modules/ssl/mod_ssl.c

	mod_ssl.c revision 4ede070ca63bd4c48045e35a7192582769770290
842ae4bd224140319ae7feec1872b93dfd491143fielding/* Licensed to the Apache Software Foundation (ASF) under one or more
842ae4bd224140319ae7feec1872b93dfd491143fielding * contributor license agreements.  See the NOTICE file distributed with
842ae4bd224140319ae7feec1872b93dfd491143fielding * this work for additional information regarding copyright ownership.
842ae4bd224140319ae7feec1872b93dfd491143fielding * The ASF licenses this file to You under the Apache License, Version 2.0
842ae4bd224140319ae7feec1872b93dfd491143fielding * (the "License"); you may not use this file except in compliance with
842ae4bd224140319ae7feec1872b93dfd491143fielding * the License.  You may obtain a copy of the License at
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse *
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd *     http://www.apache.org/licenses/LICENSE-2.0
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse *
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * Unless required by applicable law or agreed to in writing, software
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * distributed under the License is distributed on an "AS IS" BASIS,
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * See the License for the specific language governing permissions and
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * limitations under the License.
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd */
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd/*                      _             _
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * | | | | | | (_) | (_| |   \__ \__ \ |
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * |_| |_| |_|\___/ \__,_|___|___/___/_|
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd *                      |_____|
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd *  mod_ssl.c
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd *  Apache API interface structures
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse */
6ace32dacb8313226eb9019275d0e4fa45a15148rse
70535d6421eb979ac79d8f49d31cd94d75dd8b2fjorton#include "ssl_private.h"
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse#include "mod_ssl.h"
a943533fd4d91d114af622731a405407990c4fb1rse#include "util_md5.h"
67139e2d50d1e11558d87f7042f61cb04bb0d1d2jim#include "util_mutex.h"
a943533fd4d91d114af622731a405407990c4fb1rse#include <assert.h>
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse/*
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse *  the table of configuration directives we provide
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse */
7933d4a963def02417113b6798d87a36395053b0rse
7933d4a963def02417113b6798d87a36395053b0rse#define SSL_CMD_ALL(name, args, desc) \
71c00f988beb28388702e14cb7fe06f08bd792bbdougm        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                       NULL, RSRC_CONF|OR_AUTHCFG, desc),
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
7933d4a963def02417113b6798d87a36395053b0rse#define SSL_CMD_SRV(name, args, desc) \
71c00f988beb28388702e14cb7fe06f08bd792bbdougm        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                       NULL, RSRC_CONF, desc),
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
7933d4a963def02417113b6798d87a36395053b0rse#define SSL_CMD_DIR(name, type, args, desc) \
71c00f988beb28388702e14cb7fe06f08bd792bbdougm        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                       NULL, OR_##type, desc),
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
7933d4a963def02417113b6798d87a36395053b0rse#define AP_END_CMD { NULL }
7933d4a963def02417113b6798d87a36395053b0rse
d1bb6e2664788e0437acc18e877562c9a796d7cersestatic const command_rec ssl_config_cmds[] = {
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse    /*
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     * Global (main-server) context configuration directives
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     */
c95d39bd1b86b856ca72485516e7b2e61008fe96wrowe    SSL_CMD_SRV(Mutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(PassPhraseDialog, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL dialog mechanism for the pass phrase query "
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                "(`builtin', `|/path/to/pipe_program`, "
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                "or `exec:/path/to/cgi_program')")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(SessionCache, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Session Cache storage "
42167da203d969a1402cf7ce09c14586c04af1dfjim                "(`none', `nonenotnull', `dbm:/path/to/file')")
53c239bee62c6d55b5ddfba5d99376d4c8de924ejwoolley#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(CryptoDevice, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL external Crypto Device usage "
7933d4a963def02417113b6798d87a36395053b0rse                "(`builtin', `...')")
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse#endif
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(RandomSeed, TAKE23,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Pseudo Random Number Generator (PRNG) seeding source "
7933d4a963def02417113b6798d87a36395053b0rse                "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse    /*
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     * Per-server context configuration directives
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     */
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    SSL_CMD_SRV(Engine, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL switch for the protocol engine "
7933d4a963def02417113b6798d87a36395053b0rse                "(`on', `off')")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_ALL(CipherSuite, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "Colon-delimited list of permitted SSL Ciphers "
7933d4a963def02417113b6798d87a36395053b0rse                "(`XXX:...:XXX' - see manual)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(CertificateFile, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Server Certificate file "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/file' - PEM or DER encoded)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(CertificateKeyFile, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Server Private Key file "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/file' - PEM or DER encoded)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(CertificateChainFile, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Server CA Certificate Chain file "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/file' - PEM encoded)")
176c2742db03fcb7b7d13e6408dd967d87e542e9ben    SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
e0c3fda9f782aee1140d83fbce32672ac299f2a4ben                "PKCS#7 file containing server certificate and chain"
3a8856c9ca9e996d3a1fae2c65943c35eed97481rpluem                " certificates (`/path/to/file' - PEM encoded)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_ALL(CACertificatePath, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL CA Certificate path "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/dir' - contains PEM encoded files)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_ALL(CACertificateFile, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL CA Certificate file "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/file' - PEM encoded)")
e335319a08e12eb7daff9afa80e985dc53f652b8jorton    SSL_CMD_SRV(CADNRequestPath, TAKE1,
e335319a08e12eb7daff9afa80e985dc53f652b8jorton                "SSL CA Distinguished Name path "
e335319a08e12eb7daff9afa80e985dc53f652b8jorton                "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
e335319a08e12eb7daff9afa80e985dc53f652b8jorton    SSL_CMD_SRV(CADNRequestFile, TAKE1,
e335319a08e12eb7daff9afa80e985dc53f652b8jorton                "SSL CA Distinguished Name file "
e335319a08e12eb7daff9afa80e985dc53f652b8jorton                "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(CARevocationPath, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL CA Certificate Revocation List (CRL) path "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/dir' - contains PEM encoded files)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(CARevocationFile, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL CA Certificate Revocation List (CRL) file "
7933d4a963def02417113b6798d87a36395053b0rse                "(`/path/to/file' - PEM encoded)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_ALL(VerifyClient, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Client verify type "
7933d4a963def02417113b6798d87a36395053b0rse                "(`none', `optional', `require', `optional_no_ca')")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_ALL(VerifyDepth, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Client verify depth "
7933d4a963def02417113b6798d87a36395053b0rse                "(`N' - number of intermediate certificates)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
7933d4a963def02417113b6798d87a36395053b0rse                "SSL Session Cache object lifetime "
7933d4a963def02417113b6798d87a36395053b0rse                "(`N' - number of seconds)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(Protocol, RAW_ARGS,
7933d4a963def02417113b6798d87a36395053b0rse                "Enable or disable various SSL protocols"
7933d4a963def02417113b6798d87a36395053b0rse                "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
7efe7de73c89c26518714a504359244d03cfbbc5jorton    SSL_CMD_SRV(HonorCipherOrder, FLAG,
7efe7de73c89c26518714a504359244d03cfbbc5jorton                "Use the server's cipher ordering preference")
f84d3d83a741c21154d42e0ebdec9b9b37efeedcjorton    SSL_CMD_ALL(UserName, TAKE1,
43c3e6a4b559b76b750c245ee95e2782c15b4296jim                "Set user name to SSL variable value")
3c36b0324c8486306904c84eb0264affc45ed56cwrowe    SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
3c36b0324c8486306904c84eb0264affc45ed56cwrowe                "Include I/O Dump when LogLevel is set to Debug "
3c36b0324c8486306904c84eb0264affc45ed56cwrowe                "([ None (default) | IO (not bytes) | Bytes ])")
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
e8f95a682820a599fe41b22977010636be5c2717jim    /*
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     * Proxy configuration for remote SSL connections
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     */
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm    SSL_CMD_SRV(ProxyEngine, FLAG,
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm                "SSL switch for the proxy protocol engine "
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm                "(`on', `off')")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: enable or disable SSL protocol flavors "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: colon-delimited list of permitted SSL ciphers "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`XXX:...:XXX' - see manual)")
8fdc55d1624c714391fe1f93ebafe98ace427f4adougm    SSL_CMD_SRV(ProxyVerify, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: whether to verify the remote certificate "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`on' or `off')")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: maximum certificate verification depth "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`N' - number of intermediate certificates)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: file containing server certificates "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`/path/to/file' - PEM encoded certificates)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: directory containing server certificates "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`/path/to/dir' - contains PEM encoded certificates)")
a72de14bfdbf0be9d935be9bdc2df631ca5e032bdougm    SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
a72de14bfdbf0be9d935be9bdc2df631ca5e032bdougm                "SSL Proxy: CA Certificate Revocation List (CRL) path "
a72de14bfdbf0be9d935be9bdc2df631ca5e032bdougm                "(`/path/to/dir' - contains PEM encoded files)")
a72de14bfdbf0be9d935be9bdc2df631ca5e032bdougm    SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
a72de14bfdbf0be9d935be9bdc2df631ca5e032bdougm                "SSL Proxy: CA Certificate Revocation List (CRL) file "
a72de14bfdbf0be9d935be9bdc2df631ca5e032bdougm                "(`/path/to/file' - PEM encoded)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: file containing client certificates "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`/path/to/file' - PEM encoded certificates)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "SSL Proxy: directory containing client certificates "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`/path/to/dir' - contains PEM encoded certificates)")
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse    /*
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     * Per-directory context configuration directives
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse     */
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
0839d91ee551a0e19ea9577bb00976b97308dfddmartin               "Set one or more options to configure the SSL engine"
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(`[+-]option[=value] ...' - see manual)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "Require the SSL protocol for the per-directory context "
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(no arguments)")
7933d4a963def02417113b6798d87a36395053b0rse    SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
0839d91ee551a0e19ea9577bb00976b97308dfddmartin               "Require a boolean expression to evaluate to true for granting access"
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse               "(arbitrary complex boolean expression - see manual)")
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
e6e65585927961caf45d4e9e932bb1f4e9e89ca1jerenkrantz    /* Deprecated directives. */
e8f95a682820a599fe41b22977010636be5c2717jim    AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
e6e65585927961caf45d4e9e932bb1f4e9e89ca1jerenkrantz      "SSLLog directive is no longer supported - use ErrorLog."),
e8f95a682820a599fe41b22977010636be5c2717jim    AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
e6e65585927961caf45d4e9e932bb1f4e9e89ca1jerenkrantz      "SSLLogLevel directive is no longer supported - use LogLevel."),
e8f95a682820a599fe41b22977010636be5c2717jim
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse    AP_END_CMD
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse};
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse
7933d4a963def02417113b6798d87a36395053b0rse/*
7933d4a963def02417113b6798d87a36395053b0rse *  the various processing hooks
7933d4a963def02417113b6798d87a36395053b0rse */
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowestatic apr_status_t ssl_cleanup_pre_config(void *data)
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe{
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    /*
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     * Try to kill the internals of the SSL library.
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     */
239dd0cf663713025d4451ddd465685021007d82wrowe#ifdef HAVE_OPENSSL
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe#if OPENSSL_VERSION_NUMBER >= 0x00907001
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    /* Corresponds to OPENSSL_load_builtin_modules():
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     * XXX: borrowed from apps.h, but why not CONF_modules_free()
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     * which also invokes CONF_modules_finish()?
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     */
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    CONF_modules_unload(1);
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe#endif
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe#endif
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    /* Corresponds to SSL_library_init: */
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    EVP_cleanup();
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    ENGINE_cleanup();
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe#endif
239dd0cf663713025d4451ddd465685021007d82wrowe#ifdef HAVE_OPENSSL
239dd0cf663713025d4451ddd465685021007d82wrowe#if OPENSSL_VERSION_NUMBER >= 0x00907001
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    CRYPTO_cleanup_all_ex_data();
239dd0cf663713025d4451ddd465685021007d82wrowe#endif
239dd0cf663713025d4451ddd465685021007d82wrowe#endif
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    ERR_remove_state(0);
56bd16e394f49423a22aa82643eb27f26db2c748jorton
56bd16e394f49423a22aa82643eb27f26db2c748jorton    /* Don't call ERR_free_strings here; ERR_load_*_strings only
56bd16e394f49423a22aa82643eb27f26db2c748jorton     * actually load the error strings once per process due to static
56bd16e394f49423a22aa82643eb27f26db2c748jorton     * variable abuse in OpenSSL. */
56bd16e394f49423a22aa82643eb27f26db2c748jorton
e8f95a682820a599fe41b22977010636be5c2717jim    /*
e8f95a682820a599fe41b22977010636be5c2717jim     * TODO: determine somewhere we can safely shove out diagnostics
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     *       (when enabled) at this late stage in the game:
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     * CRYPTO_mem_leaks_fp(stderr);
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     */
239dd0cf663713025d4451ddd465685021007d82wrowe    return APR_SUCCESS;
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe}
d1bb6e2664788e0437acc18e877562c9a796d7cerse
71c00f988beb28388702e14cb7fe06f08bd792bbdougmstatic int ssl_hook_pre_config(apr_pool_t *pconf,
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                               apr_pool_t *plog,
71c00f988beb28388702e14cb7fe06f08bd792bbdougm                               apr_pool_t *ptemp)
7933d4a963def02417113b6798d87a36395053b0rse{
e8f95a682820a599fe41b22977010636be5c2717jim    /* We must register the library in full, to ensure our configuration
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe     * code can successfully test the SSL environment.
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe     */
8aced0b621ea45e8621c7073b0bfbe5ea91c2329wrowe    CRYPTO_malloc_init();
239dd0cf663713025d4451ddd465685021007d82wrowe#ifdef HAVE_OPENSSL
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe    ERR_load_crypto_strings();
239dd0cf663713025d4451ddd465685021007d82wrowe#endif
93350a0dfa22a2c523cdcbad3357327013ecc145martin    SSL_load_error_strings();
2c038bf2465bf2150c396f4e67f68ebc5bb9e6e9wrowe    SSL_library_init();
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe    ENGINE_load_builtin_engines();
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe#endif
239dd0cf663713025d4451ddd465685021007d82wrowe#ifdef HAVE_OPENSSL
8a5120efd60acf0323371cb30cba489723b03819jorton    OpenSSL_add_all_algorithms();
e13735ceb2025ea8ed0c530093e13fe57b62f1efwrowe#if OPENSSL_VERSION_NUMBER >= 0x00907001
b5451913a64155af2eab4f12ecbaf16e15acafc3wrowe    OPENSSL_load_builtin_modules();
e13735ceb2025ea8ed0c530093e13fe57b62f1efwrowe#endif
e13735ceb2025ea8ed0c530093e13fe57b62f1efwrowe#endif
8aced0b621ea45e8621c7073b0bfbe5ea91c2329wrowe
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    /*
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     * Let us cleanup the ssl library when the module is unloaded
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe     */
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe    apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe                                           apr_pool_cleanup_null);
2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7wrowe
af5dd1c93d2185f7e37f8783c593b64fd35ea8a6wrowe    /* Register us to handle mod_log_config %c/%x variables */
af5dd1c93d2185f7e37f8783c593b64fd35ea8a6wrowe    ssl_var_log_config_register(pconf);
8dc154408549195c828b823e9dc7396f107f2512jorton
8dc154408549195c828b823e9dc7396f107f2512jorton    /* Register to handle mod_status status page generation */
b79b480213d7452db127eec054e52eb2b4fa6153wrowe    ssl_scache_status_register(pconf);
417f504d4d11631c0d062be85347f82a26c88677aaron
417f504d4d11631c0d062be85347f82a26c88677aaron    return OK;
7933d4a963def02417113b6798d87a36395053b0rse}
7933d4a963def02417113b6798d87a36395053b0rse
9cb81d96f6b556cec1aa456191f43f7932aabaaedougmstatic SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm{
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    SSLConnRec *sslconn = myConnConfig(c);
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    if (sslconn) {
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm        return sslconn;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    }
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    myConnConfigSet(c, sslconn);
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    return sslconn;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm}
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougmint ssl_proxy_enable(conn_rec *c)
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm{
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    SSLConnRec *sslconn = ssl_init_connection_ctx(c);
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm    if (!sc->proxy_enabled) {
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                      "SSL Proxy requested for %s but not enabled "
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                      "[Hint: SSLProxyEngine]", sc->vhost_id);
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm        return 0;
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm    }
cde1010d880fb6230f80c9d697842ea0b1cb79c7dougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    sslconn->is_proxy = 1;
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    sslconn->disabled = 0;
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    return 1;
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm}
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
621bd763d2e4d32f19013ac8b76b375b5a01851fdougmint ssl_engine_disable(conn_rec *c)
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm{
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    SSLConnRec *sslconn;
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
ccbf65bf19ac58a396133923aee4597e0870ec47bnicholes    if (sc->enabled == SSL_ENABLED_FALSE) {
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm        return 0;
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    }
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    sslconn = ssl_init_connection_ctx(c);
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    sslconn->disabled = 1;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    return 1;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm}
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
4ede070ca63bd4c48045e35a7192582769770290jortonint ssl_init_ssl_connection(conn_rec *c, request_rec *r)
7933d4a963def02417113b6798d87a36395053b0rse{
a943533fd4d91d114af622731a405407990c4fb1rse    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
a943533fd4d91d114af622731a405407990c4fb1rse    SSL *ssl;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    SSLConnRec *sslconn = myConnConfig(c);
469549ac22c6f7b9ecdd9df2565925563e4df84djwoolley    char *vhost_md5;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    modssl_ctx_t *mctx;
a943533fd4d91d114af622731a405407990c4fb1rse
a943533fd4d91d114af622731a405407990c4fb1rse    /*
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     * Seed the Pseudo Random Number Generator (PRNG)
a943533fd4d91d114af622731a405407990c4fb1rse     */
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
a943533fd4d91d114af622731a405407990c4fb1rse
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    if (!sslconn) {
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm        sslconn = ssl_init_connection_ctx(c);
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    }
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    mctx = sslconn->is_proxy ? sc->proxy : sc->server;
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
a943533fd4d91d114af622731a405407990c4fb1rse    /*
a943533fd4d91d114af622731a405407990c4fb1rse     * Create a new SSL connection with the configured server SSL context and
a943533fd4d91d114af622731a405407990c4fb1rse     * attach this to the socket. Additionally we register this attachment
a943533fd4d91d114af622731a405407990c4fb1rse     * so we can detach later.
a943533fd4d91d114af622731a405407990c4fb1rse     */
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                      "Unable to create a new SSL connection from the SSL "
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                      "context");
e16695d440d82ec6f9a4b9af18ae38dbeaa19366jerenkrantz        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
a943533fd4d91d114af622731a405407990c4fb1rse        c->aborted = 1;
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
a943533fd4d91d114af622731a405407990c4fb1rse        return DECLINED; /* XXX */
a943533fd4d91d114af622731a405407990c4fb1rse    }
6d7efb8c76b56eaebd6032096771c9e44b247f3fdougm
f4c472b8dce3c2e559232dbb5b27ed2466922ea4jerenkrantz    vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
f4c472b8dce3c2e559232dbb5b27ed2466922ea4jerenkrantz                              sc->vhost_id_len);
469549ac22c6f7b9ecdd9df2565925563e4df84djwoolley
469549ac22c6f7b9ecdd9df2565925563e4df84djwoolley    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
d0ba3b97557d47323bd055fb4002ed7692f703b9jerenkrantz                                    APR_MD5_DIGESTSIZE*2))
71c00f988beb28388702e14cb7fe06f08bd792bbdougm    {
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                      "Unable to set session id context to `%s'", vhost_md5);
e16695d440d82ec6f9a4b9af18ae38dbeaa19366jerenkrantz        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
a943533fd4d91d114af622731a405407990c4fb1rse        c->aborted = 1;
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
a943533fd4d91d114af622731a405407990c4fb1rse        return DECLINED; /* XXX */
a943533fd4d91d114af622731a405407990c4fb1rse    }
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
a943533fd4d91d114af622731a405407990c4fb1rse    SSL_set_app_data(ssl, c);
d28d7091912b3d911bdbe18df2d37d315681054bdougm    SSL_set_app_data2(ssl, NULL); /* will be request_rec */
a943533fd4d91d114af622731a405407990c4fb1rse
931b4fd1cc9dd3da096c45f4bf7ddcc14e0985c1dougm    sslconn->ssl = ssl;
a943533fd4d91d114af622731a405407990c4fb1rse
a943533fd4d91d114af622731a405407990c4fb1rse    /*
a943533fd4d91d114af622731a405407990c4fb1rse     *  Configure callbacks for SSL connection
a943533fd4d91d114af622731a405407990c4fb1rse     */
a943533fd4d91d114af622731a405407990c4fb1rse    SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
a943533fd4d91d114af622731a405407990c4fb1rse    SSL_set_tmp_dh_callback(ssl,  ssl_callback_TmpDH);
c947acd3d1a604a0acad6a53ef685312d4410fc5dougm
a943533fd4d91d114af622731a405407990c4fb1rse    SSL_set_verify_result(ssl, X509_V_OK);
a943533fd4d91d114af622731a405407990c4fb1rse
4ede070ca63bd4c48045e35a7192582769770290jorton    ssl_io_filter_init(c, r, ssl);
a943533fd4d91d114af622731a405407990c4fb1rse
a943533fd4d91d114af622731a405407990c4fb1rse    return APR_SUCCESS;
7933d4a963def02417113b6798d87a36395053b0rse}
7933d4a963def02417113b6798d87a36395053b0rse
7b6ba9c468f26bdb3492d5e8cb79628a3b04e8c8wrowestatic const char *ssl_hook_http_scheme(const request_rec *r)
7933d4a963def02417113b6798d87a36395053b0rse{
a943533fd4d91d114af622731a405407990c4fb1rse    SSLSrvConfigRec *sc = mySrvConfig(r->server);
a943533fd4d91d114af622731a405407990c4fb1rse
2f32a3d146dc55d81b31660386e17c3b83ad61b8bnicholes    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
a943533fd4d91d114af622731a405407990c4fb1rse        return NULL;
71c00f988beb28388702e14cb7fe06f08bd792bbdougm    }
a943533fd4d91d114af622731a405407990c4fb1rse
a943533fd4d91d114af622731a405407990c4fb1rse    return "https";
7933d4a963def02417113b6798d87a36395053b0rse}
7933d4a963def02417113b6798d87a36395053b0rse
71c00f988beb28388702e14cb7fe06f08bd792bbdougmstatic apr_port_t ssl_hook_default_port(const request_rec *r)
7933d4a963def02417113b6798d87a36395053b0rse{
a943533fd4d91d114af622731a405407990c4fb1rse    SSLSrvConfigRec *sc = mySrvConfig(r->server);
a943533fd4d91d114af622731a405407990c4fb1rse
2f32a3d146dc55d81b31660386e17c3b83ad61b8bnicholes    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
a943533fd4d91d114af622731a405407990c4fb1rse        return 0;
71c00f988beb28388702e14cb7fe06f08bd792bbdougm    }
71c00f988beb28388702e14cb7fe06f08bd792bbdougm
a943533fd4d91d114af622731a405407990c4fb1rse    return 443;
7933d4a963def02417113b6798d87a36395053b0rse}
7933d4a963def02417113b6798d87a36395053b0rse
e726f34f8da08c01ee8bc90904b26196b69c8587wrowestatic int ssl_hook_pre_connection(conn_rec *c, void *csd)
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe{
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    SSLConnRec *sslconn = myConnConfig(c);
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    /*
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     * Immediately stop processing if SSL is disabled for this connection
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     */
ccbf65bf19ac58a396133923aee4597e0870ec47bnicholes    if (!(sc && (sc->enabled == SSL_ENABLED_TRUE ||
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe                 (sslconn && sslconn->is_proxy))))
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    {
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe        return DECLINED;
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    }
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    /*
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     * Create SSL context
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     */
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    if (!sslconn) {
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe        sslconn = ssl_init_connection_ctx(c);
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    }
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    if (sslconn->disabled) {
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe        return DECLINED;
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    }
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe    /*
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     * Remember the connection information for
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     * later access inside callback functions
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe     */
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                  "Connection to child %ld established "
2261f694ce2fc09f9df6c65bd8e1f4230313696bjorton                  "(server %s)", c->id, sc->vhost_id);
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
4ede070ca63bd4c48045e35a7192582769770290jorton    return ssl_init_ssl_connection(c, NULL);
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe}
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
e726f34f8da08c01ee8bc90904b26196b69c8587wrowe
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse/*
7933d4a963def02417113b6798d87a36395053b0rse *  the module registration phase
cc003103e52ff9d5fe9bed567ef9438613ab4fbfrse */
a943533fd4d91d114af622731a405407990c4fb1rse
7933d4a963def02417113b6798d87a36395053b0rsestatic void ssl_register_hooks(apr_pool_t *p)
7933d4a963def02417113b6798d87a36395053b0rse{
825479074daa2c65852666c4b26d771dff957507jorton    /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
e8f95a682820a599fe41b22977010636be5c2717jim     * run after mod_setenvif's post_read_request hook. */
825479074daa2c65852666c4b26d771dff957507jorton    static const char *pre_prr[] = { "mod_setenvif.c", NULL };
825479074daa2c65852666c4b26d771dff957507jorton
a943533fd4d91d114af622731a405407990c4fb1rse    ssl_io_filter_register(p);
dfaea9dfb7e6fd2c97b9d35a75d7bcab94af8ff8dougm
a943533fd4d91d114af622731a405407990c4fb1rse    ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
d2ffb32434f79782ff7a364ffa31064698c5c645jorton    ap_hook_test_config   (ssl_hook_ConfigTest,    NULL,NULL, APR_HOOK_MIDDLE);
a943533fd4d91d114af622731a405407990c4fb1rse    ap_hook_post_config   (ssl_init_Module,        NULL,NULL, APR_HOOK_MIDDLE);
7b6ba9c468f26bdb3492d5e8cb79628a3b04e8c8wrowe    ap_hook_http_scheme   (ssl_hook_http_scheme,   NULL,NULL, APR_HOOK_MIDDLE);
a943533fd4d91d114af622731a405407990c4fb1rse    ap_hook_default_port  (ssl_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
fa599e0e097d4d933c4dc378ffbfc3c045dd589ewrowe    ap_hook_pre_config    (ssl_hook_pre_config,    NULL,NULL, APR_HOOK_MIDDLE);
a943533fd4d91d114af622731a405407990c4fb1rse    ap_hook_child_init    (ssl_init_Child,         NULL,NULL, APR_HOOK_MIDDLE);
0fce4eaa9fdf964f33fab19d0adac422a5305261dougm    ap_hook_check_user_id (ssl_hook_UserCheck,     NULL,NULL, APR_HOOK_FIRST);
a943533fd4d91d114af622731a405407990c4fb1rse    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_MIDDLE);
a943533fd4d91d114af622731a405407990c4fb1rse    ap_hook_access_checker(ssl_hook_Access,        NULL,NULL, APR_HOOK_MIDDLE);
0fce4eaa9fdf964f33fab19d0adac422a5305261dougm    ap_hook_auth_checker  (ssl_hook_Auth,          NULL,NULL, APR_HOOK_MIDDLE);
825479074daa2c65852666c4b26d771dff957507jorton    ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
dfaea9dfb7e6fd2c97b9d35a75d7bcab94af8ff8dougm
17f61d2695369a9b62bc0e5f38e9c4d23eebc664jorton    ssl_var_register(p);
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm
9cb81d96f6b556cec1aa456191f43f7932aabaaedougm    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
621bd763d2e4d32f19013ac8b76b375b5a01851fdougm    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
7933d4a963def02417113b6798d87a36395053b0rse}
7933d4a963def02417113b6798d87a36395053b0rse
6ace32dacb8313226eb9019275d0e4fa45a15148rsemodule AP_MODULE_DECLARE_DATA ssl_module = {
6ace32dacb8313226eb9019275d0e4fa45a15148rse    STANDARD20_MODULE_STUFF,
7933d4a963def02417113b6798d87a36395053b0rse    ssl_config_perdir_create,   /* create per-dir    config structures */
7933d4a963def02417113b6798d87a36395053b0rse    ssl_config_perdir_merge,    /* merge  per-dir    config structures */
7933d4a963def02417113b6798d87a36395053b0rse    ssl_config_server_create,   /* create per-server config structures */
7933d4a963def02417113b6798d87a36395053b0rse    ssl_config_server_merge,    /* merge  per-server config structures */
7933d4a963def02417113b6798d87a36395053b0rse    ssl_config_cmds,            /* table of configuration directives   */
7933d4a963def02417113b6798d87a36395053b0rse    ssl_register_hooks          /* register hooks */
6ace32dacb8313226eb9019275d0e4fa45a15148rse};