Address a todo listed in https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E "init functions should return status code rather than ssl_die()" For diagnostic purposes, ssl_die() is still there, but instead of abruptly exit(1)ing, it will return APR_EGENERAL to the ssl_init_* callers in ssl_engine_init.c, and these will propagate the status back to ssl_init_Module.

abort if BIO_new fails due to lack of memory

Pass the server_rec to ssl_die() and use it to log a message to the main error log, pointing to the appropriate virtual host error log

Various fixes for log message tags: - Remove tags in ssl_log_ssl_error() and ssl_log_cert_error() - Instead add tags to various ssl_log_xerror, ssl_log_cxerror calls (ssl_log_rxerror is unused). - likewise for modssl_proxy_info_log() - Fix spelling of APLOG_NOERRNO in coccinelle script - add support for ssl_log_*error and ap_log_cserror - add some more tags missing due to APLOG_NOERRNO spelling error - Remove tags from example modules (we don't want people to blindly copy those)

Add lots of unique tags to error log messages

Cleanup effort in prep for GA push: Trim trailing whitespace... no func change

Add ssl_log_xerror() and ssl_log_rxerror(), modeled after ssl_log_cxerror(). Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name to an RFC 2253 formatted string. Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().

we might also see GeneralizedTimes in certs nowadays

Improve ssl_log_cxerror(): Fix logic of APLOG_IS_LEVEL check. Use X509_NAME_print_ex() instead of deprecated X509_NAME_oneline(). Use i2a_ASN1_INTEGER for printing the serial number. Add notBefore and notAfter dates to log line. Check for null cert argument (addresses PR 47408).

Remove the ssl_toolkit_compat layer, which is no longer needed after support for non-OpenSSL toolkits has been dropped. Replace macros by their value proper where feasible, and keep those definitions in ssl_private.h which depend on specific OpenSSL versions.

Fix some modules to make them compile with per-module loglevels.

* Store the correct server_rec in the connection record configuration and adjust the remaining part of mod_ssl to use this server_rec instead of c->base_server. modules/ssl/ssl_private.h: - server_rec member to SSLConnRec struct - Add macros to extract data from connection_rec mySrvFromConn(c) mySrvConfigFromConn(c) myModConfigFromConn(c) modules/ssl/ssl_engine_io.c modules/ssl/ssl_util_ocsp.c modules/ssl/ssl_engine_kernel.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_log.c - Use the new macros to extract data fron connection_rec and use the server_rec stored in SSLConnRec instead of c->base_server whereever appropriate.

* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): Drop 'peer' from the log message since the passed-in cert may be e.g. the peer's issuer. * modules/ssl/ssl_private.h (ssl_log_cxerror): Don't mention the word peer here either.

* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): Log the certificate serial number along with the subject and issuer names.

* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): New function, factored out from ssl_callback_SSLVerify. * modules/ssl/ssl_private: Add prototype. * modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Use it.

* modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Improve SSL error log messages: retrieve and log the "data" string where available, drop the redundant error number (always included in the error string anyway), and clearly delineate both the "data" and "annotation" from the error string itself. PR: 43889 Submitted by: Dr Stephen Henson <steve openssl.org>, jorton

update license header text

Update the copyright year in all .c, .h and .xml files

No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines

Update copyright year to 2005 and standardize on current copyright owner line.

* modules/ssl/ssl_engine_log.c (ssl_log_annotation): const-ify more.

* modules/ssl/ssl_engine_log.c (ssl_log_annotate, ssl_log_annotation, ssl_log_ssl_error): const-ify annotation strings and simplify ssl_log_annotation.

* modules/ssl/ssl_engine_log.c (ssl_log_ssl_error): Use %lu to print an unsigned long.

Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h to be included even when mod_ssl is not enabled. * Makefile.in (install-include): Only install mod_ssl.h. * modules/ssl/ssl_private.h: New file. * modules/ssl/mod_ssl.h: Move everything apart from than the optional hook definitions into ssl_private.h. * modules/ssl/*.c: Include ssl_private.h not mod_ssl.h * modules/ssl/config.m4: Always add the mod_ssl directory to the include path so other modules can find mod_ssl.h. * modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional hook definitions rather than copy'n'pasting them.

fix name of The Apache Software Foundation

fix copyright dates according to the first check in

apply Apache License, Version 2.0

update license to 2004.

* ssl_engine_log.c (ssl_log_ssl_error): Use the thread-safe interface for retrieving error strings.

finished that boring job: update license to 2003. Happy New Year! ;-))

stop using APLOG_NOERRNO in calls to ap_log_[pr]error()

Remove SSLLog and SSLLogLevel directives in favor of having mod_ssl use the standard ErrorLog directives.

Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new ssl_log_ssl_error() function that wraps ap_log_error instead. This begins the migration from ssl_log() -> ap_log_error(). Divorcing ourselves from the SSL_ADD_SSLERR option is required to make the next pass easier.

- Sync with modssl 2.8.8-1.3.24 - Also a minor change to add more useful error logging for shmcb startup failures

Adapt to the rename of apr_explode_localtime to apr_time_exp_lt in APR. Submitted by: Thom May <thom@planetarytramp.net>

de-hungarian-ize server config member names which are going to stay

there is a heaping pile of: ssl_log(s, flags, "Init: (%s) ...", sc->szVHostID) add SSL_INIT flag to cut down some noise and end up with: ssl_log(s, flags, "...")

PR: Obtained from: Submitted by: Reviewed by:

Update our copyright for this year.

apr-utils rename apr_ansi_time_to_apr_time and apr_exploded_time_t. PR: Obtained from: Submitted by: Thom May <thom@planetarytramp.net> Reviewed by: Ian Holsman

Use the empty string, not NUL. I should have read my code more closely. Thanks Cliff for slapping me in the head.

Grrrrr..... We should really use the correct line endings on all platforms.

get rid of ssl_log_applies() function. it does more than we need and what should be done with a macro. it was only used once anyhow. PR: Obtained from: Submitted by: Reviewed by:

dont va_start() in ssl_log() unless we are actually going to log something

Fix most-bogus ap_server_root_relative() cases. These don't include the cases where we are trying to ap_server_root_relative() a pipe cmd!

Apply mod_ssl MEGA porting patch. This is a cleaned up version of the latest patches from Madhusudan which makes mod_ssl 95% working inside Apache 2.0. There is still a lot of more work (both porting and cleanup) to do be done. See modules/ssl/README for details. Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

Axe out EAPI-based SSL_VENDOR stuff. If we want this later again, we have to do it differently anyway. So, for now we try to strip down mod_ssl as heavy as possible and hence we kick out this stuff at all.

Next step in mod_ssl integration: Add missing files to build environment.

mod_ssl integration step 2: transfer copyright of all code to ASF by using Apache Software License v1.1

Initial revision