mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo. For related discussion, see the dev@ thread starting at: http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables. * docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table * modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case * modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars") * modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype * modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being. * modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile Splitting the patch into smaller pieces turned out to be infeasible, unfortunately, due to the heavily intertwined code in ssl_engine_config.c, ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the modssl_pk_server_t data structure. For better comprehensibility, a detailed listing of the changes follows: ssl_private.h - drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t - use apr_array_header_t for cert_files and key_files - drop tPublicCert from SSLModConfigRec - drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants ssl_engine_config.c - change to apr_array_header_t for SSLCertificate[Key]File - drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs and keys (in theory; currently OpenSSL does not support more than one cert/key per algorithm type) - add deprecation warning for SSLCertificateChainFile ssl_engine_init.c - configure server certs/keys in ssl_init_server_certs (no longer via ssl_pphrase_Handle in ssl_init_Module) - in ssl_init_server_certs, read in certificates and keys with standard OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to ssl_load_encrypted_pkey when encountering an encrypted private key - drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check, and ssl_init_ctx_cleanup_server - move the "problematic re-initialization" check to ssl_init_server_ctx ssl_engine_pphrase.c - use servername:port:index as the key identifier, instead of the previously used servername:port:algorithm - ssl_pphrase_Handle overhaul: remove all cert/public-key handling, make it only load a single (encrypted) private key, and rename to ssl_load_encrypted_pkey - in the passphrase prompt message, show the private key file name instead of the vhost id and the algorithm name - do no longer supply the algorithm name as an argument to "exec"-type passphrase prompting programs ssl_util.c - drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr, and ssl_asn1_table_keyfmt ssl_util_ssl.{c,h} - drop SSL_read_X509 - constify the filename arg for SSL_read_PrivateKey

SGC became dead in January 2000, effectively (http://www.gpo.gov/fdsys/pkg/FR-2000-01-14/pdf/00-983.pdf) Almost 14 years later, there's certainly no longer any need to spit out some fancy log message.

mod_ssl: add support for subjectAltName-based host name checking in proxy mode (PR 54030) factor out code from ssl_engine_init.c:ssl_check_public_cert() to ssl_util_ssl.c:SSL_X509_match_name() introduce new SSLProxyCheckPeerName directive, which should eventually obsolete SSLProxyCheckPeerCN ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication when aborting with HTTP_BAD_GATEWAY

fix signedness issue with SSL_X509_NAME_to_string()'s maxlen argument

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, so that mod_ssl retains binary compatibility with future versions when internal structures are changed. Use API functions where available, and fall back to direct access for OpenSSL up to 1.0.0, where needed. Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was never used by any released version of mod_ssl.

In ssl_check_public_cert(), also take dNSNames in the subjectAltName extension into account when checking the cert against the configured ServerName. PR 32652, PR 47051. Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125).

Cleanup effort in prep for GA push: Trim trailing whitespace... no func change

Add ssl_log_xerror() and ssl_log_rxerror(), modeled after ssl_log_cxerror(). Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name to an RFC 2253 formatted string. Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().

Modify SSLProxyMachineCertificateChainFile to use X509 instead of X509_INFO and use openssl to construct the chain

Revamp CRL checking for client and remote servers: - completely delegate CRL processing to OpenSSL - introduce a new [Proxy]CARevocationCheck directive - drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c - remove X509_STORE from modssl_ctx_t - drop CRL store helper functions from ssl_util_ssl.c - avoid sending "certificate_expired" SSL alerts to peers when the nextUpdate field of a CRL is in the past

Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812

Remove the ssl_toolkit_compat layer, which is no longer needed after support for non-OpenSSL toolkits has been dropped. Replace macros by their value proper where feasible, and keep those definitions in ssl_private.h which depend on specific OpenSSL versions.

Drop support for the RSA BSAFE SSL-C toolkit from configure, and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups).

Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and escape other special characters with backslashes. The old format can still be used with the LegacyDNStringFormat argument to SSLOptions.

*) adds compile-time/run time SSL-C version support *) simplify a ton of overly-verbose legacy code *) split the compiled-against v.s. runtime library *) precache the results of the version string touchup

update license header text

Update the copyright year in all .c, .h and .xml files

Doxygen fixup / cleanup submited by: Neale Ranns neale ranns.org reviewed by: Ian Holsman

Update copyright year to 2005 and standardize on current copyright owner line.

fix name of The Apache Software Foundation

fix copyright dates according to the first check in

apply Apache License, Version 2.0

update license to 2004.

Introduce a number of SSLC hints to mod_ssl, including the following type overrides; MODSSL_CLIENT_CERT_CB_ARG_TYPE MODSSL_PCHAR_CAST (for a host of non-void/const sslc values) modssl_read_bio_cb_fn (for several callbacks with same prototypes) Declare callback functions appropriately. And protect us from indetermineant toolkits with #error "Unrecognized SSL Toolkit!"

finished that boring job: update license to 2003. Happy New Year! ;-))

enable/cleanup SSL_X509_INFO_load_{file,path} functions for use in proxy context

move prototype for modssl_session_get_time to ssl_util_ssl.h

add modssl_dh_configure() function to fold some duplication in get_dh{512,1024} and provide toolkit compat for sslc 2.x

Update our copyright for this year.

SSL_SESSION_id2sz() was NOT THREAD SAFE. it returned a pointer to a static variable. fixed.

move OpenSSL specific SSL_{get,set}_state macros to the #ifdef'd group of macros for OpenSSL in mod_ssl.h

get rid of SSL_get_app_data2_idx() which had a race condition when writing to app_data2_idx, and another inside OpenSSL when calling SSL_get_ex_new_index(). add SSL_init_app_data2_idx() to provide the same functionality but in a safe place: called during ssl_init_Module PR: Obtained from: Submitted by: Reviewed by:

Explicitly fix some types, and opt-out on macro conflicts

This patch eliminates the direct use of OS library calls (fopen and other depreciated Apache 1.3 library utilities) from ssl_engine_pphrase.c and ssl_util_ssl.c. Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

Apply mod_ssl MEGA porting patch. This is a cleaned up version of the latest patches from Madhusudan which makes mod_ssl 95% working inside Apache 2.0. There is still a lot of more work (both porting and cleanup) to do be done. See modules/ssl/README for details. Submitted by: Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>

Quiet the compiler, msvc is sticky about arg lists being consistent.

Port ssl_util_ssl.[ch] stuff to APR.

Use different namespace for internal defines.

Nothing to port for ssl_engine_dh.c except that SSL_LIBRARY_VERSION has to be already available.

Next step in mod_ssl integration: Add missing files to build environment.

mod_ssl integration step 2: transfer copyright of all code to ASF by using Apache Software License v1.1

Initial revision