ssl_engine_init.c revision 5077eceb48bb505d610bea89067c8569b5174983
585895b11fc5072edf78147f9820d97bb020608drjung/* Licensed to the Apache Software Foundation (ASF) under one or more
7d5ac94fda90b837211dadf2585c0fe8c5dc3e5djerenkrantz * contributor license agreements. See the NOTICE file distributed with
c330021bf3f45cbf187fa644781e67f7e470a58awrowe * this work for additional information regarding copyright ownership.
ecf8d72af432e53e4c0661fb99dfda8061507bfajerenkrantz * The ASF licenses this file to You under the Apache License, Version 2.0
62f7716b14b71603a8004434ca3536902bfb8899wrowe * (the "License"); you may not use this file except in compliance with
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * the License. You may obtain a copy of the License at
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * Unless required by applicable law or agreed to in writing, software
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * distributed under the License is distributed on an "AS IS" BASIS,
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * See the License for the specific language governing permissions and
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * limitations under the License.
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * _ __ ___ ___ __| | ___ ___| | mod_ssl
366616a5cc6212cbf7134ccf877f965d668c6b04wrowe * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
38dc50ae00a1ea57fa41500d74f4e818747e3cefpquerna * | | | | | | (_) | (_| | \__ \__ \ |
585895b11fc5072edf78147f9820d97bb020608drjung * |_| |_| |_|\___/ \__,_|___|___/___/_|
f19a8656f9b21bf3e66eb96e25eac2046c2d102bjim * Initialization of Servers
80464b326874ee15d74742ae39708ec3f2eae1d7wrowe /* ``Recursive, adj.;
80464b326874ee15d74742ae39708ec3f2eae1d7wrowe see Recursive.''
38dc50ae00a1ea57fa41500d74f4e818747e3cefpquerna -- Unknown */
f610c7c704235bc327dbe9b62982f5b3f8e30a77wrowe/* _________________________________________________________________
d96ee8cda2799e1f2743c1603adeb4833ed0e15fslive** Module Initialization
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe** _________________________________________________________________
62f7716b14b71603a8004434ca3536902bfb8899wrowe char *modver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_INTERFACE");
4b62424416882687387923b3130b96241503cbe0jerenkrantz char *libver = ssl_var_lookup(p, s, NULL, NULL, "SSL_VERSION_LIBRARY");
62f7716b14b71603a8004434ca3536902bfb8899wrowe "SSL_VERSION_LIBRARY_INTERFACE");
c4beaaf4e697ed012c8c535f849bb13a77620f05sf ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01876)
c4beaaf4e697ed012c8c535f849bb13a77620f05sf "%s compiled against Server: %s, Library: %s",
c4beaaf4e697ed012c8c535f849bb13a77620f05sf * Handle the Temporary RSA Keys and DH Params
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024)
53e66a2931d02e84628ba946055cc92e56b43db8wrowe ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01877)
1b3f48fd6b1ccb8745f908e40156c5a85ca3c347jerenkrantz "Init: Skipping generating temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01878)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Failed to generate temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01879)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Failed to generate temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01880)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Skipping generating temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01881)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Failed to generate temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe /* XXX: Are there any FIPS constraints we should enforce? */
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Failed to generate temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "%d bit EC parameters, only 256 bits supported", bits);
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Failed to generate temporary "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Generating temporary RSA private keys (512/1024 bits)");
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Generating temporary DH parameters (512/1024 bits)");
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Generating temporary EC parameters (256 bits)");
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * Per-module initialization
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: this version of mod_ssl was compiled against "
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "a newer library (%s, version currently loaded is %s)"
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe " - may result in undefined or erroneous behavior",
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe /* We initialize mc->pid per-process in the child init,
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * but it should be initialized for startup before we
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * call ssl_rand_seed() below.
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * Let us cleanup on restarts and exits
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * Any init round fixes the global config
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ssl_config_global_create(base_server); /* just to avoid problems */
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * try to fix the configuration and open the dedicated SSL
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * logfile as early as possible
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * Create the server host:port string because we need it a lot
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe /* If sc->enabled is UNSET, then SSL is optional on this vhost */
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe /* Fix up stuff that may not have been set */
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe if (sc->server && sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) {
28c4fe67d75f8f26504d75b7aa8dc5d868032888wrowe * SSL external crypto device ("engine") support
28c4fe67d75f8f26504d75b7aa8dc5d868032888wrowe#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01883)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * Seed the Pseudo Random Number Generator (PRNG)
28c4fe67d75f8f26504d75b7aa8dc5d868032888wrowe * only need ptemp here; nothing inside allocated from the pool
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * needs to live once we return from ssl_rand_seed().
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ssl_rand_seed(base_server, ptemp, SSL_RSCTX_STARTUP, "Init: ");
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Operating in SSL FIPS mode");
820e91baab4f9a45001d668698d2fae3501cb4b0trawick ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "SSL FIPS mode disabled");
ddd44b06b04507cae083c52451e28f54f0bdb5afstoddard * read server private keys/public certs into memory.
3a86b95ac291f1af18df0ca2bd6d51c8b35f1241rjung * decrypting any encrypted keys via configured SSLPassPhraseDialogs
ddd44b06b04507cae083c52451e28f54f0bdb5afstoddard * anything that needs to live longer than ptemp needs to also survive
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * restarts, in which case they'll live inside s->process->pool.
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * initialize the mutex handling
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * initialize session caching
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe * initialize servers
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, APLOGNO(01887)
9e86ff266f053757dd96dab7cf4bc53aaaaa583ewrowe "Init: Initializing (virtual) servers for SSL");
62f7716b14b71603a8004434ca3536902bfb8899wrowe * Either now skip this server when SSL is disabled for
62f7716b14b71603a8004434ca3536902bfb8899wrowe * it or give out some information about what we're
62f7716b14b71603a8004434ca3536902bfb8899wrowe * configuring.
return OK;
ENGINE *e;
ssl_die(s);
ssl_die(s);
ENGINE_free(e);
apr_pool_t *p,
ssl_die(s);
#ifndef OPENSSL_NO_EC
ssl_die(s);
#ifndef OPENSSL_NO_TLSEXT
apr_pool_t *p,
ssl_die(s);
#ifdef HAVE_OCSP_STAPLING
#ifndef OPENSSL_NO_SRP
int err;
ssl_die(s);
ssl_die(s);
apr_pool_t *p,
char *cp;
ssl_die(s);
#ifdef HAVE_TLSV1_X
NULL);
#ifdef HAVE_TLSV1_X
#ifdef HAVE_TLSV1_X
#ifndef OPENSSL_NO_COMP
#ifdef SSL_OP_NO_COMPRESSION
#ifdef HAVE_SSL_CONF_CMD
ssl_die(s);
#ifdef SSL_MODE_RELEASE_BUFFERS
apr_pool_t *p,
apr_pool_t *p,
#ifndef OPENSSL_NO_EC
#ifdef HAVE_TLS_NPN
apr_pool_t *p,
ssl_die(s);
ssl_die(s);
apr_pool_t *p,
if (!suite) {
suite);
ssl_die(s);
apr_pool_t *p,
unsigned long crlflags = 0;
ssl_die(s);
ssl_die(s);
case SSL_CRLCHECK_LEAF:
case SSL_CRLCHECK_CHAIN:
crlflags = 0;
if (crlflags) {
#ifdef OPENSSL_NO_SSL_INTERN
if (!extra_certs)
apr_pool_t *p,
if (!chain) {
(char *)chain,
ssl_die(s);
apr_pool_t *p,
#ifndef OPENSSL_NO_TLSEXT
const char *id,
int idx,
const char *authz_file)
return FALSE;
ssl_die(s);
ssl_die(s);
#ifdef HAVE_OCSP_STAPLING
if (authz_file) {
ssl_die(s);
ssl_die(s);
return TRUE;
const char *id,
int idx)
int pkey_type;
#ifndef OPENSSL_NO_EC
return FALSE;
ssl_die(s);
ssl_die(s);
return TRUE;
int type)
if (!cert) {
if (is_ca) {
if (pathlen > 0) {
apr_pool_t *p,
#ifndef OPENSSL_NO_EC
const char *ecc_id;
#ifndef OPENSSL_NO_EC
int have_ecc;
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_EC
|| have_ecc
ssl_die(s);
for (i = 0; i < SSL_AIDX_MAX; i++) {
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_EC
|| have_ecc
ssl_die(s);
#ifdef HAVE_TLS_SESSION_TICKETS
apr_pool_t *p,
char *path;
ssl_die(s);
ssl_die(s);
ssl_die(s);
apr_pool_t *p,
int n, ncerts = 0;
for (n = 0; n < ncerts; n++) {
ssl_die(s);
ssl_die(s);
ncerts);
if (!sctx) {
ssl_die(s);
for (n = 0; n < ncerts; n++) {
apr_pool_t *p,
apr_pool_t *p,
#ifdef HAVE_TLS_SESSION_TICKETS
apr_pool_t *p,
const char *key;
ssl_util_vhostid(p, s),
ssl_util_vhostid(p, s),
* just the certificate/keys of one virtual host (which one cannot be said
char *addr;
#ifdef OPENSSL_NO_TLSEXT
s->defn_line_number,
if (conflict) {
#ifdef OPENSSL_NO_TLSEXT
const X509_NAME * const *b)
return(X509_NAME_cmp(*a, *b));
const char *file)
if (!sk) {
const char *ca_file,
const char *ca_path)
if (ca_file) {
if (ca_path) {
ca_path);
ssl_die(s);
const char *file;
return ca_list;
ssl_mutex_reinit(s, p);
#ifdef HAVE_OCSP_STAPLING
ssl_stapling_mutex_reinit(s, p);
if (item) { \
#ifndef OPENSSL_NO_SRP
for (i = 0; i < ncerts; i++) {
for (i=0; i < SSL_AIDX_MAX; i++) {
server_rec *s;
return APR_SUCCESS;