ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when checking the server certificate constraints (SSL_X509_getBC()).

Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables. * docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table * modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case * modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars") * modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype * modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being. * modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes

mod_ssl: SSL_smart_shutdown(): follow up to r1601184. Use SSL_get_wbio() to comply with OPENSSL_NO_SSL_INTERN. Stop SSL shutdown loop when flush fails.

mod_ssl: Ensure that the SSL close notify alert is flushed to the client. PR54998. Submitted By: Tim Kosse <tim.kosse filezilla-project.org>, ylavic Committed By: ylavic

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile Splitting the patch into smaller pieces turned out to be infeasible, unfortunately, due to the heavily intertwined code in ssl_engine_config.c, ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the modssl_pk_server_t data structure. For better comprehensibility, a detailed listing of the changes follows: ssl_private.h - drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t - use apr_array_header_t for cert_files and key_files - drop tPublicCert from SSLModConfigRec - drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants ssl_engine_config.c - change to apr_array_header_t for SSLCertificate[Key]File - drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs and keys (in theory; currently OpenSSL does not support more than one cert/key per algorithm type) - add deprecation warning for SSLCertificateChainFile ssl_engine_init.c - configure server certs/keys in ssl_init_server_certs (no longer via ssl_pphrase_Handle in ssl_init_Module) - in ssl_init_server_certs, read in certificates and keys with standard OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to ssl_load_encrypted_pkey when encountering an encrypted private key - drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check, and ssl_init_ctx_cleanup_server - move the "problematic re-initialization" check to ssl_init_server_ctx ssl_engine_pphrase.c - use servername:port:index as the key identifier, instead of the previously used servername:port:algorithm - ssl_pphrase_Handle overhaul: remove all cert/public-key handling, make it only load a single (encrypted) private key, and rename to ssl_load_encrypted_pkey - in the passphrase prompt message, show the private key file name instead of the vhost id and the algorithm name - do no longer supply the algorithm name as an argument to "exec"-type passphrase prompting programs ssl_util.c - drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr, and ssl_asn1_table_keyfmt ssl_util_ssl.{c,h} - drop SSL_read_X509 - constify the filename arg for SSL_read_PrivateKey

SGC became dead in January 2000, effectively (http://www.gpo.gov/fdsys/pkg/FR-2000-01-14/pdf/00-983.pdf) Almost 14 years later, there's certainly no longer any need to spit out some fancy log message.

Improve ephemeral key handling (companion to r1526168): - allow to configure custom DHE or ECDHE parameters via the SSLCertificateFile directive, and adapt its documentation accordingly (addresses PR 49559) - add standardized DH parameters from RFCs 2409 and 3526, use them based on the length of the certificate's RSA/DSA key, and add a FAQ entry for clients which limit DH support to 1024 bits (such as Java 7 and earlier) - move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to ssl_util_ssl.c, and add ssl_ec_GetParamFromFile() - drop ssl_engine_dh.c from mod_ssl For the standardized DH parameters, OpenSSL version 0.9.8a or later is required, which was therefore made a new minimum requirement in r1527294.

SSL_SESSION_id2sz is only used for logging, having it in lowercase shouldn't be an issue.

According top my testing 'SSL_SESSION_id2sz' is 4x faster with the use 'ap_bin2hex' instead of apr_snprintf(..., "%02X" for each character. Output is the same. I have left the uppercase conversion, because I'm unsure if it is usefull or not.

Fix warning about discarding 'const' qualifier from pointer

mod_ssl: add support for subjectAltName-based host name checking in proxy mode (PR 54030) factor out code from ssl_engine_init.c:ssl_check_public_cert() to ssl_util_ssl.c:SSL_X509_match_name() introduce new SSLProxyCheckPeerName directive, which should eventually obsolete SSLProxyCheckPeerCN ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication when aborting with HTTP_BAD_GATEWAY

properly free the GENERAL_NAMEs, as pointed out in PR 32652

fix signedness issue with SSL_X509_NAME_to_string()'s maxlen argument

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, so that mod_ssl retains binary compatibility with future versions when internal structures are changed. Use API functions where available, and fall back to direct access for OpenSSL up to 1.0.0, where needed. Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was never used by any released version of mod_ssl.

In ssl_check_public_cert(), also take dNSNames in the subjectAltName extension into account when checking the cert against the configured ServerName. PR 32652, PR 47051. Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125).

Cleanup effort in prep for GA push: Trim trailing whitespace... no func change

Add ssl_log_xerror() and ssl_log_rxerror(), modeled after ssl_log_cxerror(). Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name to an RFC 2253 formatted string. Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().

Modify SSLProxyMachineCertificateChainFile to use X509 instead of X509_INFO and use openssl to construct the chain

Revamp CRL checking for client and remote servers: - completely delegate CRL processing to OpenSSL - introduce a new [Proxy]CARevocationCheck directive - drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c - remove X509_STORE from modssl_ctx_t - drop CRL store helper functions from ssl_util_ssl.c - avoid sending "certificate_expired" SSL alerts to peers when the nextUpdate field of a CRL is in the past

* Style fixes. No functional change.

Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812

Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and remove #ifdef'ed code which was relevant for earlier versions only.

Remove the ssl_toolkit_compat layer, which is no longer needed after support for non-OpenSSL toolkits has been dropped. Replace macros by their value proper where feasible, and keep those definitions in ssl_private.h which depend on specific OpenSSL versions.

Drop support for the RSA BSAFE SSL-C toolkit from configure, and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups).

Fix EBCDIC related cut'n'paste error

Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and escape other special characters with backslashes. The old format can still be used with the LegacyDNStringFormat argument to SSLOptions.

Fix some compiler warnings: - suggest braces around empty body in an 'if' statement - comparison of unsigned expression >= 0 is always true - comparison of unsigned expression < 0 is always false Please review carefully.

* Fix compiler warning

Code tidy, certificate extension decode can be done with the single function X509_get_ext_d2i().

The development trunk of OpenSSL has tightened up the type safety of the STACK construct and the functions that manipulate it. Make httpd trunk compile against OpenSSL HEAD as well as OpenSSL 0.9.8j. Also, get rid of some warnings.

update license header text

Update the copyright year in all .c, .h and .xml files

No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines

* modules/ssl/ssl_util_ssl.c (SSL_X509_STORE_create): Catch errors returned by X509_LOOKUP_add_dir or X509_LOOKUP_load_file to detect malformed or misconfigured CRLs. Clear error stack beforehand to ensure reported errors are relevant. PR: 36438

Update copyright year to 2005 and standardize on current copyright owner line.

Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h to be included even when mod_ssl is not enabled. * Makefile.in (install-include): Only install mod_ssl.h. * modules/ssl/ssl_private.h: New file. * modules/ssl/mod_ssl.h: Move everything apart from than the optional hook definitions into ssl_private.h. * modules/ssl/*.c: Include ssl_private.h not mod_ssl.h * modules/ssl/config.m4: Always add the mod_ssl directory to the include path so other modules can find mod_ssl.h. * modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional hook definitions rather than copy'n'pasting them.

fix name of The Apache Software Foundation

fix copyright dates according to the first check in

apply Apache License, Version 2.0

update license to 2004.

Use portable macro instead of the (no longer working) Apache-1.3 code

Introduce a number of SSLC hints to mod_ssl, including the following type overrides; MODSSL_CLIENT_CERT_CB_ARG_TYPE MODSSL_PCHAR_CAST (for a host of non-void/const sslc values) modssl_read_bio_cb_fn (for several callbacks with same prototypes) Declare callback functions appropriately. And protect us from indetermineant toolkits with #error "Unrecognized SSL Toolkit!"

finished that boring job: update license to 2003. Happy New Year! ;-))

All we care about is the type and name, just ask for the type and name.

fix the interface to PEM_read_bio_X509() with OpenSSL versions older than 0.9.4. Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com> Reviewed by: Jeff Trawick

stylistic improvements Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com> Reviewed by: Jeff Trawick

Remove warnings seen with Sun's Forte compiler.

fix SSL_X509_INFO_load_path so SSLProxyMachineCertificatePath works

enable/cleanup SSL_X509_INFO_load_{file,path} functions for use in proxy context

add modssl_dh_configure() function to fold some duplication in get_dh{512,1024} and provide toolkit compat for sslc 2.x

sslc does not currently support X509V3_EXT_d2i

toolkit compat for PEM_read_bio_PrivateKey

use compat macro for another PEM_read_bio_X509

toolkit compat for PEM_read_bio_X509

add modssl_session_get_time() function to give mod_ssl what it needs from SSL_SESSION_get_time() if using OpenSSL or sslc.

Update our copyright for this year.

SSL_SESSION_id2sz() was NOT THREAD SAFE. it returned a pointer to a static variable. fixed.

mod_ssl adjustments to help with using toolkits other than OpenSSL: Use SSL functions/macros instead of directly dereferencing SSL structures wherever possible. Add type-casts for the cases where functions return a generic pointer. Add $SSL/include to configure search path. PR: Obtained from: Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com> Reviewed by: dougm

get rid of SSL_get_app_data2_idx() which had a race condition when writing to app_data2_idx, and another inside OpenSSL when calling SSL_get_ex_new_index(). add SSL_init_app_data2_idx() to provide the same functionality but in a safe place: called during ssl_init_Module PR: Obtained from: Submitted by: Reviewed by:

Adapt to changed declaration of apr_pool_sub_make()

This patch eliminates the direct use of OS library calls (fopen and other depreciated Apache 1.3 library utilities) from ssl_engine_pphrase.c and ssl_util_ssl.c. Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

Apply mod_ssl MEGA porting patch. This is a cleaned up version of the latest patches from Madhusudan which makes mod_ssl 95% working inside Apache 2.0. There is still a lot of more work (both porting and cleanup) to do be done. See modules/ssl/README for details. Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

Quiet the compiler, msvc is sticky about arg lists being consistent.

Port ssl_util_ssl.[ch] stuff to APR.

Next step in mod_ssl integration: Add missing files to build environment.

mod_ssl integration step 2: transfer copyright of all code to ASF by using Apache Software License v1.1

Initial revision