README revision 24506d391380bbdca873f78ac8e147b346b26ccd
SYNOPSIS

  This Apache module provides strong cryptography for the Apache 2.0 webserver
  via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
  v1) protocols with the help of the SSL/TLS implementation library OpenSSL,
  which is based on SSLeay from Eric A. Young and Tim J. Hudson.

  The mod_ssl package was created in April 1998 by Ralf S. Engelschall
  and was originally derived from software developed by Ben Laurie for
  use in the Apache-SSL HTTP server project. The mod_ssl implementation
  for Apache 1.3 continues to be supported by the modssl project
  <http://www.modssl.org/>.

SOURCES

  See the top-level LAYOUT file in httpd-2.0 for file descriptions.

  The source files are written in clean ANSI C and pass the ``gcc -O -g
  -ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
  -Wmissing-declarations -Wnested-externs -Winline'' compiler test
  (assuming `gcc' is GCC 2.95.2 or newer) without any complaints. When
  you make changes or additions, make sure the source still passes this
  compiler test.

FUNCTIONS

  Inside the source code you will be confronted with the following types of
  functions, which can be identified by their prefixes:

  ap_xxxx() ............... Apache API function
  ssl_xxxx() .............. mod_ssl function
  SSL_xxxx() .............. OpenSSL function (SSL library)
  OpenSSL_xxxx() .......... OpenSSL function (SSL library)
  X509_xxxx() ............. OpenSSL function (Crypto library)
  PEM_xxxx() .............. OpenSSL function (Crypto library)
  EVP_xxxx() .............. OpenSSL function (Crypto library)
  RSA_xxxx() .............. OpenSSL function (Crypto library)

DATA STRUCTURES

  Inside the source code you will be confronted with the following
  data structures:

  server_rec .............. Apache (Virtual) Server
  conn_rec ................ Apache Connection
  request_rec ............. Apache Request
  SSLModConfig ............ mod_ssl (Global) Module Configuration
  SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
  SSLDirConfig ............ mod_ssl Directory Configuration
  SSLConnConfig ........... mod_ssl Connection Configuration
  SSLFilterRec ............ mod_ssl Filter Context
  SSL_CTX ................. OpenSSL Context
  SSL_METHOD .............. OpenSSL Protocol Method
  SSL_CIPHER .............. OpenSSL Cipher
  SSL_SESSION ............. OpenSSL Session
  SSL ..................... OpenSSL Connection
  BIO ..................... OpenSSL Connection Buffer

  For an overview of how these are related and chained together, have a look
  at the page in README.dsov.{fig,ps}. It contains overview diagrams for those
  data structures. It's designed for DIN A4 paper size, but you can easily
  generate a smaller version inside XFig by specifying a magnification on the
  Export panel.

EXPERIMENTAL CODE

  Experimental code is always encapsulated as follows:

  | #ifdef SSL_EXPERIMENTAL_xxxx
  | ...
  | #endif

  This way it is only compiled in when this define is enabled with
  the APACI --enable-rule=SSL_EXPERIMENTAL option and as long as the
  C pre-processor variable SSL_EXPERIMENTAL_xxxx_IGNORE is _NOT_
  defined (via CFLAGS). Or in other words: SSL_EXPERIMENTAL enables all
  SSL_EXPERIMENTAL_xxxx variables, except if SSL_EXPERIMENTAL_xxxx_IGNORE
  is already defined. Currently the following features are experimental:

  o SSL_EXPERIMENTAL_ENGINE
    The ability to support the new forthcoming OpenSSL ENGINE stuff.
    Until this development branch of OpenSSL is merged into the main
    stream, you have to use openssl-engine-0.9.x.tar.gz for this.
    mod_ssl automatically recognizes this OpenSSL variant and can then
    activate external crypto devices through the SSLCryptoDevice directive.
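  The gating rule above, worked through in C as an added illustration (this
  is not mod_ssl's own header). The two #defines at the top stand in for what
  the APACI --enable-rule=SSL_EXPERIMENTAL option and a
  -DSSL_EXPERIMENTAL_xxxx_IGNORE in CFLAGS would set on a real build;
  SSL_EXPERIMENTAL_FOO is a hypothetical feature name used only to show that
  the _IGNORE define wins over the master switch. The two query functions let
  you confirm at run time which experimental blocks a binary was built with.

```c
#include <stdio.h>

/* Stand-in for "--enable-rule=SSL_EXPERIMENTAL": the master switch that
 * turns on every SSL_EXPERIMENTAL_xxxx feature at once. */
#define SSL_EXPERIMENTAL

/* Stand-in for CFLAGS=-DSSL_EXPERIMENTAL_FOO_IGNORE: opts one (hypothetical)
 * feature back out even though the master switch is on. */
#define SSL_EXPERIMENTAL_FOO_IGNORE

/* Derivation rule from the README: SSL_EXPERIMENTAL_xxxx is defined exactly
 * when SSL_EXPERIMENTAL is on and SSL_EXPERIMENTAL_xxxx_IGNORE is absent. */
#if defined(SSL_EXPERIMENTAL) && !defined(SSL_EXPERIMENTAL_ENGINE_IGNORE)
#define SSL_EXPERIMENTAL_ENGINE
#endif
#if defined(SSL_EXPERIMENTAL) && !defined(SSL_EXPERIMENTAL_FOO_IGNORE)
#define SSL_EXPERIMENTAL_FOO
#endif

/* Returns 1 when the "#ifdef SSL_EXPERIMENTAL_ENGINE ... #endif" block
 * would be compiled in, 0 when it is stripped by the pre-processor. */
int ssl_experimental_engine_compiled(void)
{
#ifdef SSL_EXPERIMENTAL_ENGINE
    return 1;
#else
    return 0;
#endif
}

/* Same check for the hypothetical FOO feature: the master switch is on,
 * but SSL_EXPERIMENTAL_FOO_IGNORE takes precedence, so this yields 0. */
int ssl_experimental_foo_compiled(void)
{
#ifdef SSL_EXPERIMENTAL_FOO
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("ENGINE code compiled in: %d\n", ssl_experimental_engine_compiled());
    printf("FOO code compiled in:    %d\n", ssl_experimental_foo_compiled());
    return 0;
}
```

  Remove the first #define to see both functions return 0, which is the
  default state of a build that never enabled the SSL_EXPERIMENTAL rule:
  experimental code stays out of the binary unless it is asked for.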

INCOMPATIBILITIES

  The following intentional incompatibilities exist between mod_ssl 2.x
  for Apache 1.3 and this mod_ssl version for Apache 2.0:

  o The complete EAPI-based SSL_VENDOR stuff was removed.
  o The complete EAPI-based SSL_COMPAT stuff was removed.
  o The <IfDefine> variable MOD_SSL is no longer provided automatically.

MAJOR CHANGES

  The following major changes were made between mod_ssl 2.x
  for Apache 1.3 and this mod_ssl version for Apache 2.0:

  o The DBM based session cache is now based on APR's DBM API only.
  o The shared memory based session cache is now based on APR's APIs.
  o SSL I/O is now implemented in terms of filters rather than BUFF.
  o Eliminated ap_global_ctx. Persistent information is now stored in
    process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
    ssl_config_global_*() functions have an extra parameter now,
    "server_rec *", which is used to retrieve the SSLModConfigRec.
  o Properly support restarts, allowing mod_ssl to be added to a server
    that is already running and to change server certs/keys on restart.
  o Various performance enhancements.
  o Proxy support is no longer an "extension"; much of the mod_ssl core
    was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
    it could be re-used in proxy mode.
    - the optional function ssl_proxy_enable is provided for mod_proxy
      to enable proxy support
    - proxy support now requires 'SSLProxyEngine on' to be configured
    - proxy now supports SSLProxyCARevocation{Path,File} in addition to
      the original SSLProxy* directives
  o Per-directory SSLCACertificate{File,Path} is now thread-safe but
    requires the SSL_set_cert_store patch to OpenSSL.
  o RSA sslc is supported via ssl_toolkit_compat.h.
  o The ssl_engine_{ds,ext}.c source files are obsolete and no longer
    exist.
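
  The proxy-side configuration the bullets above describe, as an added
  example that is not shipped with mod_ssl: SSLProxyEngine must be switched
  on explicitly before any other SSLProxy* directive takes effect, and the
  new SSLProxyCARevocation{File,Path} directives let the proxy reject a
  backend whose certificate has been revoked. SSLProxyVerify and
  SSLProxyCACertificateFile are existing mod_ssl directives not listed on
  this page; every path below is a placeholder.

```apache
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Proxy SSL is no longer implicit: without this line the SSLProxy*
    # directives below are silently ineffective.
    SSLProxyEngine on

    # Require the backend to present a certificate chaining to this CA ...
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/backend-ca.crt

    # ... and check it against the CA's revocation list (new in this version;
    # SSLProxyCARevocationPath may be used instead for a hashed directory).
    SSLProxyCARevocationFile /path/to/backend-ca.crl

    ProxyPass        /app/ https://backend.internal/app/
    ProxyPassReverse /app/ https://backend.internal/app/
</VirtualHost>
```

  Without the SSLProxyVerify/SSLProxyCACertificateFile pair the proxy would
  encrypt the backend leg but accept any certificate; the revocation file
  only adds value once verification is required.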

TODO

  See the top-level STATUS file in httpd-2.0 for current efforts and goals.