mod_ssl.c revision 28a2a3f8cc81354f027a4ac95abbbcd9e190db3f
842ae4bd224140319ae7feec1872b93dfd491143fielding/* Licensed to the Apache Software Foundation (ASF) under one or more
842ae4bd224140319ae7feec1872b93dfd491143fielding * contributor license agreements. See the NOTICE file distributed with
842ae4bd224140319ae7feec1872b93dfd491143fielding * this work for additional information regarding copyright ownership.
842ae4bd224140319ae7feec1872b93dfd491143fielding * The ASF licenses this file to You under the Apache License, Version 2.0
842ae4bd224140319ae7feec1872b93dfd491143fielding * (the "License"); you may not use this file except in compliance with
842ae4bd224140319ae7feec1872b93dfd491143fielding * the License. You may obtain a copy of the License at
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse *
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * http://www.apache.org/licenses/LICENSE-2.0
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse *
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * Unless required by applicable law or agreed to in writing, software
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * distributed under the License is distributed on an "AS IS" BASIS,
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * See the License for the specific language governing permissions and
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * limitations under the License.
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd */
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd/* _ _
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * _ __ ___ ___ __| | ___ ___| | mod_ssl
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * | | | | | | (_) | (_| | \__ \__ \ |
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * |_| |_| |_|\___/ \__,_|___|___/___/_|
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * |_____|
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * mod_ssl.c
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * Apache API interface structures
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse */
6ace32dacb8313226eb9019275d0e4fa45a15148rse
70535d6421eb979ac79d8f49d31cd94d75dd8b2fjorton#include "ssl_private.h"
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse#include "mod_ssl.h"
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick#include "mod_ssl_openssl.h"
a943533fd4d91d114af622731a405407990c4fb1rse#include "util_md5.h"
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim#include "util_mutex.h"
1660a5facf5797acb7aa1300f5ef86756a0bf493jorton#include "ap_provider.h"
1660a5facf5797acb7aa1300f5ef86756a0bf493jorton
a943533fd4d91d114af622731a405407990c4fb1rse#include <assert.h>
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
#if HAVE_VALGRIND
#include <valgrind.h>
/* Nonzero when the process runs under valgrind; set from RUNNING_ON_VALGRIND
 * in ssl_hook_pre_config.  Non-static, presumably so other mod_ssl sources
 * can consult it — not verified from this file. */
int ssl_running_on_valgrind = 0;
#endif
c12917da693bae4028a1d5a5e8224bceed8c739dsf
/* Implementation of the optional "pre_handshake" hook (the matching
 * declaration lives in a mod_ssl header, presumably mod_ssl_openssl.h).
 * RUN_ALL semantics: every registered (conn_rec *, SSL *) callback is run
 * in order until one returns something other than OK or DECLINED, which
 * is then the result; if all return OK/DECLINED the result is OK. */
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
                                    (conn_rec *c,SSL *ssl),
                                    (c,ssl), OK, DECLINED);
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse/*
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse * the table of configuration directives we provide
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse */
7933d4a963def02417113b6798d87a36395053b0rse
/*
 * Helpers for the directive table below.  Each expands to one command_rec
 * initialiser for a directive named "SSL<name>", handled by the function
 * ssl_cmd_SSL<name>, with the given argument style (TAKE1, FLAG, RAW_ARGS,
 * ...) and help text.  They differ only in where the directive is allowed:
 *
 *   SSL_CMD_ALL  - server config, plus per-directory/.htaccess contexts
 *                  when AllowOverride AuthConfig is granted
 *                  (RSRC_CONF|OR_AUTHCFG)
 *   SSL_CMD_SRV  - main server or <VirtualHost> config only (RSRC_CONF)
 *   SSL_CMD_DIR  - per-directory, override class taken from <type>
 *                  (expands to OR_<type>)
 *
 * The override class is what stops .htaccess authors from, e.g., changing
 * the certificate or protocol of a vhost — keep SRV-only directives SRV.
 */
#define SSL_CMD_ALL(name, args, desc) \
        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                       NULL, RSRC_CONF|OR_AUTHCFG, desc),

#define SSL_CMD_SRV(name, args, desc) \
        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                       NULL, RSRC_CONF, desc),

#define SSL_CMD_DIR(name, type, args, desc) \
        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                       NULL, OR_##type, desc),

/* Terminator entry of a command_rec table. */
#define AP_END_CMD { NULL }
7933d4a963def02417113b6798d87a36395053b0rse
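/*
 * The directive table exported through the module record.  Entries are
 * grouped by the context they apply to; the help strings are what
 * "httpd -L" prints.  Fix-ups relative to the previous revision are
 * confined to help text: missing separating spaces between concatenated
 * literals (SSLOptions, SSLRequire, SSLStaplingReturnResponderErrors) and
 * the unbalanced parenthesis in SSLProxyCheckPeerName.
 */
static const command_rec ssl_config_cmds[] = {
    /*
     * Global (main-server) context configuration directives
     */
    SSL_CMD_SRV(PassPhraseDialog, TAKE1,
                "SSL dialog mechanism for the pass phrase query "
                "('builtin', '|/path/to/pipe_program', "
                "or 'exec:/path/to/cgi_program')")
    SSL_CMD_SRV(SessionCache, TAKE1,
                "SSL Session Cache storage "
                "('none', 'nonenotnull', 'dbm:/path/to/file')")
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
    SSL_CMD_SRV(CryptoDevice, TAKE1,
                "SSL external Crypto Device usage "
                "('builtin', '...')")
#endif
    SSL_CMD_SRV(RandomSeed, TAKE23,
                "SSL Pseudo Random Number Generator (PRNG) seeding source "
                "('startup|connect builtin|file:/path|exec:/path [bytes]')")

    /*
     * Per-server context configuration directives
     */
    SSL_CMD_SRV(Engine, TAKE1,
                "SSL switch for the protocol engine "
                "('on', 'off')")
    SSL_CMD_SRV(FIPS, FLAG,
                "Enable FIPS-140 mode "
                "(`on', `off')")
    SSL_CMD_ALL(CipherSuite, TAKE1,
                "Colon-delimited list of permitted SSL Ciphers "
                "('XXX:...:XXX' - see manual)")
    SSL_CMD_SRV(CertificateFile, TAKE1,
                "SSL Server Certificate file "
                "('/path/to/file' - PEM or DER encoded)")
    SSL_CMD_SRV(CertificateKeyFile, TAKE1,
                "SSL Server Private Key file "
                "('/path/to/file' - PEM or DER encoded)")
    SSL_CMD_SRV(CertificateChainFile, TAKE1,
                "SSL Server CA Certificate Chain file "
                "('/path/to/file' - PEM encoded)")
#ifdef HAVE_TLS_SESSION_TICKETS
    /* The ticket key protects every resumed session it encrypted; it should
     * be as tightly permissioned as the private key and rotated, since a
     * long-lived ticket key lets a later compromise decrypt past sessions. */
    SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
                "TLS session ticket encryption/decryption key file (RFC 5077) "
                "('/path/to/file' - file with 48 bytes of random data)")
#endif
    SSL_CMD_ALL(CACertificatePath, TAKE1,
                "SSL CA Certificate path "
                "('/path/to/dir' - contains PEM encoded files)")
    SSL_CMD_ALL(CACertificateFile, TAKE1,
                "SSL CA Certificate file "
                "('/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(CADNRequestPath, TAKE1,
                "SSL CA Distinguished Name path "
                "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
    SSL_CMD_SRV(CADNRequestFile, TAKE1,
                "SSL CA Distinguished Name file "
                "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
    SSL_CMD_SRV(CARevocationPath, TAKE1,
                "SSL CA Certificate Revocation List (CRL) path "
                "('/path/to/dir' - contains PEM encoded files)")
    SSL_CMD_SRV(CARevocationFile, TAKE1,
                "SSL CA Certificate Revocation List (CRL) file "
                "('/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(CARevocationCheck, TAKE1,
                "SSL CA Certificate Revocation List (CRL) checking mode")
    /* 'optional_no_ca' accepts a client certificate whose chain could not be
     * validated; it only makes sense when a later layer performs the check. */
    SSL_CMD_ALL(VerifyClient, TAKE1,
                "SSL Client verify type "
                "('none', 'optional', 'require', 'optional_no_ca')")
    SSL_CMD_ALL(VerifyDepth, TAKE1,
                "SSL Client verify depth "
                "('N' - number of intermediate certificates)")
    SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
                "SSL Session Cache object lifetime "
                "('N' - number of seconds)")
/* Protocol names accepted by SSLProtocol/SSLProxyProtocol.  SSLv3 is in the
 * set for both builds; it is broken (POODLE) and should be disabled by
 * configuration wherever the peers allow it. */
#ifdef HAVE_TLSV1_X
#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
#else
#define SSL_PROTOCOLS "SSLv3|TLSv1"
#endif
    SSL_CMD_SRV(Protocol, RAW_ARGS,
                "Enable or disable various SSL protocols "
                "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")
    /* TLS-level compression leaks plaintext to an attacker who controls part
     * of it (CRIME); keep it off unless there is a specific need. */
    SSL_CMD_SRV(Compression, FLAG,
                "Enable SSL level compression "
                "(`on', `off')")
    /* Re-enables renegotiation with peers that lack the RFC 5746 secure
     * renegotiation extension, i.e. the prefix-injection weakness the
     * extension exists to close.  Compatibility knob only. */
    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                "Enable support for insecure renegotiation")
    SSL_CMD_ALL(UserName, TAKE1,
                "Set user name to SSL variable value")
    SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
                "Strict SNI virtual host checking")

#ifdef HAVE_SRP
    SSL_CMD_SRV(SRPVerifierFile, TAKE1,
                "SRP verifier file "
                "('/path/to/file' - created by srptool)")
    SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
                "SRP seed for unknown users (to avoid leaking a user's existence) "
                "('some secret text')")
#endif

    /*
     * Proxy configuration for remote SSL connections
     */
    SSL_CMD_SRV(ProxyEngine, FLAG,
                "SSL switch for the proxy protocol engine "
                "('on', 'off')")
    SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
                "SSL Proxy: enable or disable SSL protocol flavors "
                "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
    SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                "('XXX:...:XXX' - see manual)")
    /* Without certificate verification (and a name check, see the
     * ProxyCheckPeer* flags) TLS to a backend protects only against passive
     * observers, not against an active man-in-the-middle. */
    SSL_CMD_SRV(ProxyVerify, TAKE1,
                "SSL Proxy: whether to verify the remote certificate "
                "('on' or 'off')")
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
                "SSL Proxy: maximum certificate verification depth "
                "('N' - number of intermediate certificates)")
    SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
                "SSL Proxy: file containing server certificates "
                "('/path/to/file' - PEM encoded certificates)")
    SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
                "SSL Proxy: directory containing server certificates "
                "('/path/to/dir' - contains PEM encoded certificates)")
    SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
                "SSL Proxy: CA Certificate Revocation List (CRL) path "
                "('/path/to/dir' - contains PEM encoded files)")
    SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
                "SSL Proxy: CA Certificate Revocation List (CRL) file "
                "('/path/to/file' - PEM encoded)")
    SSL_CMD_SRV(ProxyCARevocationCheck, TAKE1,
                "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
    SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
                "SSL Proxy: file containing client certificates "
                "('/path/to/file' - PEM encoded certificates)")
    SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
                "SSL Proxy: directory containing client certificates "
                "('/path/to/dir' - contains PEM encoded certificates)")
    SSL_CMD_SRV(ProxyMachineCertificateChainFile, TAKE1,
                "SSL Proxy: file containing issuing certificates "
                "of the client certificate "
                "(`/path/to/file' - PEM encoded certificates)")
    SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
                "SSL Proxy: check the peer certificate's expiration date")
    SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
                "SSL Proxy: check the peer certificate's CN")
    SSL_CMD_SRV(ProxyCheckPeerName, FLAG,
                "SSL Proxy: check the peer certificate's name "
                "(must be present in subjectAltName extension or CN)")

    /*
     * Per-directory context configuration directives
     */
    SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
                "Set one or more options to configure the SSL engine "
                "('[+-]option[=value] ...' - see manual)")
    SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
                "Require the SSL protocol for the per-directory context "
                "(no arguments)")
    SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
                "Require a boolean expression to evaluate to true for granting access "
                "(arbitrary complex boolean expression - see manual)")
    SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
                "Configure the amount of memory that will be used for buffering the "
                "request body if a per-location SSL renegotiation is required due to "
                "changed access control requirements")

    SSL_CMD_SRV(OCSPEnable, FLAG,
                "Enable use of OCSP to verify certificate revocation ('on', 'off')")
    SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
                "URL of the default OCSP Responder")
    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
                "Force use of the default responder URL ('on', 'off')")
    SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
                "Maximum time difference in OCSP responses")
    SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
                "Maximum age of OCSP responses")
    SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
                "OCSP responder query timeout")
    /* Turning the nonce off allows a cached/replayed OCSP response to be
     * accepted within its validity window; only the time-based checks above
     * then bound how stale a response may be. */
    SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
                "Whether OCSP queries use a nonce or not ('on', 'off')")

#ifdef HAVE_OCSP_STAPLING
    /*
     * OCSP Stapling options
     */
    SSL_CMD_SRV(StaplingCache, TAKE1,
                "SSL Stapling Response Cache storage "
                "(`dbm:/path/to/file')")
    SSL_CMD_SRV(UseStapling, FLAG,
                "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
    SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
                "SSL stapling option for maximum time difference in OCSP responses")
    SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
                "SSL stapling option for OCSP responder timeout")
    SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
                "SSL stapling option for maximum age of OCSP responses")
    SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
                "SSL stapling option for normal OCSP Response Cache Lifetime")
    SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
                "SSL stapling switch to return Status Errors Back to Client "
                "(`on', `off')")
    SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
                "SSL stapling switch to send tryLater response to client on error "
                "(`on', `off')")
    SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
                "SSL stapling option for OCSP Response Error Cache Lifetime")
    SSL_CMD_SRV(StaplingForceURL, TAKE1,
                "SSL stapling option to Force the OCSP Stapling URL")
#endif

#ifdef HAVE_SSL_CONF_CMD
    /* Pass-through to OpenSSL's own configuration interface; anything set
     * here bypasses the validation the dedicated directives perform. */
    SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
                "OpenSSL configuration command")
#endif

    /* Deprecated directives: ap_set_deprecated reports the help text as the
     * configuration error, so these fail startup with a pointer to the
     * replacement rather than being silently ignored. */
    AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
      "SSLLog directive is no longer supported - use ErrorLog."),
    AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
      "SSLLogLevel directive is no longer supported - use LogLevel."),

    AP_END_CMD
};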
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
7933d4a963def02417113b6798d87a36395053b0rse/*
7933d4a963def02417113b6798d87a36395053b0rse * the various processing hooks
7933d4a963def02417113b6798d87a36395053b0rse */
/*
 * Pool cleanup that tears down the OpenSSL global state brought up by
 * ssl_hook_pre_config.  It is registered on pconf with a NULL data
 * pointer, so it runs when the configuration pool is destroyed.
 *
 * The calls mirror the initialisation sequence in ssl_hook_pre_config;
 * the version/feature guards skip steps that do not exist, or are not
 * safe to call, on a given OpenSSL build.  Statement order is kept as is.
 *
 * @param data unused (always NULL, see the registration call).
 * @return APR_SUCCESS unconditionally.
 */
static apr_status_t ssl_cleanup_pre_config(void *data)
{
    /*
     * Try to kill the internals of the SSL library.
     */
    /* Corresponds to OPENSSL_load_builtin_modules():
     * XXX: borrowed from apps.h, but why not CONF_modules_free()
     * which also invokes CONF_modules_finish()?
     */
    CONF_modules_unload(1);
    /* Corresponds to SSL_library_init: */
    EVP_cleanup();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    /* Corresponds to ENGINE_load_builtin_engines(). */
    ENGINE_cleanup();
#endif
    /* Free this thread's error queue; ERR_remove_state() was superseded by
     * ERR_remove_thread_state() in OpenSSL 1.0.0. */
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
    ERR_remove_thread_state(NULL);
#else
    ERR_remove_state(0);
#endif

    /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
     * actually loaded the error strings once per process due to static
     * variable abuse in OpenSSL. */
#if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
    ERR_free_strings();
#endif

    /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
     * ex_data indices may have been cached in static variables in
     * OpenSSL; removing them may cause havoc.  Notably, with OpenSSL
     * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
     * could result in a per-connection memory leak (!). */

    /*
     * TODO: determine somewhere we can safely shove out diagnostics
     * (when enabled) at this late stage in the game:
     * CRYPTO_mem_leaks_fp(stderr);
     */
    return APR_SUCCESS;
}
d1bb6e2664788e0437acc18e877562c9a796d7cerse
/*
 * pre_config hook: initialise the OpenSSL library globals and register
 * the services other modules and the configuration phase rely on, before
 * any directive is processed.
 *
 * The initialisation order (memory hooks, error strings, SSL_library_init,
 * engines, algorithm tables, CONF modules) is deliberate; the matching
 * teardown is ssl_cleanup_pre_config, tied to pconf's lifetime.
 *
 * @param pconf config pool; the cleanup and all registrations live here.
 * @param plog  unused in this function.
 * @param ptemp unused in this function.
 * @return OK unconditionally.
 */
static int ssl_hook_pre_config(apr_pool_t *pconf,
                               apr_pool_t *plog,
                               apr_pool_t *ptemp)
{

#if HAVE_VALGRIND
    /* Record once, at startup, whether we are running under valgrind. */
    ssl_running_on_valgrind = RUNNING_ON_VALGRIND;
#endif

    /* We must register the library in full, to ensure our configuration
     * code can successfully test the SSL environment.
     */
    CRYPTO_malloc_init();
    ERR_load_crypto_strings();
    SSL_load_error_strings();
    SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    /* Needed for SSLCryptoDevice; undone by ENGINE_cleanup() at teardown. */
    ENGINE_load_builtin_engines();
#endif
    OpenSSL_add_all_algorithms();
    OPENSSL_load_builtin_modules();

    /*
     * Let us cleanup the ssl library when the module is unloaded
     */
    apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
                                           apr_pool_cleanup_null);

    /* Register us to handle mod_log_config %c/%x variables */
    ssl_var_log_config_register(pconf);

    /* Register to handle mod_status status page generation */
    ssl_scache_status_register(pconf);

    /* Register mutex type names so they can be configured with Mutex */
    /* Default directory (NULL), default mechanism, no options: admins
     * override these per type with the core Mutex directive. */
    ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
#ifdef HAVE_OCSP_STAPLING
    ap_mutex_register(pconf, SSL_STAPLING_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
#endif

    return OK;
}
7933d4a963def02417113b6798d87a36395053b0rse
/*
 * Return the per-connection SSL record for c, creating and attaching one
 * if the connection does not have it yet.
 *
 * A fresh record is zero-filled (apr_pcalloc) except for server, which is
 * seeded with c->base_server, and verify_depth, which starts as UNSET so a
 * later explicit setting can be told apart from "never configured".
 *
 * @param c the connection whose record is wanted.
 * @return the record now attached to c.
 */
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
{
    SSLConnRec *rec = myConnConfig(c);

    if (!rec) {
        rec = apr_pcalloc(c->pool, sizeof(*rec));

        rec->server = c->base_server;
        rec->verify_depth = UNSET;

        myConnConfigSet(c, rec);
    }

    return rec;
}
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
/*
 * Mark connection c as an outbound (proxy) TLS connection.
 *
 * The connection record is created if missing, and the server config is
 * taken from the record's server.  If SSLProxyEngine is off there, an
 * error is logged (APLOGNO 01961) and 0 is returned with the record left
 * untouched; otherwise is_proxy is set, disabled is cleared and 1 is
 * returned.
 *
 * @param c the connection to enable proxy SSL on.
 * @return 1 on success, 0 when the server has no SSLProxyEngine on.
 */
static int ssl_proxy_enable(conn_rec *c)
{
    SSLConnRec *sslconn = ssl_init_connection_ctx(c);
    SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);

    if (sc->proxy_enabled) {
        sslconn->is_proxy = 1;
        sslconn->disabled = 0;
        return 1;
    }

    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
                  "SSL Proxy requested for %s but not enabled "
                  "[Hint: SSLProxyEngine]", sc->vhost_id);

    return 0;
}
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
/*
 * Optional function: switch SSL off for connection c.
 *
 * The server configuration is looked up through the connection record when
 * one exists, otherwise through c->base_server.  If SSLEngine is already
 * off for that server nothing is changed and 0 is returned; otherwise a
 * connection record is created if needed, flagged disabled, and 1 is
 * returned.
 */
static int ssl_engine_disable(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);
    server_rec *s = sslconn ? sslconn->server : c->base_server;
    SSLSrvConfigRec *sc = mySrvConfig(s);

    if (sc->enabled == SSL_ENABLED_FALSE) {
        return 0;
    }

    /* ssl_init_connection_ctx() returns the existing record or a new one. */
    ssl_init_connection_ctx(c)->disabled = 1;

    return 1;
}
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
/*
 * Optional function: register NPN callbacks for connection c.
 *
 * advertisefn is appended to sslconn->npn_advertfns and negotiatedfn to
 * sslconn->npn_negofns; either may be NULL to register only the other.
 * Both arrays are created together on the first registration.
 *
 * Returns OK on success, DECLINED when the connection has no SSL record,
 * and always DECLINED when the build has no NPN support (HAVE_TLS_NPN
 * undefined).
 */
static int modssl_register_npn(conn_rec *c,
                               ssl_npn_advertise_protos advertisefn,
                               ssl_npn_proto_negotiated negotiatedfn)
{
#ifdef HAVE_TLS_NPN
    SSLConnRec *sslconn = myConnConfig(c);

    if (sslconn == NULL) {
        return DECLINED;
    }

    /* Lazily create both callback arrays; the advertise array doubles as
     * the "already initialised" marker for the pair. */
    if (sslconn->npn_advertfns == NULL) {
        sslconn->npn_advertfns = apr_array_make(c->pool, 5,
                                                sizeof(ssl_npn_advertise_protos));
        sslconn->npn_negofns = apr_array_make(c->pool, 5,
                                              sizeof(ssl_npn_proto_negotiated));
    }

    if (advertisefn != NULL) {
        APR_ARRAY_PUSH(sslconn->npn_advertfns,
                       ssl_npn_advertise_protos) = advertisefn;
    }
    if (negotiatedfn != NULL) {
        APR_ARRAY_PUSH(sslconn->npn_negofns,
                       ssl_npn_proto_negotiated) = negotiatedfn;
    }

    return OK;
#else
    return DECLINED;
#endif
}
8a2483ae14c7d9c1ee21a92e4251202456af5747jorton
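/*
 * Create the OpenSSL connection object for c and install the SSL I/O
 * filters.
 *
 * c  connection to secure.
 * r  request that triggered a per-request initialisation, or NULL on the
 *    pre_connection path (passed through to ssl_io_filter_init()).
 *
 * Returns APR_SUCCESS once sslconn->ssl is set and the filters are in
 * place; DECLINED (with c->aborted set) if the SSL object could not be
 * created or its session-id context could not be set; or whatever
 * status other than OK/DECLINED a pre_handshake hook returned.
 *
 * Fix: the object returned by SSL_new() is now released with SSL_free()
 * on the two early-return paths.  Previously sslconn->ssl was assigned
 * only at the very end, so a failing ssl_run_pre_handshake() or
 * SSL_set_session_id_context() left the SSL object unreferenced and never
 * freed.
 */
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
    SSLSrvConfigRec *sc;
    SSL *ssl;
    SSLConnRec *sslconn;
    char *vhost_md5;
    int rc;
    modssl_ctx_t *mctx;
    server_rec *server;

    /* Returns the existing record when one is already attached. */
    sslconn = ssl_init_connection_ctx(c);
    server = sslconn->server;
    sc = mySrvConfig(server);

    /*
     * Seed the Pseudo Random Number Generator (PRNG)
     */
    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");

    /* Outgoing proxy connections use the client-side context. */
    mctx = sslconn->is_proxy ? sc->proxy : sc->server;

    /*
     * Create a new SSL connection with the configured server SSL context and
     * attach this to the socket. Additionally we register this attachment
     * so we can detach later.
     */
    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
                      "Unable to create a new SSL connection from the SSL "
                      "context");
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);

        c->aborted = 1;

        return DECLINED; /* XXX */
    }

    rc = ssl_run_pre_handshake(c, ssl);
    if (rc != OK && rc != DECLINED) {
        /* Not yet attached to sslconn, so nothing else will release it.
         * Assumes no pre_handshake hook retains the SSL pointer — TODO
         * confirm against the registered hook implementations. */
        SSL_free(ssl);
        return rc;
    }

    /*
     * The session-id context ties resumed sessions to this virtual host;
     * ap_md5_binary() yields the hex digest, hence the *2 length.
     */
    vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
                              sc->vhost_id_len);

    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                    APR_MD5_DIGESTSIZE*2))
    {
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
                      "Unable to set session id context to '%s'", vhost_md5);
        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);

        SSL_free(ssl);
        c->aborted = 1;

        return DECLINED; /* XXX */
    }

    SSL_set_app_data(ssl, c);
    SSL_set_app_data2(ssl, NULL); /* will be request_rec */

    sslconn->ssl = ssl;

    SSL_set_verify_result(ssl, X509_V_OK);

    ssl_io_filter_init(c, r, ssl);

    return APR_SUCCESS;
}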
7933d4a963def02417113b6798d87a36395053b0rse
/*
 * http_scheme hook: answer "https" for requests on a server where
 * SSLEngine is on.  When it is off or optional return NULL so another
 * module (or the core default) supplies the scheme.
 */
static const char *ssl_hook_http_scheme(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    switch (sc->enabled) {
    case SSL_ENABLED_FALSE:
    case SSL_ENABLED_OPTIONAL:
        return NULL;
    default:
        return "https";
    }
}
7933d4a963def02417113b6798d87a36395053b0rse
/*
 * default_port hook: report 443 as the default port for a server where
 * SSLEngine is on.  When it is off or optional return 0 so another module
 * (or the core default) decides.
 */
static apr_port_t ssl_hook_default_port(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    switch (sc->enabled) {
    case SSL_ENABLED_FALSE:
    case SSL_ENABLED_OPTIONAL:
        return 0;
    default:
        return 443;
    }
}
7933d4a963def02417113b6798d87a36395053b0rse
/*
 * pre_connection hook: decide whether SSL is spoken on connection c and,
 * if so, create the OpenSSL object and filters via
 * ssl_init_ssl_connection().
 *
 * Returns DECLINED when SSLEngine is not on for the server and mod_proxy
 * has not requested SSL for the connection (is_proxy), or when
 * ssl_engine_disable() flagged the connection; otherwise the status of
 * ssl_init_ssl_connection().  csd (the client socket) is not used.
 */
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
    SSLConnRec *sslconn = myConnConfig(c);
    SSLSrvConfigRec *sc = mySrvConfig(sslconn ? sslconn->server
                                              : c->base_server);
    int proxy_requested = sslconn && sslconn->is_proxy;

    /*
     * Immediately stop processing if SSL is disabled for this connection
     */
    if (sc == NULL
        || (sc->enabled != SSL_ENABLED_TRUE && !proxy_requested)) {
        return DECLINED;
    }

    /* From here on a per-connection record must exist. */
    if (sslconn == NULL) {
        sslconn = ssl_init_connection_ctx(c);
    }

    if (sslconn->disabled) {
        return DECLINED;
    }

    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
                  "Connection to child %ld established "
                  "(server %s)", c->id, sc->vhost_id);

    return ssl_init_ssl_connection(c, NULL);
}
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse/*
7933d4a963def02417113b6798d87a36395053b0rse * the module registration phase
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse */
a943533fd4d91d114af622731a405407990c4fb1rse
/*
 * Module hook registration: wires mod_ssl's request/connection phases into
 * the server, registers its output/input filters and environment
 * variables, exports the optional functions other modules call, and
 * registers the "ssl" and "ssl-verify-client" authz providers.
 */
static void ssl_register_hooks(apr_pool_t *p)
{
    /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
     * run after mod_setenvif's post_read_request hook. */
    static const char *pre_prr[] = { "mod_setenvif.c", NULL };

    ssl_io_filter_register(p);

    ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_test_config   (ssl_hook_ConfigTest,    NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_post_config   (ssl_init_Module,        NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_http_scheme   (ssl_hook_http_scheme,   NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_default_port  (ssl_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_pre_config    (ssl_hook_pre_config,    NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_child_init    (ssl_init_Child,         NULL,NULL, APR_HOOK_MIDDLE);
    /* check_authn runs APR_HOOK_FIRST, ahead of the other auth hooks here;
     * presumably so client-certificate users are established before
     * authorization — confirm in ssl_hook_UserCheck. */
    ap_hook_check_authn   (ssl_hook_UserCheck,     NULL,NULL, APR_HOOK_FIRST,
                           AP_AUTH_INTERNAL_PER_CONF);
    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_MIDDLE);
    ap_hook_check_access  (ssl_hook_Access,        NULL,NULL, APR_HOOK_MIDDLE,
                           AP_AUTH_INTERNAL_PER_CONF);
    ap_hook_check_authz   (ssl_hook_Auth,          NULL,NULL, APR_HOOK_MIDDLE,
                           AP_AUTH_INTERNAL_PER_CONF);
    ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);

    ssl_var_register(p);

    /* Optional functions: callable by other modules (e.g. a proxy module)
     * at run time without a link-time dependency on mod_ssl. */
    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
    APR_REGISTER_OPTIONAL_FN(modssl_register_npn);

    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
                              AUTHZ_PROVIDER_VERSION,
                              &ssl_authz_provider_require_ssl,
                              AP_AUTH_INTERNAL_PER_CONF);

    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
                              AUTHZ_PROVIDER_VERSION,
                              &ssl_authz_provider_verify_client,
                              AP_AUTH_INTERNAL_PER_CONF);

}
7933d4a963def02417113b6798d87a36395053b0rse
/*
 * Module descriptor picked up by the server's LoadModule machinery.
 * Positional initialiser: the standard header macro first, then the
 * per-directory and per-server config constructors/mergers, the
 * directive table and the hook registration function above.
 */
module AP_MODULE_DECLARE_DATA ssl_module = {
    STANDARD20_MODULE_STUFF,
    ssl_config_perdir_create,   /* create per-dir    config structures */
    ssl_config_perdir_merge,    /* merge  per-dir    config structures */
    ssl_config_server_create,   /* create per-server config structures */
    ssl_config_server_merge,    /* merge  per-server config structures */
    ssl_config_cmds,            /* table of configuration directives   */
    ssl_register_hooks          /* register hooks */
};