled. |
ac64aa99c6775b1fdebeb5484d4e607c1b77ce8e 93606 |
|
27-Feb-2002 |
wrowe |
Introduce the PassPhraseDialog 'pipe' mechanism.
This is the directive handling commit only, the mechanics patch will
follow. PassPhraseDialog "|/path/to/pipe" will use the bidirectional
pipe to have a 'conversation', along the lines of the tty dialog with
PassPhraseDialog 'builtin'. This is entirely different than the 'exec'
method, which simply runs once for each passphrase, and doesn't allow
for failure/retries, and certainly doesn't offer any sensible 'dialog'. |
affe4f2ea22fca7ce90166044af0c5fdba608ec3 93259 |
|
05-Feb-2002 |
rbb |
Remove the install_transport_filters hook. The same function can be
acheived with the pre_connection hook. I have added the socket to the
pre_connection phase to make this possible.
Reviewed by: Bill Stoddard |
417f504d4d11631c0d062be85347f82a26c88677 93063 |
|
29-Jan-2002 |
aaron |
The pre_config hook now takes a return value. This allows modules to
cause the server to bail out under error conditions. |
ee950d863ae02c3105a32e53373fefbc38b96244 92240 |
|
29-Nov-2001 |
dougm |
the client cert X509_NAME_oneline() is only used if SSLFakeBasicAuth
is happening. so avoid calling that unless needed and just stash a
pointer to the client cert for the boolean checks that the client
provided a cert.
PR:
Obtained from:
Submitted by:
Reviewed by: |
544b377f935dac2238b3af7a1b84f3e955adb627 92216 |
|
28-Nov-2001 |
dougm |
calculate VHostID length at startup rather than request time.
change ap_md5() call in ssl_hook_pre_connection() to ap_md5_binary()
that uses the precalculated sc->nVHostID_length to avoid a strlen() call.
PR:
Obtained from:
Submitted by:
Reviewed by: |
72d7c23997c59e4195fe3ebc8ef48895773be0bc 92215 |
|
28-Nov-2001 |
dougm |
avoid calling ssl_util_vhostid() (and apr_sprintf underneath) at
request time by calling it at startup time and saving the value in the
SSLSrvConfigRec.
PR:
Obtained from:
Submitted by:
Reviewed by: |
e822d7a17076adc11a72b647028aa9755a035cf5 92213 |
|
28-Nov-2001 |
dougm |
replace strlen(cpVHostMD5) with MD5_DIGESTSIZE*2 in ssl_hook_pre_connection()
since we know the string returned by ap_md5() will always be that length
PR:
Obtained from:
Submitted by:
Reviewed by: |
eb44880a3a945b5af25d33ab6dfc8e5bd62e0be1 92211 |
|
28-Nov-2001 |
dougm |
remove unused ssl::handshake::timeout references
(core handles all timeouts)
PR:
Obtained from:
Submitted by:
Reviewed by: |
0372f6a6267f1ef4830637d59398b2902738efed 92122 |
|
22-Nov-2001 |
dougm |
avoid a couple of calls to ssl_util_vhostid() and apr_psprintf()
unless loglevel >= SSL_LOG_INFO
PR:
Obtained from:
Submitted by:
Reviewed by: |
d28d7091912b3d911bdbe18df2d37d315681054b 92113 |
|
22-Nov-2001 |
dougm |
get rid of 'apctx' table that used to live in SSL_get_app_data2(ssl)
change app_data2 to be the request_rec itself.
if something needs per-request context in the future,
it can use r->request_config
PR:
Obtained from:
Submitted by:
Reviewed by: |
13042558b26e8542e668397c9fd55920a425a187 92111 |
|
22-Nov-2001 |
dougm |
move c->notes.ssl::verify::depth to SSLConnRec.verify_depth
note: may actually be removed unless somebody can figure out why it is in
there to begin with
PR:
Obtained from:
Submitted by:
Reviewed by: |
34e35f19305a307db17a3e42beba8a7311525907 92109 |
|
21-Nov-2001 |
dougm |
move c->notes.ssl::verify::{info,error} to SSLConnRec.verify_{info,error}
PR:
Obtained from:
Submitted by:
Reviewed by: |
d572c96f3a1c0f6b712bf2522352b929872a607e 92094 |
|
21-Nov-2001 |
dougm |
move c->notes.ssl::client::dn to SSLConnRec.client_dn
PR:
Obtained from:
Submitted by:
Reviewed by: |
931b4fd1cc9dd3da096c45f4bf7ddcc14e0985c1 92093 |
|
21-Nov-2001 |
dougm |
start moving c->notes usage to a new SSLConnRec structure hanging off of
c->conn_config
PR:
Obtained from:
Submitted by:
Reviewed by: rbb, madhu |
574f6ff9ee80ef4f772649c5c8319b764a8abe42 91414 |
|
11-Oct-2001 |
jerenkrantz |
This is the mod_ssl input filtering rewrite. Lots of stuff here. I also
changed some of the style issues within the filtering code to conform to
the rest of the server.
Various incarnations of this patch have been posted to dev@httpd without
feedback. Now that it passes all of the httpd-test cases (with the
exception of module/negotiation test which fails without mod_ssl anyway),
it is time to check it in.
Please review and test. We are under C-T-R rules, so I'm going to take
advantage of that and commit it now. I have tested this about as much
as I can and it seems to work from everything I can give to it.
Considering that mod_ssl was broken before this commit, this is an
improvement. |
dbf952ad13b71b8dfb44a40370b4b422628b9fe5 90802 |
|
30-Aug-2001 |
dougm |
dont block when handling non-ssl request |
13bac43a0f21d8c6401debc1baa76be984474074 90724 |
|
27-Aug-2001 |
rbb |
Allow mod_ssl to send back an error message if an HTTP request is sent
over an HTTPS connection. This also adds an ap_remove_input_filter
function, which should be used to remove the SSL input filter in this
case, as soon as this code is stressed a bit more.
For right now, we are sending the same message that we used to send in
mod_ssl for Apache 1.3. |
c947acd3d1a604a0acad6a53ef685312d4410fc5 90645 |
|
24-Aug-2001 |
dougm |
enable i/o debugging |
08e685922fbfb1742c65c85a3a1d8688bc826aee 90599 |
|
24-Aug-2001 |
dougm |
support "SSLVerifyClient optional_no_ca" |
eecdc3ce360b93883329706f0e50705c2b9bf0cb 90597 |
|
24-Aug-2001 |
dougm |
prevent double lookup of ssl::verify::error |
b79b480213d7452db127eec054e52eb2b4fa6153 90524 |
|
23-Aug-2001 |
wrowe |
Complete the rename of the ssl_scache_status_register and
ssl_ext_proxy_register (which has yet to be renamed for it's
future location, since I'm not going further at the moment
with implementing it's functionallity, all my focus is on
the ssl_var_register arm.) |
af5dd1c93d2185f7e37f8783c593b64fd35ea8a6 90517 |
|
23-Aug-2001 |
wrowe |
Remove a ton o' cruft. Moves the mod_log_config 'var' extensions to
ssl_engine_vars.c. |
f9ab8587cde76774152c8324f4b6927e42caa96d 90511 |
|
22-Aug-2001 |
dougm |
remove #if 0-ed ssl_hook_NewConnection code; was only left for reference,
no longer needed
remove #if 0-ed ssl_hook_TimeoutConnection code; ssl no longer talks directly
to the socket
PR:
Obtained from:
Submitted by: madhu
Reviewed by: dougm |
caaa9b08da1d1cc30fe9160109b883561e574932 90504 |
|
22-Aug-2001 |
dougm |
move some code duplication into ssl_abort() function |
6b025bd5a034790b2bb31236092265e154d6a565 90503 |
|
22-Aug-2001 |
dougm |
Enable ssl client authentication at SSL_accept time
PR:
Obtained from:
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: dougm |
c41079a4104442a06991bf7fd0b69b36c3774058 90496 |
|
22-Aug-2001 |
wrowe |
Explicitly fix some types, and opt-out on macro conflicts |
0fce4eaa9fdf964f33fab19d0adac422a5305261 90464 |
|
21-Aug-2001 |
dougm |
and swap Auth/UserCheck names to match the hook names, in hopes of preventing further foncusion |
61bf28bc9ea9d02800355540594f61bdef973117 90463 |
|
21-Aug-2001 |
dougm |
authentication/authorization hooks were backwards
make authentication hook run APR_HOOK_FIRST for FakeBasicAuth
PR:
Obtained from:
Submitted by:
Reviewed by: |
f8f6d46ab6c53940b0533b97210fd411396fb371 90444 |
|
21-Aug-2001 |
dougm |
remove unused ssl_io_ functions |
dfaea9dfb7e6fd2c97b9d35a75d7bcab94af8ff8 90443 |
|
21-Aug-2001 |
dougm |
remove some unused hook code
enable child init hook
PR:
Obtained from:
Submitted by:
Reviewed by: |
5f844601d834818fdd996911c52446af752a8401 90229 |
|
16-Aug-2001 |
dougm |
at least make a note of SSL_R_HTTP_REQUEST error (until this is properly dealt with) |
2eeb0550d9b16ceec9e585831e698c9761232cc9 90227 |
|
16-Aug-2001 |
dougm |
if ssl shutdown happens earlier than expected, filter code needs be aware |
667644ed8cd8f8c8e21f5f5cf908585b03a4b501 90185 |
|
16-Aug-2001 |
dougm |
enable ssl Translate, UserCheck, Access and Auth hooks
add support for renegotiation during the Access hook
this requires hooking into the read and write SSL BIOs in order to
flush data to the client and read from the filter chain
this also requires that the ssl filters become "aware" that
renegotitation is in progress so that the BIOs are left alone for
SSL_renegotiate/SSL_do_handshake in ssl_hook_Access to deal with
PR:
Obtained from:
Submitted by:
Reviewed by: |
4bcb2920ca31b3f0eadfb90f21aaa7a5f317c21d 89819 |
|
31-Jul-2001 |
wrowe |
enables the use of the ssl_var_lookup functionality in the various source
files in modules/ssl. The ap_hook_* functions are still not yet ported to
Apache 2.0 style
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> |
fa599e0e097d4d933c4dc378ffbfc3c045dd589e 89815 |
|
31-Jul-2001 |
wrowe |
Activate ssl_hook_pre_config |
2115487f2a78dcabf1f6285e790ad243bee5531e 89807 |
|
31-Jul-2001 |
wrowe |
Register for %X, %c (we gotta make a decision, please vote if you care...
use %c's meaning from the historical SSL modules, or Bill Stoddard's
connection-terminated meaning? One will have to give.) |
c052e3e4fb5e1c58bfd28dc086c06ac24ffba5e9 89620 |
|
19-Jul-2001 |
wrowe |
Workaround till connection_hook details are resolved
[MATHIHALLI,MADHUSUDAN <madhusudan_mathihalli@hp.com>] |
a943533fd4d91d114af622731a405407990c4fb1 89618 |
|
19-Jul-2001 |
rse |
Apply mod_ssl MEGA porting patch. This is a cleaned up version of the
latest patches from Madhusudan which makes mod_ssl 95% working inside
Apache 2.0. There is still a lot of more work (both porting and cleanup)
to do be done. See modules/ssl/README for details.
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> |
07ffd6dad158ce6749fd62a125a4939ea092981e 89566 |
|
17-Jul-2001 |
dougm |
dummy ssl hooks need to return an int value for server to function with mod_ssl compiled in |
0839d91ee551a0e19ea9577bb00976b97308dfdd 89113 |
|
14-May-2001 |
martin |
Fix typos |
7933d4a963def02417113b6798d87a36395053b0 89020 |
|
05-May-2001 |
rse |
Change mostly all old module structure hooks and EAPI hooks to
ap_hook_xxx equivalents. More work has to be done here to clean all this
up and reduce to a minimum... |
d1bb6e2664788e0437acc18e877562c9a796d7ce 89005 |
|
05-May-2001 |
rse |
Activate the command_rec structure. |
6ace32dacb8313226eb9019275d0e4fa45a15148 89002 |
|
05-May-2001 |
rse |
Integrate mod_ssl into the Autoconf facility.
(currently only stub files are compiled) |
d86ef5503dcbc38e87c0e03cd3e1f16458cb6323 88995 |
|
05-May-2001 |
rse |
mod_ssl integration step 2:
transfer copyright of all code to ASF by using Apache Software License v1.1 |
cc003103e52ff9d5fe9bed567ef9438613ab4fbf 88988 |
|
04-May-2001 |
rse |
Initial revision |