README revision 9b796a6f748719a1cfe463517f1a103aca77e694
                      _             _
  _ __ ___   ___   __| |    ___ ___| |
 | '_ ` _ \ / _ \ / _` |   / __/ __| |
 | | | | | | (_) | (_| |   \__ \__ \ |   ``mod_ssl combines the flexibility of
 |_| |_| |_|\___/ \__,_|___|___/___/_|     Apache with the security of OpenSSL.''
                      |_____|
  mod_ssl                                ``Ralf Engelschall has released an
  Apache Interface to OpenSSL              excellent module that integrates
  http://www.modssl.org/                   Apache and SSLeay.''
  Version 2.8                                          -- Tim J. Hudson

SYNOPSIS

This Apache module provides strong cryptography for the Apache webserver
via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with the help of the SSL/TLS implementation library OpenSSL,
which is based on SSLeay by Eric A. Young and Tim J. Hudson. The mod_ssl
package was created in April 1998 by Ralf S. Engelschall and was originally
derived from software developed by Ben Laurie for use in the Apache-SSL HTTP
server project.

SOURCES

Here is a short overview of the source files:

  * README .................. This file ;)
  # Makefile.in ............. Makefile template for Unix platform
  # config.m4 ............... Autoconf stub for the Apache config mechanism
  # mod_ssl.c ............... main source file containing API structures
  # mod_ssl.h ............... common header file of mod_ssl
  # ssl_engine_config.c ..... module configuration handling
  # ssl_engine_dh.c ......... DSA/DH support
  # ssl_engine_ds.c ......... data structures
  - ssl_engine_ext.c ........ Extensions to other Apache parts
  # ssl_engine_init.c ....... module initialization
  * ssl_engine_io.c ......... I/O support
  # ssl_engine_kernel.c ..... SSL engine kernel
  # ssl_engine_log.c ........ logfile support
  # ssl_engine_mutex.c ...... mutual exclusion support
  # ssl_engine_pphrase.c .... pass-phrase handling
  # ssl_engine_rand.c ....... PRNG support
  # ssl_engine_vars.c ....... Variable Expansion support
  # ssl_expr.c .............. expression handling main source
  # ssl_expr.h .............. expression handling common header
  - ssl_expr_scan.c ......... expression scanner automaton (pre-generated)
  - ssl_expr_scan.l ......... expression scanner source
  - ssl_expr_parse.c ........ expression parser automaton (pre-generated)
  - ssl_expr_parse.h ........ expression parser header (pre-generated)
  - ssl_expr_parse.y ........ expression parser source
  # ssl_expr_eval.c ......... expression machine evaluation
  # ssl_scache.c ............ session cache abstraction layer
  # ssl_scache_dbm.c ........ session cache via DBM file
  - ssl_scache_shmcb.c ...... session cache via shared memory cyclic buffer
  - ssl_scache_shmht.c ...... session cache via shared memory hash table
  # ssl_util.c .............. utility functions
  # ssl_util_ssl.c .......... the OpenSSL companion source
  # ssl_util_ssl.h .......... the OpenSSL companion header
  # ssl_util_table.c ........ the hash table library source
  # ssl_util_table.h ........ the hash table library header

  Legend: # = already ported to Apache 2.0 and is cleaned up
          * = ported to Apache 2.0 but still needs cleaning up
          - = port still not finished

The source files are written in clean ANSI C and pass the ``gcc -O -g
-ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -Winline'' compiler test
(assuming `gcc' is GCC 2.95.2 or newer) without any complaints. When
you make changes or additions, make sure the source still passes this
compiler test.

FUNCTIONS

Inside the source code you will encounter the following types of
functions, which can be identified by their prefixes:

  ap_xxxx() ............... Apache API function
  ssl_xxxx() .............. mod_ssl function
  SSL_xxxx() .............. OpenSSL function (SSL library)
  OpenSSL_xxxx() .......... OpenSSL function (SSL library)
  X509_xxxx() ............. OpenSSL function (Crypto library)
  PEM_xxxx() .............. OpenSSL function (Crypto library)
  EVP_xxxx() .............. OpenSSL function (Crypto library)
  RSA_xxxx() .............. OpenSSL function (Crypto library)

DATA STRUCTURES

Inside the source code you will encounter the following data structures:

  server_rec .............. Apache (Virtual) Server
  conn_rec ................ Apache Connection
  BUFF .................... Apache Connection Buffer
  request_rec ............. Apache Request
  SSLModConfig ............ mod_ssl (Global) Module Configuration
  SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
  SSLDirConfig ............ mod_ssl Directory Configuration
  SSL_CTX ................. OpenSSL Context
  SSL_METHOD .............. OpenSSL Protocol Method
  SSL_CIPHER .............. OpenSSL Cipher
  SSL_SESSION ............. OpenSSL Session
  SSL ..................... OpenSSL Connection
  BIO ..................... OpenSSL Connection Buffer
  SSLFilterRec ............ mod_ssl Filter Context

For an overview of how these are related and chained together, have a look
at the page in README.dsov.{fig,ps}. It contains overview diagrams for these
data structures. It is designed for DIN A4 paper size, but you can easily
generate a smaller version inside XFig by specifying a magnification on the
Export panel.

EXPERIMENTAL CODE

Experimental code is always encapsulated as follows:

  | #ifdef SSL_EXPERIMENTAL_xxxx
  | ...
  | #endif

This way it is only compiled in when this define is enabled with the
APACI --enable-rule=SSL_EXPERIMENTAL option and as long as the C
pre-processor variable SSL_EXPERIMENTAL_xxxx_IGNORE is _NOT_ defined (via
CFLAGS). In other words: SSL_EXPERIMENTAL enables all SSL_EXPERIMENTAL_xxxx
variables, except those for which SSL_EXPERIMENTAL_xxxx_IGNORE is already
defined. Currently the following features are experimental:

  o SSL_EXPERIMENTAL_PERDIRCA
    The ability to use SSLCACertificateFile and SSLCACertificatePath
    in a per-directory context (.htaccess). This is provided by some nasty
    reconfiguration hacks until OpenSSL has better support for this. It
    should work on non-multithreaded platforms (all but Win32).

  o SSL_EXPERIMENTAL_PROXY
    The ability to use various additional SSLProxyXXX directives in
    order to control extended client functionality in the HTTPS proxy
    code.

  o SSL_EXPERIMENTAL_ENGINE
    The ability to support the forthcoming OpenSSL ENGINE API.
    Until this development branch of OpenSSL is merged into the main
    stream, you have to use openssl-engine-0.9.x.tar.gz for this.
    mod_ssl automatically recognizes this OpenSSL variant and can then
    activate external crypto devices through the SSLCryptoDevice directive.
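
As an added illustration (this is not code from mod_ssl itself), the
following stand-alone C program shows how the gating rule described above
resolves at preprocessing time. It simulates the build flags by defining
SSL_EXPERIMENTAL and SSL_EXPERIMENTAL_PROXY_IGNORE at the top of the file
instead of on the compiler command line; the three feature names are the
ones listed above, while the mapping block and the ssl_experimental_enabled()
helper are this example's own and are only assumed to mirror the rule the
text states.

```c
/* Added example, not part of mod_ssl: how SSL_EXPERIMENTAL gating resolves.
 * Feature names (PERDIRCA, PROXY, ENGINE) are the ones the README lists;
 * the mapping block and the helper function below are this example's own. */
#include <stdio.h>
#include <string.h>

/* Stand-in for the build flags (an assumption for this example): APACI
 * --enable-rule=SSL_EXPERIMENTAL supplies -DSSL_EXPERIMENTAL, and we pretend
 * CFLAGS also carried -DSSL_EXPERIMENTAL_PROXY_IGNORE to opt out of one
 * feature.  Drop these two defines and pass the flags to the compiler
 * instead to try other combinations. */
#ifndef SSL_EXPERIMENTAL
#define SSL_EXPERIMENTAL
#endif
#ifndef SSL_EXPERIMENTAL_PROXY_IGNORE
#define SSL_EXPERIMENTAL_PROXY_IGNORE
#endif

/* The rule from the text: SSL_EXPERIMENTAL switches on every
 * SSL_EXPERIMENTAL_xxxx unless SSL_EXPERIMENTAL_xxxx_IGNORE is already
 * defined.  Without SSL_EXPERIMENTAL nothing experimental is compiled in. */
#ifdef SSL_EXPERIMENTAL
# ifndef SSL_EXPERIMENTAL_PERDIRCA_IGNORE
#  define SSL_EXPERIMENTAL_PERDIRCA
# endif
# ifndef SSL_EXPERIMENTAL_PROXY_IGNORE
#  define SSL_EXPERIMENTAL_PROXY
# endif
# ifndef SSL_EXPERIMENTAL_ENGINE_IGNORE
#  define SSL_EXPERIMENTAL_ENGINE
# endif
#endif

/* Report whether a feature was compiled in: 1 = yes, 0 = no, -1 = unknown
 * name.  Each feature body sits inside the #ifdef SSL_EXPERIMENTAL_xxxx
 * wrapper the README prescribes, so the answer is decided by the
 * preprocessor, exactly as for real experimental code. */
int ssl_experimental_enabled(const char *feature)
{
    if (strcmp(feature, "PERDIRCA") == 0) {
#ifdef SSL_EXPERIMENTAL_PERDIRCA
        return 1;   /* per-directory SSLCACertificate* code present */
#else
        return 0;
#endif
    }
    if (strcmp(feature, "PROXY") == 0) {
#ifdef SSL_EXPERIMENTAL_PROXY
        return 1;
#else
        return 0;   /* suppressed by SSL_EXPERIMENTAL_PROXY_IGNORE */
#endif
    }
    if (strcmp(feature, "ENGINE") == 0) {
#ifdef SSL_EXPERIMENTAL_ENGINE
        return 1;   /* SSLCryptoDevice directive would be available */
#else
        return 0;
#endif
    }
    return -1;
}

int main(void)
{
    const char *names[] = { "PERDIRCA", "PROXY", "ENGINE" };
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("SSL_EXPERIMENTAL_%s: %s\n", names[i],
               ssl_experimental_enabled(names[i]) == 1 ? "compiled in"
                                                       : "left out");
    return 0;
}
```

With the two simulated flags, PERDIRCA and ENGINE report "compiled in" and
PROXY reports "left out"; removing the SSL_EXPERIMENTAL define makes all
three report "left out", which is the non-experimental default build.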

INCOMPATIBILITIES

The following intentional incompatibilities exist between mod_ssl 2.x
for Apache 1.3 and this mod_ssl version for Apache 2.0:

  o The complete EAPI-based SSL_VENDOR stuff was removed.
  o The complete EAPI-based SSL_COMPAT stuff was removed.
  o The <IfDefine> variable MOD_SSL is no longer provided automatically.
  o The complete SSL_CONSERVATIVE stuff was removed, i.e., SSL
    renegotiations in combination with POST requests are not supported
    until the problem is solved again, this time through layered I/O.
    (Such a mid-request renegotiation is triggered when a per-directory
    context requires SSL parameters, for example a stricter
    SSLVerifyClient, that differ from those the connection was negotiated
    with; for a POST, the request body already read from the connection
    has to be dealt with before the handshake can be redone.)

MAJOR CHANGES

The following major changes were made between mod_ssl 2.x
for Apache 1.3 and this mod_ssl version for Apache 2.0:

  o The DBM based session cache is now based on APR's DBM API only.
  o Introduced filter logic (similar to mod_tls).
  o Eliminated ap_global_ctx. Persistent information is now stored in
    process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
    ssl_config_global_*() functions have an extra parameter now,
    "server_rec *", which is used to retrieve the SSLModConfigRec.

TODO

  o Cleanup ssl_engine_io.c !!
  o Port all remaining code (code inside #if 0...#endif blocks)
  o Do we need SSL_set_read_ahead()?
  o Enable use of MM, SHMCB and SHMHT.
  o Enable SSL extensions (ssl_engine_ext.c)