f4c3ded5dd561f8aa9779f227fed41303c15efaa 1666297 |
|
12-Mar-2015 |
ylavic |
ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
checking the server certificate constraints (SSL_X509_getBC()). |
032982212dbcc7c3cce95bf89c503bb56e185ac7 1650047 |
|
07-Jan-2015 |
kbrand |
Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.
* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
environment variables table
* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
of subjectAltName entries for the "StdEnvVars" case
* modules/ssl/ssl_engine_vars.c: add support for retrieving the
SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
or with full-list extraction to the environment ("StdEnvVars")
* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype
* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
entry types appearing in user or server certificates (i.e., rfc822Name
and dNSName), for the time being.
* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
and SSL_X509_getSAN prototypes |
79f464f872d97336c20515910e9ef4896c218c87 1601274 |
|
09-Jun-2014 |
ylavic |
mod_ssl: SSL_smart_shutdown(): follow up to r1601184.
Use SSL_get_wbio() to comply with OPENSSL_NO_SSL_INTERN.
Stop SSL shutdown loop when flush fails. |
01402a0fbec8bd11f6c10d8ef9c9cceac68bb787 1601184 |
|
08-Jun-2014 |
ylavic |
mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
PR54998.
Submitted By: Tim Kosse <tim.kosse filezilla-project.org>, ylavic
Committed By: ylavic |
60998c490ad3334eb07ae63b23b479ac564dec94 1553824 |
|
28-Dec-2013 |
kbrand |
Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:
ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
and keys (in theory; currently OpenSSL does not support more than
one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile
ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx
ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
make it only load a single (encrypted) private key, and rename
to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
instead of the vhost id and the algorithm name
- do no longer supply the algorithm name as an argument to "exec"-type
passphrase prompting programs
ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
and ssl_asn1_table_keyfmt
ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey |
98ea7234320e62075374137a3be1fd4a8de1af0b 1546805 |
|
01-Dec-2013 |
kbrand |
SGC became dead in January 2000, effectively
(http://www.gpo.gov/fdsys/pkg/FR-2000-01-14/pdf/00-983.pdf)
Almost 14 years later, there's certainly no longer any need
to spit out some fancy log message. |
b4e664baba9a4be0457c31f84b3dcc4c31f2cb07 1527295 |
|
29-Sep-2013 |
kbrand |
Improve ephemeral key handling (companion to r1526168):
- allow to configure custom DHE or ECDHE parameters via the
SSLCertificateFile directive, and adapt its documentation
accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526,
use them based on the length of the certificate's RSA/DSA key,
and add a FAQ entry for clients which limit DH support
to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl
For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294. |
21b72c73161fea0fc150a1e2c59be5e7c0be79f1 1451484 |
|
01-Mar-2013 |
jailletc36 |
SSL_SESSION_id2sz is only used for logging, having it in lowercase shouldn't be an issue. |
76fd02ce6aa984189050fa979bb5142dc409fc66 1429559 |
|
06-Jan-2013 |
jailletc36 |
According top my testing 'SSL_SESSION_id2sz' is 4x faster with the use 'ap_bin2hex' instead of
apr_snprintf(..., "%02X" for each character.
Output is the same.
I have left the uppercase conversion, because I'm unsure if it is usefull or not. |
85378b9f9e4b0d6cdd7f3d61d919191520ecdd19 1426850 |
|
29-Dec-2012 |
sf |
Fix warning about discarding 'const' qualifier from pointer |
d58a822aff1dfda25384d3d009f88f1883c95436 1425874 |
|
26-Dec-2012 |
kbrand |
mod_ssl: add support for subjectAltName-based host name checking in proxy mode
(PR 54030)
factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()
introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN
ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY |
e0ddd66eab7de16fdf7c29a02885c53015a8fa16 1294471 |
|
28-Feb-2012 |
kbrand |
properly free the GENERAL_NAMEs, as pointed out in PR 32652 |
41cfeab1b7ec1ed81de039e811565b1c6df999f9 1228816 |
|
08-Jan-2012 |
kbrand |
fix signedness issue with SSL_X509_NAME_to_string()'s maxlen argument |
53e2218c565ed45d3a7c69dd4c4ef6b1aad5f70a 1222917 |
|
24-Dec-2011 |
kbrand |
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl. |
2c238b83c08ac2d040d9057b1ba83ba7f71138b7 1176752 |
|
28-Sep-2011 |
kbrand |
In ssl_check_public_cert(), also take dNSNames in the subjectAltName
extension into account when checking the cert against the configured
ServerName. PR 32652, PR 47051.
Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array
of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125). |
5bfaaf573bacb45c1cf290ce85ecc676587e8a64 1174751 |
|
23-Sep-2011 |
jim |
Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change |
8f435d95de2724d4bc75338a9af8ef995e451599 1172797 |
|
19-Sep-2011 |
kbrand |
Add ssl_log_xerror() and ssl_log_rxerror(), modeled after ssl_log_cxerror().
Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name
to an RFC 2253 formatted string.
Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string(). |
329aafcb026993f7566d517835613a9fa837ab1d 1170833 |
|
14-Sep-2011 |
druggeri |
Modify SSLProxyMachineCertificateChainFile to use X509 instead of X509_INFO and use openssl to construct the chain |
77504f17963a8dd941a921d9ddfa25ddb0f348d6 1165056 |
|
04-Sep-2011 |
kbrand |
Revamp CRL checking for client and remote servers:
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
when the nextUpdate field of a CRL is in the past |
06333dd19193064baaa80be43738c1bb1cbc74d5 1161011 |
|
24-Aug-2011 |
rpluem |
* Style fixes. No functional change. |
44985e4f931d3a75a7e5108705010cc21605ee34 1160863 |
|
23-Aug-2011 |
druggeri |
Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812 |
292707b9868335763d6f2bb74a263134eeeb8cad 1154688 |
|
07-Aug-2011 |
kbrand |
Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only. |
070235bcb25af37efebf6405b082413144968289 1154687 |
|
07-Aug-2011 |
kbrand |
Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.
Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions. |
4281cf6a722c99ae21394dc2000bd48efcebdb3a 1154683 |
|
07-Aug-2011 |
kbrand |
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.
Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups). |
891dbb7544437f18df066dd6f967cf5199b4f6f2 1054453 |
|
02-Jan-2011 |
sf |
Fix EBCDIC related cut'n'paste error |
1b1621900bd89ddc496d721c865a726f635ebd7e 1054323 |
|
02-Jan-2011 |
sf |
Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions. |
dcdabda52983308aa928293a933a4d1b87c2ec51 954641 |
|
14-Jun-2010 |
sf |
Fix some compiler warnings:
- suggest braces around empty body in an 'if' statement
- comparison of unsigned expression >= 0 is always true
- comparison of unsigned expression < 0 is always false
Please review carefully. |
de354043e97eca0e40f5cf222eb1931b0027240e 930892 |
|
05-Apr-2010 |
rpluem |
* Fix compiler warning |
fce1531e42e00be4b381527ad13b6c765a8628f4 930131 |
|
02-Apr-2010 |
drh |
Code tidy, certificate extension decode can be done with the single
function X509_get_ext_d2i(). |
7ddf719489971b2a300535f8faedc0809fb201fa 748396 |
|
27-Feb-2009 |
sctemme |
The development trunk of OpenSSL has tightened up the type safety of the STACK construct
and the functions that manipulate it. Make httpd trunk compile against OpenSSL HEAD
as well as OpenSSL 0.9.8j. Also, get rid of some warnings. |
842ae4bd224140319ae7feec1872b93dfd491143 420983 |
|
11-Jul-2006 |
fielding |
update license header text |
3d81f57512275ca06a60a9bcbd23c1f8b429fdf2 395228 |
|
19-Apr-2006 |
colm |
Update the copyright year in all .c, .h and .xml files |
e8f95a682820a599fe41b22977010636be5c2717 332306 |
|
10-Nov-2005 |
jim |
No functional Change: Removing trailing whitespace. This also
means that "blank" lines consisting of just spaces or
tabs are now really blank lines |
b57d193942edf0ba2c04cecbcd43859ed3e25293 265702 |
|
01-Sep-2005 |
jorton |
* modules/ssl/ssl_util_ssl.c (SSL_X509_STORE_create): Catch errors
returned by X509_LOOKUP_add_dir or X509_LOOKUP_load_file to detect
malformed or misconfigured CRLs. Clear error stack beforehand to
ensure reported errors are relevant.
PR: 36438 |
08cb74ca432a8c24e39f17dedce527e6a47b8001 151408 |
|
04-Feb-2005 |
jerenkrantz |
Update copyright year to 2005 and standardize on current copyright owner line. |
70535d6421eb979ac79d8f49d31cd94d75dd8b2f 102803 |
|
28-Feb-2004 |
jorton |
Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.
* Makefile.in (install-include): Only install mod_ssl.h.
* modules/ssl/ssl_private.h: New file.
* modules/ssl/mod_ssl.h: Move everything apart from than the optional
hook definitions into ssl_private.h.
* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h
* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.
* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them. |
78cd48acd325773619d78ac0d7263a99a8922fae 102618 |
|
09-Feb-2004 |
nd |
fix name of The Apache Software Foundation |
460e3d5eb142dab19f47842c85d0a522aab49b68 102573 |
|
08-Feb-2004 |
nd |
fix copyright dates according to the first check in |
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dc 102525 |
|
06-Feb-2004 |
nd |
apply Apache License, Version 2.0 |
26a4456dd6f1a5d7d7fff766551461a578687c4a 102135 |
|
01-Jan-2004 |
nd |
update license to 2004. |
75e45aecbfb2f11f3aaab3e2571386101967522f 100314 |
|
20-Jun-2003 |
martin |
Use portable macro instead of the (no longer working) Apache-1.3 code |
b40799adcfd0f0a2a465c2934585986f7bbc9bbc 99183 |
|
03-Apr-2003 |
wrowe |
Introduce a number of SSLC hints to mod_ssl, including the following
type overrides;
MODSSL_CLIENT_CERT_CB_ARG_TYPE
MODSSL_PCHAR_CAST (for a host of non-void/const sslc values)
modssl_read_bio_cb_fn (for several callbacks with same prototypes)
Declare callback functions appropriately.
And protect us from indetermineant toolkits with
#error "Unrecognized SSL Toolkit!" |
33bdcae1f7a1a65e351dda2a766a0cf28b1e695d 98573 |
|
03-Feb-2003 |
nd |
finished that boring job:
update license to 2003.
Happy New Year! ;-)) |
c14b311793c9e0d498e7ed1baf05d365fb8a2e8c 98090 |
|
23-Dec-2002 |
wrowe |
All we care about is the type and name, just ask for the type and name. |
fd75ff2d3551332b02994496a088f89fa488dc3d 97308 |
|
26-Oct-2002 |
trawick |
fix the interface to PEM_read_bio_X509() with OpenSSL versions older than 0.9.4.
Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: Jeff Trawick |
dba4976101d25e62fb6dcee15862208a4c9f3d87 97298 |
|
25-Oct-2002 |
trawick |
stylistic improvements
Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: Jeff Trawick |
f4c472b8dce3c2e559232dbb5b27ed2466922ea4 96818 |
|
15-Sep-2002 |
jerenkrantz |
Remove warnings seen with Sun's Forte compiler. |
16e8fecd2783ad8838eb5782a050f5ed74a49915 94406 |
|
03-Apr-2002 |
dougm |
fix SSL_X509_INFO_load_path so SSLProxyMachineCertificatePath works |
9d0d2ad2438f2e8c9ff1dd64b243605170d739ae 94323 |
|
30-Mar-2002 |
dougm |
enable/cleanup SSL_X509_INFO_load_{file,path} functions for use in
proxy context |
8a96aa4ee2febc7cd4454abf7bacb049d8a811bf 94225 |
|
27-Mar-2002 |
dougm |
add modssl_dh_configure() function to fold some duplication in
get_dh{512,1024} and provide toolkit compat for sslc 2.x |
1640d64f4f55300ae8e627bb6e9351938dbad5e8 94216 |
|
27-Mar-2002 |
dougm |
sslc does not currently support X509V3_EXT_d2i |
fa4cfabc823d4518b120303025354de99c44127e 94215 |
|
27-Mar-2002 |
dougm |
toolkit compat for PEM_read_bio_PrivateKey |
9ba6a373bd1f11b36c5d6612b44e930b73d7d142 94214 |
|
27-Mar-2002 |
dougm |
use compat macro for another PEM_read_bio_X509 |
b216613d863eb562edab1af4f8c6ee719e88bdf1 94213 |
|
27-Mar-2002 |
dougm |
toolkit compat for PEM_read_bio_X509 |
8625a88be934bc27aa9374bd8d80ba1b7e10ee0a 94195 |
|
27-Mar-2002 |
dougm |
add modssl_session_get_time() function to give mod_ssl what it needs
from SSL_SESSION_get_time() if using OpenSSL or sslc. |
bc8fd1b0b1afdf89b8d28eefa8cd74e26ba97986 93918 |
|
13-Mar-2002 |
fielding |
Update our copyright for this year. |
bdec92dd2c27b079aebb91250204febb4c59d7ea 93899 |
|
13-Mar-2002 |
dougm |
SSL_SESSION_id2sz() was NOT THREAD SAFE. it returned a pointer to a
static variable. fixed. |
7f683bb300df767164724ebc664f339ac396b434 92800 |
|
10-Jan-2002 |
dougm |
mod_ssl adjustments to help with using toolkits other than OpenSSL:
Use SSL functions/macros instead of directly dereferencing SSL
structures wherever possible.
Add type-casts for the cases where functions return a generic pointer.
Add $SSL/include to configure search path.
PR:
Obtained from:
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by: dougm |
726be39314e1b2ede8378630efccce4cdeb88a31 92110 |
|
21-Nov-2001 |
dougm |
get rid of SSL_get_app_data2_idx() which had a race condition when
writing to app_data2_idx, and another inside OpenSSL when calling
SSL_get_ex_new_index().
add SSL_init_app_data2_idx() to provide the same functionality but in
a safe place: called during ssl_init_Module
PR:
Obtained from:
Submitted by:
Reviewed by: |
5f5cf29f312202de493ce7f406992c13c1d13c32 89871 |
|
02-Aug-2001 |
wrowe |
Adapt to changed declaration of apr_pool_sub_make() |
11d86cf418a6bbd569546bfbf3306d75dd115cbb 89818 |
|
31-Jul-2001 |
wrowe |
This patch eliminates the direct use of OS library calls (fopen and
other depreciated Apache 1.3 library utilities) from ssl_engine_pphrase.c
and ssl_util_ssl.c.
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> |
a943533fd4d91d114af622731a405407990c4fb1 89618 |
|
19-Jul-2001 |
rse |
Apply mod_ssl MEGA porting patch. This is a cleaned up version of the
latest patches from Madhusudan which makes mod_ssl 95% working inside
Apache 2.0. There is still a lot of more work (both porting and cleanup)
to do be done. See modules/ssl/README for details.
Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> |
611cb193576274ee9aa7b40c5f70f279e2dd0b16 89461 |
|
28-Jun-2001 |
wrowe |
Quiet the compiler, msvc is sticky about arg lists being consistent. |
8f814b7f614b48dfa686cae4f7142df28a752b31 89029 |
|
05-May-2001 |
rse |
Port ssl_util_ssl.[ch] stuff to APR. |
02c7b3fa1c2c34a3a9bd236f6cbf2fc5486b8bb0 89006 |
|
05-May-2001 |
rse |
Next step in mod_ssl integration:
Add missing files to build environment. |
d86ef5503dcbc38e87c0e03cd3e1f16458cb6323 88995 |
|
05-May-2001 |
rse |
mod_ssl integration step 2:
transfer copyright of all code to ASF by using Apache Software License v1.1 |
cc003103e52ff9d5fe9bed567ef9438613ab4fbf 88988 |
|
04-May-2001 |
rse |
Initial revision |