This Apache module provides strong cryptography for the Apache 2 webserver
via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with the help of the SSL/TLS implementation library OpenSSL, which
is based on SSLeay from Eric A. Young and Tim J. Hudson.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall
and was originally derived from software developed by Ben Laurie for
use in the Apache-SSL HTTP server project. The mod_ssl implementation
for Apache 1.3 continues to be supported by the modssl project

See the top-level LAYOUT file for file descriptions.
The source files are written in clean ANSI C and pass the ``gcc -O -g
-ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -Winline'' compiler test
(assuming `gcc' is GCC 2.95.2 or newer) without any complaints. When
you make changes or additions, make sure the source still passes this
compiler test.

Inside the source code you will be confronted with the following types of
functions, which can be identified by their prefixes:

  ap_xxxx() ............... Apache API function
  ssl_xxxx() .............. mod_ssl function
  SSL_xxxx() .............. OpenSSL function (SSL library)
  OpenSSL_xxxx() .......... OpenSSL function (SSL library)
  X509_xxxx() ............. OpenSSL function (Crypto library)
  PEM_xxxx() .............. OpenSSL function (Crypto library)
  EVP_xxxx() .............. OpenSSL function (Crypto library)
  RSA_xxxx() .............. OpenSSL function (Crypto library)
DATA STRUCTURES

Inside the source code you will be confronted with the following
data structures:

  server_rec .............. Apache (Virtual) Server
  conn_rec ................ Apache Connection
  request_rec ............. Apache Request
  SSLModConfig ............ mod_ssl (Global) Module Configuration
  SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
  SSLDirConfig ............ mod_ssl Directory Configuration
  SSLConnConfig ........... mod_ssl Connection Configuration
  SSLFilterRec ............ mod_ssl Filter Context
  SSL_CTX ................. OpenSSL Context
  SSL_METHOD .............. OpenSSL Protocol Method
  SSL_CIPHER .............. OpenSSL Cipher
  SSL_SESSION ............. OpenSSL Session
  SSL ..................... OpenSSL Connection
  BIO ..................... OpenSSL Connection Buffer

For an overview of how these are related and chained together, have a look at the
page in README.dsov.{fig,ps}. It contains overview diagrams for those data
structures. It's designed for DIN A4 paper size, but you can easily generate
a smaller version inside XFig by specifying a magnification on the Export
INCOMPATIBILITIES

The following intentional incompatibilities exist between mod_ssl 2.x
from Apache 1.3 and this mod_ssl version for Apache 2:

  o The complete EAPI-based SSL_VENDOR stuff was removed.
  o The complete EAPI-based SSL_COMPAT stuff was removed.
  o The <IfDefine> variable MOD_SSL is no longer provided automatically
MAJOR CHANGES

For a complete history of changes for Apache 2 mod_ssl, see the
CHANGES file in the top-level directory. The following
is a condensed summary of the major changes that were made between
mod_ssl 2.x from Apache 1.3 and this mod_ssl version for Apache 2:

  o The DBM based session cache is now based on APR's DBM API only.
  o The shared memory based session cache is now based on APR's APIs.
  o SSL I/O is now implemented in terms of filters rather than BUFF
  o Eliminated ap_global_ctx. Persistent information is now stored in
    process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
    ssl_config_global_*() functions have an extra parameter now -
    "server_rec *" - which is used to retrieve the SSLModConfigRec.
  o Properly support restarts, allowing mod_ssl to be added to a server
    that is already running and to change server certs/keys on restart
  o Various performance enhancements
  o proxy support is no longer an "extension"; much of the mod_ssl core
    was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
    it could be re-used in proxy mode.
    - the optional function ssl_proxy_enable is provided for mod_proxy
      to enable proxy support
    - proxy support now requires 'SSLProxyEngine on' to be configured
    - proxy now supports SSLProxyCARevocation{Path,File} in addition to
      the original SSLProxy* directives
  o per-directory SSLCACertificate{File,Path} is now thread-safe but
    requires SSL_set_cert_store patch to OpenSSL
  o the ssl_engine_{ds,ext}.c source files are obsolete and no longer

See the top-level STATUS file for current efforts and goals.
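As an added illustration of the proxy-mode change listed above (this is not configuration shipped with mod_ssl), the fragment below shows how 'SSLProxyEngine on' and SSLProxyCARevocationFile fit together with the original SSLProxy* verification directives in a reverse-proxy virtual host; the certificate, key, CA and CRL paths and the backend host name are placeholders.

```apache
# Added example, not part of the mod_ssl README. Paths and host names
# are placeholders; replace them with the values for your deployment.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # Front-end TLS for clients connecting to this server.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Required before mod_proxy will talk to an https:// backend at all.
    SSLProxyEngine on

    # SSLProxyEngine on by itself does not verify the backend's certificate
    # (SSLProxyVerify defaults to none), so the proxy would accept any
    # certificate the backend presents. Make verification mandatory and
    # pin it to the CA that issues backend certificates.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem

    # CRL checking for the backend chain, the directive this README lists
    # as newly supported in proxy mode. Keep the CRL file refreshed.
    SSLProxyCARevocationFile  /etc/ssl/crl/backend-ca.crl

    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

A quick check after a restart is to point the backend at a certificate not issued by backend-ca.pem and confirm the proxied request fails with a verification error in the SSL error log rather than being served.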