mod_ssl.c revision 2b7078b0c4fd5b6054f6f2d4f626177844f5c6f7
** _ __ ___ ___ __| | ___ ___| | mod_ssl
** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
** Apache API interface structures
/* ====================================================================
 * The Apache Software License, Version 1.1
 * Copyright (c) 2000-2003 The Apache Software Foundation. All rights
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
 * the documentation and/or other materials provided with the
 * distribution.
 * 3. The end-user documentation included with the redistribution,
 * if any, must include the following acknowledgment:
 * "This product includes software developed by the
 * Apache Software Foundation (http://www.apache.org/)."
 * Alternately, this acknowledgment may appear in the software itself,
 * if and wherever such third-party acknowledgments normally appear.
 * 4. The names "Apache" and "Apache Software Foundation" must
 * not be used to endorse or promote products derived from this
 * software without prior written permission. For written
 * permission, please contact apache@apache.org.
 * 5. Products derived from this software may not be called "Apache",
 * nor may "Apache" appear in their name, without prior written
 * permission of the Apache Software Foundation.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 * the table of configuration directives we provide
 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
#define SSL_CMD_DIR(name, type, args, desc) \
 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
 "Valid SSLMutex mechanisms are: `none', `default'"
#if APR_HAS_SYSVSEM_SERIALIZE && !defined(PERCHILD_MPM)
 ", `sysvsem'"
 ", `posixsem'"
 ", `pthread'"
#if APR_HAS_FLOCK_SERIALIZE || APR_HAS_FCNTL_SERIALIZE
#if (APR_HAS_SYSVSEM_SERIALIZE && !defined(PERCHILD_MPM)) || APR_HAS_POSIXSEM_SERIALIZE
static const command_rec ssl_config_cmds[] = {
 * Global (main-server) context configuration directives
 SSL_CMD_SRV(Mutex, TAKE1, ssl_valid_ssl_mutex_string)
 "SSL dialog mechanism for the pass phrase query "
 "(`builtin', `|/path/to/pipe_program`, "
 "SSL Session Cache storage "
 "(`none', `dbm:/path/to/file')")
 "SSL external Crypto Device usage "
 "(`builtin', `...')")
 "SSL Pseudo Random Number Generator (PRNG) seeding source "
 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
 * Per-server context configuration directives
 "SSL switch for the protocol engine "
 "(`on', `off')")
 "Colon-delimited list of permitted SSL Ciphers "
 "(`XXX:...:XXX' - see manual)")
 "SSL Server Certificate file "
 "(`/path/to/file' - PEM or DER encoded)")
 "SSL Server Private Key file "
 "(`/path/to/file' - PEM or DER encoded)")
 "SSL Server CA Certificate Chain file "
 "(`/path/to/file' - PEM encoded)")
 "SSL CA Certificate path "
 "(`/path/to/dir' - contains PEM encoded files)")
 "SSL CA Certificate file "
 "(`/path/to/file' - PEM encoded)")
 "SSL CA Certificate Revocation List (CRL) path "
 "(`/path/to/dir' - contains PEM encoded files)")
 "SSL CA Certificate Revocation List (CRL) file "
 "(`/path/to/file' - PEM encoded)")
 "SSL Client verify type "
 "(`none', `optional', `require', `optional_no_ca')")
 "SSL Client verify depth "
 "(`N' - number of intermediate certificates)")
 "SSL Session Cache object lifetime "
 "(`N' - number of seconds)")
 "Enable or disable various SSL protocols"
 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
 * Proxy configuration for remote SSL connections
 "SSL switch for the proxy protocol engine "
 "(`on', `off')")
 "SSL Proxy: enable or disable SSL protocol flavors "
 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
 "SSL Proxy: colon-delimited list of permitted SSL ciphers "
 "(`XXX:...:XXX' - see manual)")
 "SSL Proxy: whether to verify the remote certificate "
 "(`on' or `off')")
 "SSL Proxy: maximum certificate verification depth "
 "(`N' - number of intermediate certificates)")
 "SSL Proxy: file containing server certificates "
 "(`/path/to/file' - PEM encoded certificates)")
 "SSL Proxy: directory containing server certificates "
 "(`/path/to/dir' - contains PEM encoded certificates)")
 "SSL Proxy: CA Certificate Revocation List (CRL) path "
 "(`/path/to/dir' - contains PEM encoded files)")
 "SSL Proxy: CA Certificate Revocation List (CRL) file "
 "(`/path/to/file' - PEM encoded)")
 SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
 "SSL Proxy: file containing client certificates "
 "(`/path/to/file' - PEM encoded certificates)")
 SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
 "SSL Proxy: directory containing client certificates "
 "(`/path/to/dir' - contains PEM encoded certificates)")
 * Per-directory context configuration directives
 "Set one or more options to configure the SSL engine"
 "(`[+-]option[=value] ...' - see manual)")
 "Require the SSL protocol for the per-directory context "
 "(no arguments)")
 "Require a boolean expression to evaluate to true for granting access"
 "(arbitrary complex boolean expression - see manual)")
 /* Deprecated directives. */
 AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
 "SSLLog directive is no longer supported - use ErrorLog."),
 AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
 "SSLLogLevel directive is no longer supported - use LogLevel."),
 * the various processing hooks
static apr_status_t ssl_cleanup_pre_config(void *data)
 * Try to kill the internals of the SSL library.
 /* Corresponds to OPENSSL_load_builtin_modules():
 * XXX: borrowed from apps.h, but why not CONF_modules_free()
 * which also invokes CONF_modules_finish()?
 /* Corresponds to SSL_library_init: */
 * TODO: determine somewhere we can safely shove out diagnostics
 * (when enabled) at this late stage in the game:
 * CRYPTO_mem_leaks_fp(stderr);
static int ssl_hook_pre_config(apr_pool_t *pconf,
 /* We must register the library in full, to ensure our configuration
 * code can successfully test the SSL environment.
 * Let us cleanup the ssl library when the module is unloaded
 apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
 /* Register us to handle mod_log_config %c/%x variables */
#if 0 /* XXX */
 /* XXX: Register us to handle mod_status extensions that don't exist yet */
return OK;
if (sslconn) {
return sslconn;
return sslconn;
char *vhost_md5;
if (!sslconn) {
return APR_SUCCESS;
return NULL;
return DECLINED;
if (!sslconn) {
return DECLINED;
return ssl_init_ssl_connection(c);