6ccaafe6847128ba40aa20d2e389d23dbbbed06d 1670434 |
|
31-Mar-2015 |
jim |
More ALPN goodness |
da0e8dabb745dce2c403f2aa9aded8045c646c29 1670397 |
|
31-Mar-2015 |
jim |
ALPN support, based on mod_spdy/mod_h2 patch set |
ea30bfa68d711e27206df00abb140174b4e65ed7 1653997 |
|
22-Jan-2015 |
ylavic |
mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
in virtualhost context (new version of r1653906 reverted by r1653993).
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic |
7a279335bb8e3f889bc16f44678e8c2eb9ccc9f3 1653993 |
|
22-Jan-2015 |
ylavic |
mod_ssl: revert r1653906, will commit an alternative just after.
The issue with r1653906 is that existing configurations like
"SSLProtocol -SSLv3" (where the default is assumed to be ALL)
won't work anymore. |
cea8a744f05a9714c0aeee91e51e19469150d8da 1653906 |
|
22-Jan-2015 |
covener |
Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
in virtualhost context.
Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed By: covener |
f0ed8386200af077d3151eed8724d68b35884f1e 1650310 |
|
08-Jan-2015 |
rjung |
Add SSLSessionTickets (on|off).
It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).
Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.
As long as we do not have a nice key management
there should be a way to deactivate session
tickets. |
032982212dbcc7c3cce95bf89c503bb56e185ac7 1650047 |
|
07-Jan-2015 |
kbrand |
Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes |
218262d57d1ae59891c34ebe396ae3276f2ffa97 1629519 |
|
05-Oct-2014 |
ylavic |
Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros). |
393e1bb47b60cf97d521c49cf929740f32b95758 1629372 |
|
04-Oct-2014 |
kbrand |
Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).
* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
ssl_stapling_certid_free (used with apr_pool_cleanup_register).
Switch to a stapling_certinfo hash which is keyed by the SHA-1
digest of the certificate's DER encoding, rework ssl_stapling_init_cert
to only store info once per certificate (allocated from the pconf
to the extent possible) and extend the logging.
* modules/ssl/ssl_private.h: adjust prototype for
ssl_stapling_init_cert, replace ssl_stapling_ex_init with
ssl_stapling_certinfo_hash_init
* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls
Based on initial work by Alex Bligh <alex alex.org.uk> |
5fd3ff5ac904371e665d1b0d7df9e2ba8912a12f 1598107 |
|
28-May-2014 |
jorton |
Create DH parameters from OpenSSL at module init, avoiding (very
minor) race and leaks:
* modules/ssl/ssl_engine_init.c (make_dh_params): Moved/rejigged
variant of make_get_dh() macro.
(init_dh_params, free_dh_params): New functions.
(modssl_get_dh_params): Split out from ssl_callback_TmpDH.
(ssl_init_Module, ssl_init_ModuleKill): Use new init_/free_.
* modules/ssl/ssl_engine_kernel.c: Moved out DH parameter handling.
(ssl_callback_TmpDH): Use modssl_get_dh_params. |
2447507f86685cea5f2796b6e89d09aa527b9a9b 1591401 |
|
30-Apr-2014 |
ylavic |
mod_ssl: follow up to r1583191.
Use type BOOL for modssl_ctx_t's field ocsp_use_request_nonce.
Suggested by: kbrand. |
c12b284247f00b5696adabb0b855ce0669465764 1584098 |
|
02-Apr-2014 |
ylavic |
mod_ssl: follow up to r1583191.
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition). |
1716538bf2c1a52278afc6830c84f4f232329d1a 1583191 |
|
30-Mar-2014 |
ylavic |
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233. |
96e274a89078dff2630bd0a5cc0968971764bd2a 1563894 |
|
03-Feb-2014 |
trawick |
fix a few spelling errors |
93556ea2f00ffd80b2c81831715dbaf545f840a2 1563417 |
|
01-Feb-2014 |
kbrand |
Followup fix for r1553824:
also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first |
2406dd0fd6061a7e26baad86a1bf1d6c233c2d42 1555464 |
|
05-Jan-2014 |
kbrand |
More finishing touches for SSLOpenSSLConfCmd:
- add documentation
- clear the error queue before executing the next SSL_CONF_cmd
- if needed, configure OCSP stapling after a "Certificate" command
- ifdef ssl_cmd_SSLOpenSSLConfCmd in ssl_private.h |
60998c490ad3334eb07ae63b23b479ac564dec94 1553824 |
|
28-Dec-2013 |
kbrand |
Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depend on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:
ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
and keys (in theory; currently OpenSSL does not support more than
one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile
ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx
ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
make it only load a single (encrypted) private key, and rename
to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type
passphrase prompting programs
ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
and ssl_asn1_table_keyfmt
ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey |
3bd39e1c5cd928eaab417010274689abd1e9aeaa 1546804 |
|
01-Dec-2013 |
kbrand |
Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.) |
5d59b45268c4cd29c489e897e14b31e77f276b05 1544784 |
|
23-Nov-2013 |
kbrand |
Remove SSLPKCS7CertificateFile support:
- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
be trivially converted to a file for use with SSLCertificateChainFile
(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
call missing from modssl_ctx_cfg_merge |
bd17c0d7cde28d71d2c62db92a7fa8b3d0772ead 1544774 |
|
23-Nov-2013 |
kbrand |
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"
For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module. |
b65a553874817068b4efead545da68f09c745f68 1534754 |
|
22-Oct-2013 |
drh |
SSL_CONF support for files and directories. |
b4e664baba9a4be0457c31f84b3dcc4c31f2cb07 1527295 |
|
29-Sep-2013 |
kbrand |
Improve ephemeral key handling (companion to r1526168):
- allow configuring custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294. |
ac0c8366f49659958162b4bfb3d625a77343eda3 1527294 |
|
29-Sep-2013 |
kbrand |
Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):
- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
#ifndef OPENSSL_NO_X lines accordingly
For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E |
718f64661a8087164aa8a5dee7620800996c53b2 1527291 |
|
29-Sep-2013 |
kbrand |
Follow-up fixes for r1526168:
- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers
for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite |
3ccfc257819b3bad063cd3ac9dd1670d5d2ae4d2 1526168 |
|
25-Sep-2013 |
kbrand |
Streamline ephemeral key handling:
- drop support for ephemeral RSA keys (only allowed/needed
for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove
the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always
prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is
sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need
for a per-handshake callback, for the time being (and also
configure SSL_OP_SINGLE_ECDH_USE, previously left out)
For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E |
73c7bbd51ac1420b4bb98d1c8b3cc97d57f21c56 1487775 |
|
30-May-2013 |
jorton |
Remove unnecessary global declarations of optional function
implementations:
* modules/ssl/mod_ssl.c (ssl_proxy_enable, ssl_engine_disable): Mark
static.
* modules/ssl/ssl_private.h (ssl_proxy_enable, ssl_engine_disable):
Remove declarations. |
8a2483ae14c7d9c1ee21a92e4251202456af5747 1487772 |
|
30-May-2013 |
jorton |
mod_ssl: Redesign NPN (Next Protocol Negotiation) API to avoid use of
hooks API and inter-module hard linkage:
* modules/ssl/mod_ssl.h: Remove NPN hooks, add "modssl_register_npn"
optional function and callback function type declarations for
ssl_npn_advertise_protos, ssl_npn_proto_negotiated.
* modules/ssl/mod_ssl.c: Drop hooks.
(modssl_register_npn): New optional function implementation.
(ssl_register_hooks): Register it.
* modules/ssl/ssl_private.h (SSLConnRec): Add npn_advertfns,
npn_negofns array fields.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
Replace use of hook API with array iteration.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Likewise.
Reviewed by: Matthew Steele <mdsteele google.com> |
9f75646ed2590d08ba8dc74e4e40a24e4d27de83 1468131 |
|
15-Apr-2013 |
kbrand |
revert r1352596, for the reasons explained in
https://mail-archives.apache.org/mod_mbox/httpd-dev/201304.mbox/%3C515FED7C.5010009%40velox.ch%3E |
c12917da693bae4028a1d5a5e8224bceed8c739d 1442307 |
|
04-Feb-2013 |
sf |
Avoid valgrind warnings in mod_ssl random number generator
We intentionally add uninitialized stack memory. To avoid warnings,
make valgrind believe that the memory is defined.
Add configure option to enable valgrind support |
d58a822aff1dfda25384d3d009f88f1883c95436 1425874 |
|
26-Dec-2012 |
kbrand |
mod_ssl: add support for subjectAltName-based host name checking in proxy mode
(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY |
1366443dc565c33e7b449ae428bbfc4c86f33935 1421323 |
|
13-Dec-2012 |
drh |
Add support for OpenSSL configuration commands. |
0ad39f9cb23f1633ac0b58cf32da3acc16e1ae50 1352596 |
|
21-Jun-2012 |
ben |
RFC 5878 support. |
304257c2b0d71c1e4cf3c5c819bb6b60e7c82d51 1348660 |
|
10-Jun-2012 |
sf |
Pass the server_rec to ssl_die() and use it to log a message to the main error
log, pointing to the appropriate virtual host error log |
ee32869be7683f78eb1b920e2dd63a5745a15985 1348656 |
|
10-Jun-2012 |
sf |
If OPENSSL_NO_COMP is defined, omit merging the compression flag.
Also make some code more compact, as suggested by kbrand. |
d014f77dd1c7f5802a5b7bbc930ea14254205df3 1348653 |
|
10-Jun-2012 |
sf |
Add some improvements as suggested by Kaspar
- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl
version
- rename rv variable |
099c357f282d4aebf2b32264f7dce6ffc0497c37 1347980 |
|
08-Jun-2012 |
sf |
Add support for TLS-SRP (Secure Remote Password key exchange
for TLS, RFC 5054).
PR: 51075
Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou,
Peter Sylvester |
d9b079a6dd66d36313be56f859c8c61153146527 1345319 |
|
01-Jun-2012 |
sf |
Add new directive SSLCompression to disable SSL-level compression.
PR: 53219
Submitted by: Björn Jacke <bjoern j3e de>, Stefan Fritsch |
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8 1332643 |
|
01-May-2012 |
jorton |
Add support for TLS Next Protocol Negotiation:
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
hooks for next protocol advertisement/discovery.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
NPN advertisement callback in handshake.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
next-protocol discovery hook.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
New callback.
* modules/ssl/ssl_private.h: Add prototype.
Submitted by: Matthew Steele <mdsteele google.com>
with slight tweaks by jorton |
347074f011eae59e518ddf8d8474d35e029a2056 1328325 |
|
20-Apr-2012 |
sf |
When receiving http on https, send the error response with http 1.0
It is important that we send a proper error status, or search engines
may index the error message.
PR: 50823 |
745afecdb3ff59fe2cbd1d2e75d356f476dc86fe 1294306 |
|
27-Feb-2012 |
sf |
Initialize EC temporary key on server startup, as for DH and
RSA. This fixes a race condition that could lead to a crash with threaded
MPMs. |
a1de5cf47c9ccfbf493264e8a3fa7ddd5a9c80d1 1222921 |
|
24-Dec-2011 |
kbrand |
SSLProtocol: allow explicit control of TLSv1.1 and TLSv1.2 flavors when
compiled against OpenSSL 1.0.1 or later. Update documentation. |
53e2218c565ed45d3a7c69dd4c4ef6b1aad5f70a 1222917 |
|
24-Dec-2011 |
kbrand |
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl. |
7a4e3510f3516132ff057ac986fd6350164b7950 1213380 |
|
12-Dec-2011 |
kbrand |
Streamline TLS session ticket key handling (added in r1200040):
- drop the SSLTicketKeyDefault directive, and only support a single
ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,
remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile |
0827cb14e550f6f65018431c22c2c913631c8f25 1203491 |
|
18-Nov-2011 |
kbrand |
drop SSLv2 support (set SSL_OP_NO_SSLv2 for any new SSL_CTX) |
f88003c0c4fd58b38db6421b459fc9f301941c89 1200482 |
|
10-Nov-2011 |
jorton |
* modules/ssl/ssl_private.h, modules/ssl/ssl_engine_kernel.c
(ssl_callback_tlsext_tickets): Use unsigned char * to fix gcc
-Wpointer-sign warnings. |
04afa670eb4210e254cc6fb2b551601dab7017b2 1200045 |
|
10-Nov-2011 |
pquerna |
Whitespace fixes for r1200040 |
df8ef9cef9dbbf5217ee38751f4bab63e14588d6 1200040 |
|
10-Nov-2011 |
pquerna |
Add support for RFC 5077 TLS Session tickets. This adds two new directives:
* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault: To set the default, otherwise the first listed token is used. This enables key rotation across servers. |
affb369b483d1c1767ebfe93e37d338b4e8648f2 1175946 |
|
26-Sep-2011 |
druggeri |
Final update to SSLProxyMachineCertificateChainFile |
742318b93e89c311f66b55f426c4d9cf2c14628b 1174748 |
|
23-Sep-2011 |
jim |
Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change |
8f435d95de2724d4bc75338a9af8ef995e451599 1172797 |
|
19-Sep-2011 |
kbrand |
Add ssl_log_xerror() and ssl_log_rxerror(), modeled after ssl_log_cxerror().
Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name
to an RFC 2253 formatted string.
Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string(). |
329aafcb026993f7566d517835613a9fa837ab1d 1170833 |
|
14-Sep-2011 |
druggeri |
Modify SSLProxyMachineCertificateChainFile to use X509 instead of X509_INFO and use openssl to construct the chain |
77504f17963a8dd941a921d9ddfa25ddb0f348d6 1165056 |
|
04-Sep-2011 |
kbrand |
Revamp CRL checking for client and remote servers:
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past |
562ca0c1728a0a8853cfe0c103192cb44d56e5be 1161005 |
|
24-Aug-2011 |
rpluem |
* Add missing prototype |
44985e4f931d3a75a7e5108705010cc21605ee34 1160863 |
|
23-Aug-2011 |
druggeri |
Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812 |
35bdb5ac3f12961359207dc0ee964c7137fb2b74 1157575 |
|
14-Aug-2011 |
kbrand |
Enforce OpenSSL 0.9.7 or later at compile time (#error out otherwise).
Remove some more unneeded defines from ssl_private.h.
At runtime, warn when mod_ssl is started with an OpenSSL version
older than the one it was originally compiled against. |
292707b9868335763d6f2bb74a263134eeeb8cad 1154688 |
|
07-Aug-2011 |
kbrand |
Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only. |
070235bcb25af37efebf6405b082413144968289 1154687 |
|
07-Aug-2011 |
kbrand |
Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.
Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions. |
4281cf6a722c99ae21394dc2000bd48efcebdb3a 1154683 |
|
07-Aug-2011 |
kbrand |
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.
Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups). |
575cc52562c51c0c8bb8de0c6eaa55a60f7f895b 1090367 |
|
08-Apr-2011 |
sf |
mod_ssl, ab: Support OpenSSL compiled without SSLv2 support |
88171e3486c92454452448dbff66464ab257fec4 1082202 |
|
16-Mar-2011 |
jorton |
* modules/ssl/ssl_private.h: Drop some redundant/unused macros; pick
up stdlib.h.
* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle),
modules/ssl/ssl_engine_vars.c: Stop pretending mod_ssl has a version
independent of the rest of the server. |
c443f50a6fea8bf5fe042e945b25e39bbec279b8 1069765 |
|
11-Feb-2011 |
jorton |
* modules/ssl/ssl_engine_pphrase.c (ssl_pphrase_Handle): Simplify to
calculate hash index only once per loop iteration; no (intended)
functional change. Add comments and tweak a log message.
* modules/ssl/ssl_private.h: Add comments. |
0624a83f94b08328eee6ab21dc316ecfc1e8373e 1069725 |
|
11-Feb-2011 |
jorton |
* modules/ssl/ssl_private.h: Clarify comment on modssl_pk_server_t. |
a2558ec3af4391b7da7fe61e1e53383bbd0174b9 1059917 |
|
17-Jan-2011 |
jorton |
* modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h: Add
config hooks for OCSP response time skew, maximum age, timeout.
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Respect
config settings for above.
* docs/: Update accordingly.
Submitted by: Kaspar Brand <httpd-dev.2011 velox.ch> |
1b1621900bd89ddc496d721c865a726f635ebd7e 1054323 |
|
02-Jan-2011 |
sf |
Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions. |
8fae12696bce44be9ce4c56888690cad8ac7b8f9 1032073 |
|
06-Nov-2010 |
sf |
Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted |
de0aae7af654a602e812b4134e7a0192428843fc 1023821 |
|
18-Oct-2010 |
drh |
Make sure OCSP Stapling Mutex is initialised if we need it.
PR 49498 |
fc58f0ff708564b67cd578c626b6500d1cd63a51 1002837 |
|
29-Sep-2010 |
sf |
Add authz providers for use with mod_authz_core and its RequireAny/RequireAll
containers:
'ssl' (equivalent to SSLRequireSSL)
'ssl-verify-client' (for use with 'SSLVerifyClient optional')
'ssl-require' (expressions with same syntax as SSLRequire)
We may decide to axe 'ssl-require' again in favor of the generic 'expr'
provider, depending on the development of the ap_expr parser. |
26cc83458a27220d116be2e0d6db117285571b51 951904 |
|
06-Jun-2010 |
sf |
Replace LogLevelDebugDump with TRACE log levels |
9f2628baf370d9cf6197b7ca9358b0fb18bd1ce3 951894 |
|
06-Jun-2010 |
sf |
Fix some modules to make them compile with per-module loglevels. |
baa6746bc66ff1daa1852a3a085906d2dfa96bb6 951194 |
|
04-Jun-2010 |
sf |
Introduce SSLLOG_MARK for use with ssl_log_ssl_error(). This will allow
redefining APLOG_MARK later. |
e9eabac76b50e8f00d0c391f6070d0f42db77aa2 925980 |
|
22-Mar-2010 |
wrowe |
Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'.
PR: 46270
Submitted by: Dr Stephen Henson <steve openssl.org>, wrowe |
4db7896587f9b989da093d77a58500ec15b524d0 907918 |
|
09-Feb-2010 |
wrowe |
Catch up ssl to socache store expiry change, and clarify what the code is doing |
2792780a6fb0951dc304b940ba9274ed1e37fe26 907472 |
|
07-Feb-2010 |
wrowe |
Style guides at httpd are pretty clear, macro values are UPCASE, please? |
2b4e45d87889ab2f6b432690cc993a42bc607faf 906039 |
|
03-Feb-2010 |
jorton |
New releases of OpenSSL will only allow secure renegotiation by
default. Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
insecure_reneg field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
ssl_config_server_merge): Handle the insecure_reneg flag.
(ssl_cmd_SSLInsecureRenegotiation): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
enabled.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
support for secure reneg.
* modules/ssl/mod_ssl.c: Add the directive definition. |
11f2c481e1d57bedb3f758565307501e9a2730dd 883540 |
|
24-Nov-2009 |
trawick |
Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead.
Some existing modules, such as mod_ldap and mod_auth_digest gain
configurability for their mutexes. |
ea6ff3396df1d6d43ee0ecfa3e26ada981d8e9a3 834378 |
|
10-Nov-2009 |
sctemme |
enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme] |
299e8bc7d2d18eb822c5e44bdfcdcb22d9b7c7c2 833582 |
|
06-Nov-2009 |
jorton |
SECURITY: Partial fix for CVE-2009-3555:
Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.
Configurations with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
(ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
the (renamed) info callback unconditionally.
* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
to SSLConnRec.
(bio_filter_out_write, bio_filter_in_read): Fail with
APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
of ssl_callback_LogTracingState.
(ssl_callback_Info): New function. |
c779aea0c9b7c47c2e4fd258e3f54835a849625d 830527 |
|
28-Oct-2009 |
poirier |
Fix a lot of doxygen warnings. Thanks to Brad Hards for the patch.
I added a few more fixes, and there are still more that might
need a doxygen expert.
PR: 48061
Submitted by: Brad Hards
Reviewed by: poirier |
89b8bbc89404e7071e573c4f0a17f528996e855d 829619 |
|
25-Oct-2009 |
jorton |
Add support for OCSP "stapling":
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org> |
0de29985d3f84de428d0744b9dafb8a6b086d034 815719 |
|
16-Sep-2009 |
jorton |
* modules/ssl/ssl_util_ocsp.c (send_request,
modssl_dispatch_ocsp_request): Take timeout as argument, as pass through.
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Pass server timeout
to modssl_dispatch_ocsp_request.
Submitted by: Dr Stephen Henson <shenson oss-institute.org> |
681d773821cf3ac791ea88ffd07c0d7ea42864f2 770907 |
|
02-May-2009 |
rpluem |
* As proposed by wrowe on list always define SSLStrictSNIVHostCheck, but error
out if we are not compiled against an SNI capable OpenSSL. |
e3715027f352040ef98da03359b00f13ddb506cb 768596 |
|
25-Apr-2009 |
rpluem |
* Add SSLStrictSNIVHostCheck to allow / disallow non-SNI clients to connect to
name based virtual hosts. |
8f2700898323915da289644dc1f3ee11a5e5b4ea 760866 |
|
01-Apr-2009 |
rpluem |
* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote server's certificate is expired / if there is a
mismatch between the requested hostname and the remote server certificate's
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. |
dd028aa8111afb6534fece555e8c2d408894671e 757853 |
|
24-Mar-2009 |
trawick |
Introduce a new set of APIs to allow MPMs to be proper modules instead
of integral parts which share global variables, functions, and macros
with the rest of httpd.
Converted now:
prefork, worker, event, simple, WinNT*
*WinNT hasn't been built or tested, and relies on a hack to include the
WinNT mpm.h to disable Unixy MPM support routines in mpm_common.c |
807c9f7266ad3a966b6714fe578f3c9da1ca868b 757463 |
|
23-Mar-2009 |
rpluem |
* Store the correct server_rec in the connection record configuration and
adjust the remaining part of mod_ssl to use this server_rec instead of
c->base_server.
modules/ssl/ssl_private.h:
- server_rec member to SSLConnRec struct
- Add macros to extract data from connection_rec
mySrvFromConn(c)
mySrvConfigFromConn(c)
myModConfigFromConn(c)
modules/ssl/ssl_engine_io.c
modules/ssl/ssl_util_ocsp.c
modules/ssl/ssl_engine_kernel.c
modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_log.c
- Use the new macros to extract data from connection_rec
and use the server_rec stored in SSLConnRec instead of
c->base_server wherever appropriate. |
509111f5f58a9effd4c832f6a0cbd6ad9d549188 726109 |
|
12-Dec-2008 |
jorton |
mod_ssl: Make the size of the per-dir-reneg request-body buffer
configurable, by popular demand:
* modules/ssl/ssl_private.h: Define DEFAULT_RENEG_BUFFER_SIZE.
(SSLDirConfigRec): Add nRenegBufferSize field.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRenegBufferSize): New
function.
(ssl_config_perdir_create, ssl_config_perdir_merge): Handle
nRenegBufferSize.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Take max buffer
size as an argument rather than compile-time constant.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass
nRenegBufferSize to ssl_io_buffer_fill.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add SSLRenegBufferSize.
PR: 39243 |
9bed1d2e9a0952c187e7046df4cfd5f8381558f0 724802 |
|
09-Dec-2008 |
jorton |
* modules/ssl/ssl_private.h: Add a big fat warning about
the SSLModConfigRec lifetime. |
66b8ec445dced7a2036bcd3b87b6fc3f08a1ab24 724717 |
|
09-Dec-2008 |
jorton |
Improve mod_ssl's environment variable extraction to correctly handle
DNs with duplicate tags:
* modules/ssl/ssl_engine_vars.c:
Augment the ssl_var_lookup_ssl_cert_dn_rec table with a flag
to indicate whether RDNs of the given NID should be extracted
to the environment.
(extract_dn, modssl_var_extract_dns): New functions.
* modules/ssl/ssl_private.h (modssl_var_extract_dns): Add prototype.
* modules/ssl/ssl_engine_kernel.c: Remove SSL_*_DN_ from the list
of variables to insert into the environment.
(ssl_hook_Fixup): Use modssl_var_extract_dns to insert the
SSL_*_DN_ variables efficiently and accurately, handling
certs with duplicate RDN tags correctly.
PR: 45875 |
8e09f1830f114c016598a3b76fd6d31e1589c012 687819 |
|
21-Aug-2008 |
sctemme |
Move struct definition out of the header file since it is only used in this source file |
1eddce0da057f6fa5c5e9dde32e9dc6596616b12 687550 |
|
21-Aug-2008 |
sctemme |
Implement dynamic mutex callbacks for the benefit of OpenSSL. |
1e046c430fedc2d319088d925fd044710b3596b9 645940 |
|
08-Apr-2008 |
jorton |
Session cache interface redesign, Part 9:
Switch mod_ssl to use the ap_socache interface.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
files.
* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.
* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
(SSLModConfigRec): Switch to using socache types.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
use socache provider.
* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
using socache constants.
* modules/ssl/config.m4: Drop distache/memcache configuration, remove
old objects. |
341bd61e8bccf51d8f2a5580168272e6e9098500 633526 |
|
04-Mar-2008 |
jorton |
Session cache interface redesign, Part 7:
Clean up provider interface, removing use of mod_ssl-specific types:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Replace BOOL
with apr_status_t, UCHAR with unsigned char; use 'unsigned int' for
idlen; constify id arguments; remove pool argument from ->status.
* modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_memcache,
modules/ssl/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Update
accordingly.
* modules/ssl/ssl_scache.c (ssl_scache_retrieve, ssl_scache_store):
Adjust for BOOL->apr_status_t change.
(ssl_ext_status_hook): Update for dropped pool argument. |
6fca32e7b306e285a3be6879e2ed62b8875b3410 631297 |
|
26-Feb-2008 |
jorton |
Session cache interface redesign, Part 6:
Move mutex handling up out of the session cache providers:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add name and
flags fields. Define MODSSL_SESSCACHE_FLAG_NOTMPSAFE constant.
* modules/ssl/ssl_scache.c (ssl_scache_store, ssl_scache_retrieve,
ssl_scache_remove, ssl_ext_status_hook): Lock and release the mutex
around provider calls, if necessary.
* modules/ssl/ssl_engine_mutex.c (ssl_mutex_init): Do nothing if no
session cache is configured, or the session cache does not require a
mutex. Otherwise, fail if no mutex is configured and the session
cache *does* require a mutex.
(ssl_mutex_on, ssl_mutex_off): Remove checks for mutex mode;
functions now invoked only if necessary.
* modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_memcache: Set
name and flags fields in provider structures.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Remove
mutex handling through; set name and flags fields in provider
structures; mark both as unsafe for concurrent access in flags. |
1660a5facf5797acb7aa1300f5ef86756a0bf493 631000 |
|
25-Feb-2008 |
jorton |
Session cache interface redesign, Part 5:
Use the ap_provider interface for session cache storage providers.
* modules/ssl/mod_ssl.c (modssl_register_scache): New function.
(ssl_register_hooks): Call it.
* modules/ssl/ssl_private.h: Define MODSSL_SESSCACHE_PROVIDER_GROUP
and MODSSL_SESSCACHE_PROVIDER_VERSION constants.
Remove ssl_scmode_t type. Change nSessionCacheMode in
SSLModConfigRec into a long sesscache_mode, storing the OpenSSL
SSL_SESS_CACHE_* flags directly.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Set
sesscache_mode to SSL_SESS_CACHE_OFF by default.
(ssl_cmd_SSLSessionCache): Remove ifdef spaghetti; fetch configured
session cache by provider name. Set mc->sesscache_mode for
configured providers.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache): Use the
configured mode flags directly from mc->sesscache_mode. |
ce86c333d89ba6af7d75625af535e6c08cfec5b7 630974 |
|
25-Feb-2008 |
jorton |
Session cache interface redesign, Part 4:
Move provider-specific configuration handling down into the provider
code. Eliminate all use of SSLModConfigRec within provider code.
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add 'create'
function which creates and configures the cache provider, before
initialisation. Change 'init' function to take the context pointer
as an input parameter, and reorder to be first.
* modules/ssl/ssl_scache.c (ssl_scache_init): Adjust accordingly.
* modules/ssl/ssl_scache_memcache.c (struct context): Add servers
field.
(ssl_scache_mc_create): New function.
(ssl_scache_mc_init): Use servers from context not SSLModConfigRec.
* modules/ssl/ssl_scache_dbm.c (struct context): Define.
(ssl_scache_dbm_create): New function.
(ssl_scache_dbm_init, ssl_scache_dbm_kill): Adjust to use filename
and pool from context.
(ssl_scache_dbm_store, ssl_scache_dbm_retrieve,
ssl_scache_dbm_status): Use filename from context. Use context pool
for temp storage of the DBM object, and clear before use.
(ssl_scache_dbm_expire): Remove static tLast; use last_expiry from
context. Use context pool for temp storage and clear before use.
* modules/ssl/ssl_scache_dc.c (struct context): Add target field.
(ssl_scache_dc_init, ssl_scache_dc_status): Use target from context.
* modules/ssl/ssl_scache_shmcb.c (struct context): Add data_file,
shm_size fields.
(ssl_scache_shmcb_create): New function; moved argument parsing
logic from ssl_cmd_SSLSessionCache
(ssl_scache_shmcb_init, ssl_scache_shmcb_status): Use config from
context.
* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Remove
handling of old provider-specific fields.
(ssl_cmd_SSLSessionCache): Call provider ->create function to parse
the argument and create provider-specific context structure. |
14f4bb835ebae81e8c3a3fc4570110ba2ba6ba3c 630795 |
|
25-Feb-2008 |
jorton |
* modules/ssl/ssl_private.h: Specify extern storage for
modssl_sesscache_provider objects.
Found by: rpluem |
bd7270bfdb852814828f7da65ac42fa20620f826 630323 |
|
22-Feb-2008 |
jorton |
Session cache interface redesign, Part 3:
Move provider-private context out of SSLModConfigRec and into an
opaque context pointer. Use real error propagation in the ->init
functions rather than ssl_die().
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Take a
context out-parameter from ->init, and return an apr_status_t.
Add context pointer as first arg for the other function types.
(SSLModConfigRec): Remove tSessionCacheData* fields; add
sesscache_context field.
* modules/ssl/ssl_scache.c (ssl_scache_init): Move once-per-process
invocation check back into here.
(ssl_scache_*): Adjust to use context pointer.
* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_dc.c,
modules/ssl/ssl_scache_dbm.c: Adjust all implementations to use
opaque context pointer.
* modules/ssl/ssl_scache_memcache.c: Move memcache context into the
context structure rather than using global state.
* modules/ssl/ssl_engine_config.c: Remove handling of
pSessionCacheData* fields in SSLModConfigRec. |
2d4180e0520fbba07aed22d25dd1e9fce4935d94 630307 |
|
22-Feb-2008 |
jorton |
Move SSL session data deserialization up out of the session cache
storage providers; includes a significant change to the shmcb storage
structure:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
retrieve function to take dest/destlen output buffer, to take a
constant id parameter, and to return a BOOL.
* modules/ssl/ssl_scache.c (ssl_scache_retrieve): Update accordingly,
perform SSL deserialization here.
* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_retrieve),
modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_retrieve),
modules/ssl/ssl_scache_memcache.c (ssl_scache_mc_retrieve):
Update accordingly.
* modules/ssl/ssl_scache_shmcb.c: Store the whole ID in the cache
before the data, so that each index can be compared against the
requested ID without deserializing the data. This requires approx
20% extra storage per session in the common case, though should
reduce CPU overhead in some retrieval paths.
(SHMCBIndex): Replace s_id2 field with id_len.
(shmcb_cyclic_memcmp): New function.
(ssl_scache_shmcb_init): Change the heuristics to allow for increase
in per-session storage requirement.
(ssl_scache_shmcb_retrieve): Drop requirement on ID length.
(shmcb_subcache_store): Store the ID in the cyclic buffer.
(shmcb_subcache_retrieve, shmcb_subcache_remove): Compare against
the stored ID rather than deserializing the data.
(ssl_scache_shmcb_retrieve, ssl_scache_shmcb_store): Update
accordingly. |
a64f647f3dfca4b531d4d624bdc806f550812eba 630168 |
|
22-Feb-2008 |
jorton |
Move SSL session data serialization up out of the session cache
storage providers:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Change
'store' interface to take a data/length pair rather than an
SSL_SESSION pointer.
* modules/ssl/ssl_scache.c (ssl_scache_store): Serialize the SSL
session here and pass down the raw DER.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c,
modules/ssl_scache_shmcb.c, modules/ssl_scache_dbm.c: Adjust ->store
implementations accordingly, removing the four sets of identical
code doing the i2d dance. |
f37e6552e77e4f299ed8f90a3e8f05859ea7017c 630163 |
|
22-Feb-2008 |
jorton |
Re-implement the SSL session cache abstraction using a vtable; first
step towards use of the ap_provider interface:
* modules/ssl/ssl_private.h (modssl_sesscache_provider): Add new
vtable type.
(SSLModConfigRec): Reference the vtable here.
Replace all the ssl_scache_* prototypes with provider vtable objects.
* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_retrieve, ssl_scache_store, ssl_scache_remove,
ssl_ext_status_hook): Use callbacks from vtable rather than ifdef
spaghetti.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_session_cache):
Only install the OpenSSL callbacks if a vtable is configured.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Set up
vtable pointer.
* modules/ssl/ssl_scache_dc.c, modules/ssl_scache_mc.c: Adjust to make
implementations static, and add vtable definition.
* modules/ssl_scache_shmcb.c: Likewise; also move the init
one-per-process requirement down here.
* modules/ssl_scache_dbm.c: Likewise; also (temporarily) use a local
subpool in the store callback. |
609ce4fda10d49722bce73df97e3a398b662fecb 611216 |
|
11-Jan-2008 |
fuankg |
Restructured server name indication support (PR 34607);
added missing client cert support.
Submitted by: Kaspar Brand <asfbugz velox.ch> |
79793fb029e11b556dcfe373ddf9a7663549b6fc 607420 |
|
29-Dec-2007 |
fuankg |
fixed code style, missing prototype warnings, disabled init for proxy, removed obsolete cast. |
1841deff37939a00a56b466722ce4309f9d15031 600486 |
|
03-Dec-2007 |
jorton |
* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): Drop 'peer' from the
log message since the passed-in cert may be e.g. the peer's issuer.
* modules/ssl/ssl_private.h (ssl_log_cxerror): Don't mention the word
peer here either. |
a8ee5666c0b624353fdf7831e94e4f09a16d45f7 599497 |
|
29-Nov-2007 |
jorton |
* modules/ssl/ssl_engine_ocsp.c, modules/ssl/ssl_private.h: Comment
tweaks, no functional change. |
39c7699ec0799d394d3f67145d4a12ed82f587b8 599385 |
|
29-Nov-2007 |
jorton |
mod_ssl: Add support for OCSP validation of client certificates:
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
(ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
ssl_cmd_SSLOCSPEnable): Add functions.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
* modules/ssl/ssl_private.h: Add prototypes, config options to
modssl_ctx_t.
* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
dispatching OCSP requests.
* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
OCSP validation.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
OCSP validation if configured, and the cert is so-far verified to be
trusted. Fail if OCSP validation is configured and the optional-no-ca
check tripped.
* modules/ssl/config.m4: Check for OCSP support, build new files.
* modules/ssl/mod_ssl.dsp: Build new files.
* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
interfaces.
PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org> |
8ec5cc2de6b079c1a686cc5f258806ae53928639 597651 |
|
23-Nov-2007 |
jorton |
* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): New function,
factored out from ssl_callback_SSLVerify.
* modules/ssl/ssl_private: Add prototype.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Use it. |
4ede070ca63bd4c48045e35a7192582769770290 592446 |
|
06-Nov-2007 |
jorton |
mod_ssl: Fix forever-broken TLS upgrade support; perform the upgrade
in the post_read_request hook rather than in a filter, and fix the
filter insertion issue:
* modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
mostly moved from ssl_io_filter_Upgrade.
(ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
required.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
function.
(ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
pointer and pass to ap_add_*_filter to ensure the filter chain
is modified correctly; remove it from the filter afterwards.
(ssl_io_filter_register): Drop UPGRADE_FILTER registration.
* modules/ssl/mod_ssl.c (ssl_init_ssl_connection): Take a request_rec
pointer, pass to ssl_io_filter_init.
(ssl_hook_pre_connection): Pass NULL request_rec pointer to above.
(ssl_hook_Insert_Filter): Remove function.
(ssl_register_hooks): Drop insert_filter hook.
* modules/ssl/ssl_private.h: Update prototypes.
PR: 41231 |
17f61d2695369a9b62bc0e5f38e9c4d23eebc664 591384 |
|
02-Nov-2007 |
jorton |
* modules/ssl/ssl_engine_vars.c (ssl_var_register): Take a pool
argument; determine library version strings once at startup.
(ssl_var_lookup_ssl_version): Drop 'pp' argument; use new global
variables rather than modifying process-global state in a function
which must be thread-safe. (all callers changed)
* modules/ssl/mod_ssl.c (ssl_register_hooks): Pass pool to
ssl_var_register. |
2b58197335a56bf6f237f1c6c7e6d7eaf5ff521c 545610 |
|
08-Jun-2007 |
pquerna |
For the DBM SSL Session Cache, propagate down pools to use for allocations. In most cases, we can use the conn_rec::pool, but for ssl_callback_DelSessionCacheEntry, we still use the long lived configuration pool, but this change at least makes it easier to fix in the future. |
6071f6bd88f58458bd308196698ea3e10cb1d04b 545608 |
|
08-Jun-2007 |
pquerna |
Propagate the conn_rec::pool down to ssl_scache_retrieve so that the memcache layer doesn't 'leak' into a long lived pool for temp allocations. |
33069f28e6db2966c6f4216494a40910e1ad736d 545392 |
|
08-Jun-2007 |
pquerna |
Increment the enum correctly.
Noticed By: Ryan Phillips |
e4b96ba15dc8b2b27d251d53e29b86da32cd5066 545379 |
|
08-Jun-2007 |
pquerna |
Add support for distributed caching of SSL Sessions inside memcached, using apr_memcache, which is present in APR-Util 1.3/trunk.
This was originally written at ApacheCon US 2005 (San Diego), and was sent to the list:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200512.mbox/%3C439C6C07.9030904@force-elite.com%3E
This version is slightly cleaned up, and of course, uses the now bundled apr_memcache, rather than an external dependency. |
67139e2d50d1e11558d87f7042f61cb04bb0d1d2 467326 |
|
24-Oct-2006 |
jim |
Once SSLMutex allowed for the setting of both the
locking method and the lockfile location, I never
liked how AcceptMutex was linked to LockFile. This
seemed unnecessary. Much better to have AcceptMutex
do both as well. Plus, now that we will likely see
other modules require a "standard" way of setting
mutexes, why not have Apache provide that as
an API of sorts.
Anyway, LockFile is now deprecated and AcceptMutex
is now SSLMutex-like. We also provide a short
function that "parses" out a mutex parameter
and strips out the mechanism and lockfile location.
AcceptMutex and SSLMutex use this capability. |
176c2742db03fcb7b7d13e6408dd967d87e542e9 424707 |
|
23-Jul-2006 |
ben |
Add PKCS#7 support. |
842ae4bd224140319ae7feec1872b93dfd491143 420983 |
|
11-Jul-2006 |
fielding |
update license header text |
3c36b0324c8486306904c84eb0264affc45ed56c 416265 |
|
22-Jun-2006 |
wrowe |
New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle. |
3d81f57512275ca06a60a9bcbd23c1f8b429fdf2 395228 |
|
19-Apr-2006 |
colm |
Update the copyright year in all .c, .h and .xml files |
e6b8fcf35ed1dfe140b97bea7e532911d7965d02 290965 |
|
22-Sep-2005 |
jorton |
Implement a (bounded) buffer of request body data to provide a limited
but safe fix for the mod_ssl renegotiation-vs-requests-with-bodies
bug:
* modules/ssl/ssl_private.h (ssl_io_buffer_fill): Add prototype.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill,
ssl_io_filter_buffer): New functions.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): If a
renegotiation is needed, and the request has a non-zero
content-length, or a t-e header (and 100-continue was not requested),
call ssl_io_buffer_fill to set aside the request body data if
possible, then proceed with the negotiation.
PR: 12355 |
93be7f634f9ab62b564793ca2872d460190a02ba 289444 |
|
16-Sep-2005 |
dreid |
- remove ssl_ext_lookup and replace it with ssl_ext_list
- change ssl_expr_eval_oid to use ssl_ext_list
This change provides for a single function that provides an array of all
values from a certificate that match a given extension and removes the
duplicated code that was present.
Reviewed by: Joe Orton |
9d129b55f5a43abf43865c6b0eb6dd19bc22aba8 263931 |
|
29-Aug-2005 |
ianh |
Doxygen fixup / cleanup
Submitted by: Neale Ranns neale ranns.org
reviewed by: Ian Holsman |
ffc73e4aea6c747e13214e75117ada2d74500d14 224722 |
|
25-Jul-2005 |
jorton |
* modules/ssl/ssl_expr_eval.c (ssl_expr_eval_oid): Remove unused
variable.
* modules/ssl/ssl_private.h, modules/ssl/mod_ssl.h
(ssl_extlist_by_oid): Move prototype to ssl_private.h. |
42167da203d969a1402cf7ce09c14586c04af1df 209827 |
|
08-Jul-2005 |
jim |
Good suggestion from a private Email. name changes. |
81ebf4d4f943d1ec988dd10105354e510c2da1d8 209821 |
|
08-Jul-2005 |
jim |
Fix case where buggy OpenSSL internal cache continually grows.
So don't bother to store it, but still force OpenSSL
to provide a Session ID. |
825479074daa2c65852666c4b26d771dff957507 161958 |
|
19-Apr-2005 |
jorton |
Fix issue where mod_ssl does not pick up the ssl-unclean-shutdown
setting when configured e.g. as a reverse proxy:
* modules/ssl/ssl_private.h: Remove ssl_hook_Translate.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_ReadReq): Merge in
ssl_hook_Translate. (ssl_hook_Translate): Remove.
* modules/ssl/mod_ssl.c (ssl_register_hooks): Ensure that _ReadReq
hook runs after mod_setenvif.c; don't register translate_name hook.
PR: 34452 |
628cf3411e8a6d09e27b3666312e43832dda93f3 153933 |
|
15-Feb-2005 |
jorton |
* modules/ssl/mod_ssl.h: Add ssl_ext_lookup optional hook declaration.
* modules/ssl/ssl_engine_vars.c (ssl_ext_lookup): New function.
(ssl_var_register): Register optional function.
* modules/ssl/ssl_private.h (ssl_ext_lookup): Add prototype.
Submitted by: David Reid, Joe Orton |
08cb74ca432a8c24e39f17dedce527e6a47b8001 151408 |
|
04-Feb-2005 |
jerenkrantz |
Update copyright year to 2005 and standardize on current copyright owner line. |
e335319a08e12eb7daff9afa80e985dc53f652b8 125165 |
|
14-Jan-2005 |
jorton |
* modules/ssl/mod_ssl.c: Declare new config directives
SSLCADNRequestFile and SSLCADNRequestPath.
* modules/ssl/ssl_private.h (modssl_pk_server_t): Add ca_name_path,
ca_name_file fields.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_verify): If either of
SSLCADNRequestFile or SSLCADNRequestPath are configured, load the CA
DN list sent in the CertificateRequest from those certificates.
* modules/ssl/ssl_engine_config.c (modssl_ctx_init_server): Use
pcalloc to zero-initialize the entire modssl_pk_server_t structure.
(ssl_config_server_new): Merge the ca_name_* fields.
(ssl_cmd_SSLCADNRequestPath, ssl_cmd_SSLCADNRequestFile): New
functions.
PR: 32848
Submitted by: Tim Taylor <tim.taylor dfas.mil> |
d2ffb32434f79782ff7a364ffa31064698c5c645 105741 |
|
10-Nov-2004 |
jorton |
Add -t -DDUMP_CERTS option to mod_ssl which dumps the filenames of all
configured SSL certificates to stdout, useful for cron-ing through a
"do I need to renew any of my certificates this week" tool:
* modules/ssl/ssl_engine_config.c (ssl_hook_ConfigTest): New function.
* modules/ssl/mod_ssl.c (ssl_register_hooks): ...register it as a
test_config hook. |
f84d3d83a741c21154d42e0ebdec9b9b37efeedc 103834 |
|
03-Jun-2004 |
jorton |
Add "SSLUserName" directive to set r->user based on a chosen SSL
environment variable name.
* modules/ssl/ssl_private.h (struct SSLDirConfigRec): Add
szUserName field.
* modules/ssl/ssl_engine_config.c (ssl_config_perdir_create,
ssl_config_perdir_merge): Initialize and merge szUserName field.
(ssl_cmd_SSLUserName): New function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Set r->user to
the value of the chosen SSL environment variable.
* modules/ssl/mod_ssl.c: Add SSLUserName config directive.
PR: 20957
Submitted by: Martin v. Loewis <martin v.loewis.de> |
7efe7de73c89c26518714a504359244d03cfbbc5 103832 |
|
03-Jun-2004 |
jorton |
Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag
which uses the server's cipher preference order rather than the
client's.
* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
cipher_server_pref field.
* modules/ssl/ssl_engine_config.c (ssl_config_server_create,
ssl_config_server_merge): Initialize and merge cipher_server_pref
field.
(ssl_cmd_SSLHonorCipherOrder): New function.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
context option SSL_OP_CIPHER_SERVER_PREFERENCE when required.
PR: 28665
Submitted by: Jim Shneider <jschneid netilla.com> |
d60027cde3289d3ef35bc9d815882975eb60e6ab 103829 |
|
03-Jun-2004 |
jorton |
Drop support for the "CompatEnvVars" argument to SSLOptions, which was
never implemented in 2.0 and never needed to be.
* docs/ssl/ssl-std.conf.in: Remove CompatEnvVars examples.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Don't allow
the CompatEnvVars argument.
* modules/ssl/ssl_private.h: Remove SSL_OPT_COMPATENVVARS macro. |
160bda047cd72fec58224f4eaa0647cb9095d868 103793 |
|
27-May-2004 |
jorton |
* modules/ssl/ssl_scache.c (ssl_scache_expire): Remove unused function.
* modules/ssl/ssl_scache_dc.c (ssl_scache_dc_expire): Likewise.
* modules/ssl/ssl_scache_shmcb.c (ssl_scache_shmcb_expire): Likewise.
* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_expire): Make static.
* modules/ssl/ssl_private.h: Remove prototypes. |
b9d16b347b2230229dbaba492468270acfddcedb 103755 |
|
25-May-2004 |
jorton |
* modules/ssl/ssl_util.c, modules/ssl/ssl_private.h: Remove unused
functions ssl_util_strupper, ssl_util_ptxtstub, and
ssl_util_uuencode*. |
e42baee4b4254a1fe6347c11d53e92e5242d19dc 102860 |
|
05-Mar-2004 |
bnicholes |
Allow the enabled flag to be set to more than just TRUE or FALSE so that
the OPTIONAL flag can be correctly merged within the
ssl_config_server_merge() function. |
70535d6421eb979ac79d8f49d31cd94d75dd8b2f 102803 |
|
28-Feb-2004 |
jorton |
Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them. |