mod_ssl.c revision 807c436563a054c3513648163fd2e36612b68c9a
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder/* Licensed to the Apache Software Foundation (ASF) under one or more
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * contributor license agreements. See the NOTICE file distributed with
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * this work for additional information regarding copyright ownership.
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * The ASF licenses this file to You under the Apache License, Version 2.0
75a6279dbae159d018ef812185416cf6df386c10Till Mossakowski * (the "License"); you may not use this file except in compliance with
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * the License. You may obtain a copy of the License at
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * http://www.apache.org/licenses/LICENSE-2.0
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * Unless required by applicable law or agreed to in writing, software
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * distributed under the License is distributed on an "AS IS" BASIS,
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * See the License for the specific language governing permissions and
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * limitations under the License.
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * _ __ ___ ___ __| | ___ ___| | mod_ssl
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * | | | | | | (_) | (_| | \__ \__ \ |
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * |_| |_| |_|\___/ \__,_|___|___/___/_|
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * Apache API interface structures
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski * the table of configuration directives we provide
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder#define SSL_CMD_DIR(name, type, args, desc) \
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
5e46b572ed576c0494768998b043d9d340594122Till Mossakowskistatic const command_rec ssl_config_cmds[] = {
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder * Global (main-server) context configuration directives
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder "SSL dialog mechanism for the pass phrase query "
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder "('builtin', '|/path/to/pipe_program', "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL Session Cache storage "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('none', 'nonenotnull', 'dbm:/path/to/file')")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL external Crypto Device usage "
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "('builtin', '...')")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "SSL Pseudo Random Number Generator (PRNG) seeding source "
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "('startup|connect builtin|file:/path|exec:/path [bytes]')")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski * Per-server context configuration directives
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "SSL switch for the protocol engine "
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "('on', 'off')")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Enable FIPS-140 mode "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "(`on', `off')")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Colon-delimited list of permitted SSL Ciphers "
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder "('XXX:...:XXX' - see manual)")
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder "SSL Server Certificate file "
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder "('/path/to/file' - PEM or DER encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL Server Private Key file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM or DER encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL Server CA Certificate Chain file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "PKCS#7 file containing server certificate and chain"
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder " certificates ('/path/to/file' - PEM encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "TLS session ticket encryption/decryption key file (RFC 5077) "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - file with 48 bytes of random data)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Certificate path "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/dir' - contains PEM encoded files)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Certificate file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Distinguished Name path "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Distinguished Name file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Certificate Revocation List (CRL) path "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/dir' - contains PEM encoded files)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Certificate Revocation List (CRL) file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL CA Certificate Revocation List (CRL) checking mode")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Client verify type "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('none', 'optional', 'require', 'optional_no_ca')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Client verify depth "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('N' - number of intermediate certificates)")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "SSL Session Cache object lifetime "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('N' - number of seconds)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder#define SSL_PROTOCOLS "SSLv3|TLSv1|TLSv1.1|TLSv1.2"
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Enable or disable various SSL protocols "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Use the server's cipher ordering preference")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Enable SSL level compression "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "(`on', `off')")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Enable support for insecure renegotiation")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Set user name to SSL variable value")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "Strict SNI virtual host checking")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SRP verifier file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - created by srptool)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SRP seed for unknown users (to avoid leaking a user's existence) "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('some secret text')")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder * Proxy configuration for remote SSL connections
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL switch for the proxy protocol engine "
4b6aa93c12e4db86ccc7694a48a73e9cf7262d06Christian Maeder "('on', 'off')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: enable or disable SSL protocol flavors "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: colon-delimited list of permitted SSL ciphers "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('XXX:...:XXX' - see manual)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: whether to verify the remote certificate "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('on' or 'off')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: maximum certificate verification depth "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('N' - number of intermediate certificates)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: file containing server certificates "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('/path/to/file' - PEM encoded certificates)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: directory containing server certificates "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "('/path/to/dir' - contains PEM encoded certificates)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: CA Certificate Revocation List (CRL) path "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/dir' - contains PEM encoded files)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL Proxy: CA Certificate Revocation List (CRL) file "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM encoded)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "SSL Proxy: file containing client certificates "
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder "('/path/to/file' - PEM encoded certificates)")
01aafb6a9520f05df5ff467b591ecb5474dcfc86Christian Maeder SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "SSL Proxy: directory containing client certificates "
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "('/path/to/dir' - contains PEM encoded certificates)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski SSL_CMD_SRV(ProxyMachineCertificateChainFile, TAKE1,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: file containing issuing certificates "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "of the client certificate "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "(`/path/to/file' - PEM encoded certificates)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: check the peer certificate's expiration date")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: check the peer certificate's CN")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Proxy: check the peer certificate's name "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "(must be present in subjectAltName extension or CN")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski * Per-directory context configuration directives
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "Set one or more options to configure the SSL engine"
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "('[+-]option[=value] ...' - see manual)")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "Require the SSL protocol for the per-directory context "
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "(no arguments)")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "Require a boolean expression to evaluate to true for granting access"
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "(arbitrary complex boolean expression - see manual)")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "Configure the amount of memory that will be used for buffering the "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "request body if a per-location SSL renegotiation is required due to "
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "changed access control requirements")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "Enable use of OCSP to verify certificate revocation ('on', 'off')")
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski "URL of the default OCSP Responder")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "Force use of the default responder URL ('on', 'off')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "Maximum time difference in OCSP responses")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "Maximum age of OCSP responses")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "OCSP responder query timeout")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski * OCSP Stapling options
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL Stapling Response Cache storage "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling option for maximum time difference in OCSP responses")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling option for OCSP responder timeout")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling option for maximum age of OCSP responses")
a938729e277da5c7742bb88946ab2c150416fd5dTill Mossakowski SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling option for normal OCSP Response Cache Lifetime")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling switch to return Status Errors Back to Client"
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "(`on', `off')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling switch to send tryLater response to client on error "
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "(`on', `off')")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling option for OCSP Response Error Cache Lifetime")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSL stapling option to Force the OCSP Stapling URL")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "OpenSSL configuration command")
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski /* Deprecated directives. */
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSLLog directive is no longer supported - use ErrorLog."),
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski "SSLLogLevel directive is no longer supported - use LogLevel."),
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski * the various processing hooks
5e46b572ed576c0494768998b043d9d340594122Till Mossakowskistatic apr_status_t ssl_cleanup_pre_config(void *data)
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski * Try to kill the internals of the SSL library.
a938729e277da5c7742bb88946ab2c150416fd5dTill Mossakowski /* Corresponds to OPENSSL_load_builtin_modules():
a938729e277da5c7742bb88946ab2c150416fd5dTill Mossakowski * XXX: borrowed from apps.h, but why not CONF_modules_free()
a938729e277da5c7742bb88946ab2c150416fd5dTill Mossakowski * which also invokes CONF_modules_finish()?
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski /* Corresponds to SSL_library_init: */
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski /* Don't call ERR_free_strings here; ERR_load_*_strings only
5e46b572ed576c0494768998b043d9d340594122Till Mossakowski * actually load the error strings once per process due to static
a938729e277da5c7742bb88946ab2c150416fd5dTill Mossakowski * variable abuse in OpenSSL. */
return APR_SUCCESS;
#if HAVE_VALGRIND
#ifdef HAVE_OCSP_STAPLING
return OK;
if (sslconn) {
return sslconn;
return sslconn;
if (sslconn) {
#ifdef HAVE_TLS_NPN
if (!sslconn) {
return DECLINED;
if (advertisefn)
if (negotiatedfn)
return OK;
return DECLINED;
char *vhost_md5;
if (!sslconn) {
#ifndef OPENSSL_NO_EC
return APR_SUCCESS;
return NULL;
if (sslconn) {
return DECLINED;
if (!sslconn) {
return DECLINED;
ssl_var_register(p);