ssl_engine_kernel.c revision 08e054046d0c7e5532c66769ba80c69a7b4d8245
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* _ _
* _ __ ___ ___ __| | ___ ___| | mod_ssl
* | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
* | | | | | | (_) | (_| | \__ \__ \ |
* |_| |_| |_|\___/ \__,_|___|___/___/_|
* |_____|
* The SSL engine kernel
*/
/* ``It took me fifteen years to discover
I had no talent for programming, but
I couldn't give it up because by that
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
#include "mod_ssl.h"
#include "util_md5.h"
#ifdef HAVE_TLSEXT
#endif
#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
#define CONNECTION_HEADER "Connection: Upgrade"
/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */
{
"upgrading connection to TLS");
if (rv == APR_SUCCESS) {
}
if (rv) {
"failed to send 101 interim response for connection "
"upgrade");
return rv;
}
/* Perform initial SSL handshake. */
"TLS upgrade handshake failed");
return APR_ECONNABORTED;
}
return APR_SUCCESS;
}
/* Perform a speculative (and non-blocking) read from the connection
* filters for the given request, to determine whether there is any
* pending data to read. Return non-zero if there is, else zero. */
static int has_buffered_data(request_rec *r)
{
int result;
APR_NONBLOCK_READ, 1);
&& len > 0;
return result;
}
/*
* Post Read Request Handler
*/
int ssl_hook_ReadReq(request_rec *r)
{
const char *upgrade;
#ifdef HAVE_TLSEXT
const char *servername;
#endif
/* Perform TLS upgrade here if "SSLEngine optional" is configured,
* SSL is not already set up for this connection, and the client
* has sent a suitable Upgrade header. */
if (upgrade_connection(r)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
}
if (!sslconn) {
return DECLINED;
}
"Reason: You're speaking plain HTTP to an SSL-enabled "
"server port.<br />\n Instead use the HTTPS scheme to "
"access this URL, please.<br />\n");
/* Now that we have caught this error, forget it. we are done
* with using SSL on this request.
*/
return HTTP_BAD_REQUEST;
}
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
if (!ssl) {
return DECLINED;
}
#ifdef HAVE_TLSEXT
/*
* Perform SNI checks only on the initial request. In particular,
* if these checks detect a problem, the checks shouldn't return an
* error again when processing an ErrorDocument redirect for the
* original problem.
*/
/*
* The SNI extension supplied a hostname. So don't accept requests
* with either no hostname or a different hostname as this could
* cause us to end up in a different virtual host as the one that
* was used for the handshake causing different SSL parameters to
* be applied as SSLProtocol, SSLCACertificateFile/Path and
* SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due
* to current limitations in OpenSSL, see
* and
* )
*/
if (!r->hostname) {
"Hostname %s provided via SNI, but no hostname"
" provided in HTTP request", servername);
return HTTP_BAD_REQUEST;
}
return HTTP_BAD_REQUEST;
}
"Hostname %s provided via SNI and hostname %s provided"
return HTTP_BAD_REQUEST;
}
}
== SSL_ENABLED_TRUE)
&& r->connection->vhost_lookup_data) {
/*
* We are using a name based configuration here, but no hostname was
* provided via SNI. Don't allow that if are requested to do strict
* checking. Check whether this strict checking was set up either in the
* server config we used for handshaking or in our current server.
* This should avoid insecure configuration by accident.
*/
"No hostname was provided via SNI for a name based"
" virtual host");
"Reason: The client software did not provide a "
"hostname using Server Name Indication (SNI), "
"which is required to access this server.<br />\n");
return HTTP_FORBIDDEN;
}
}
#endif
SSL_set_app_data2(ssl, r);
/*
* Log information about incoming HTTPS requests
*/
if (APLOGrinfo(r) && ap_is_initial_req(r)) {
"%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ?
"Initial (No.1)" :
r->connection->id,
}
/* SetEnvIf ssl-*-shutdown flags can only be per-server,
* so they won't change across keepalive requests
*/
ssl_configure_env(r, sslconn);
}
return DECLINED;
}
/*
* to allow the close connection handler to use them.
*/
{
int i;
switch (*key) {
case 's':
/* being case-sensitive here.
* and not checking for the -shutdown since these are the only
* SetEnvIf "flags" we support
*/
key += 4;
}
}
return; /* should only ever be one ssl-*-shutdown */
}
break;
}
}
}
/*
* Access Handler
*/
int ssl_hook_Access(request_rec *r)
{
int ok, i;
if (ssl) {
/*
* We should have handshaken here (on handshakeserver),
* otherwise we are being redirected (ErrorDocument) from
* a renegotiation failure below. The access is still
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
return HTTP_FORBIDDEN;
}
}
/*
* Support for SSLRequireSSL directive
*/
/* This vhost was configured for optional SSL, just tell the
* client that we need to upgrade.
*/
return HTTP_UPGRADE_REQUIRED;
}
"access to %s failed, reason: %s",
r->filename, "SSL connection required");
/* remember forbidden access for strict require option */
return HTTP_FORBIDDEN;
}
/*
* Check to see whether SSL is in use; if it's not, then no
* further access control checks are relevant. (the test for
* sc->enabled is probably strictly unnecessary)
*/
return DECLINED;
}
#ifdef HAVE_SRP
/*
* Support for per-directory reconfigured SSL connection parameters
*
* We do not force any renegotiation if the user is already authenticated
* via SRP.
*
*/
if (SSL_get_srp_username(ssl)) {
return DECLINED;
}
#endif
/*
* Support for per-directory reconfigured SSL connection parameters.
*
* This is implemented by forcing an SSL renegotiation with the
* reconfigured parameter suite. But Apache's internal API processing
* makes our life very hard here, because when internal sub-requests occur
* we nevertheless should avoid multiple unnecessary SSL handshakes (they
* require extra network I/O and especially time to perform).
*
* But the optimization for filtering out the unnecessary handshakes isn't
* obvious and trivial. Especially because while Apache is in its
* sub-request processing the client could force additional handshakes,
* too. And these take place perhaps without our notice. So the only
* possibility is to explicitly _ask_ OpenSSL whether the renegotiation
* has to be performed or not. It has to performed when some parameters
* which were previously known (by us) are not those we've now
* reconfigured (as known by OpenSSL) or (in optimized way) at least when
* the reconfigured parameter suite is stronger (more restrictions) than
* the currently active one.
*/
/*
* Override of SSLCipherSuite
*
* We provide two options here:
*
* o The paranoid and default approach where we force a renegotiation when
* the cipher suite changed in _any_ way (which is straight-forward but
* often forces renegotiations too often and is perhaps not what the
* user actually wanted).
*
* o The optimized and still secure way where we force a renegotiation
* only if the currently active cipher is no longer contained in the
* reconfigured/new cipher suite. Any other changes are not important
* because it's the servers choice to select a cipher from the ones the
* client supports. So as long as the current cipher is still in the new
* cipher suite we're happy. Because we can assume we would have
* selected it again even when other (better) ciphers exists now in the
* new cipher suite. This approach is fine because the user explicitly
* has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
* implicit optimizations.
*/
/* remember old state */
}
else {
if (cipher_list_old) {
}
}
/* configure new state */
dc->szCipherSuite :
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
if (cipher_list_old) {
}
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
/* optimized way */
if ((!cipher && cipher_list) ||
(cipher && !cipher_list))
{
renegotiate = TRUE;
}
else if (cipher && cipher_list &&
{
renegotiate = TRUE;
}
}
else {
/* paranoid way */
if ((!cipher_list_old && cipher_list) ||
(cipher_list_old && !cipher_list))
{
renegotiate = TRUE;
}
else if (cipher_list_old && cipher_list) {
for (n = 0;
n++)
{
renegotiate = TRUE;
}
}
for (n = 0;
n++)
{
renegotiate = TRUE;
}
}
}
}
/* cleanup */
if (cipher_list_old) {
}
if (renegotiate) {
}
#endif
/* tracing */
"Reconfigured cipher suite will force renegotiation");
}
}
/*
* override of SSLVerifyDepth
*
* The depth checks are handled by us manually inside the verify callback
* function and not by OpenSSL internally (and our function is aware of
* both the per-server and per-directory contexts). So we cannot ask
* OpenSSL about the currently verify depth. Instead we remember it in our
* SSLConnRec attached to the SSL* of OpenSSL. We've to force the
* renegotiation if the reconfigured/new verify depth is less than the
* currently active/remembered verify depth (because this means more
* restriction on the certificate chain).
*/
/* determine the new depth */
if (sslconn->verify_depth < n) {
renegotiate = TRUE;
"Reduced client verification depth will force "
"renegotiation");
}
/*
* override of SSLVerifyClient
*
* We force a renegotiation if the reconfigured/new verify type is
* stronger than the currently active verify type.
*
* The order is: none << optional_no_ca << optional << require
*
* Additionally the following optimization is possible here: When the
* currently active verify type is "none" but a client certificate is
* verification but at least skip the I/O-intensive renegotiation
* handshake.
*/
/* remember old state */
/* configure new state */
}
{
}
/* determine whether we've to force a renegotiation */
if (((verify_old == SSL_VERIFY_NONE) &&
(verify != SSL_VERIFY_NONE)) ||
(!(verify_old & SSL_VERIFY_PEER) &&
(verify & SSL_VERIFY_PEER)) ||
{
renegotiate = TRUE;
/* optimization */
(verify_old == SSL_VERIFY_NONE) &&
{
}
"Changed client verification type will force "
"%srenegotiation",
}
}
/* If we're handling a request for a vhost other than the default one,
* then we need to make sure that client authentication is properly
* enforced. For clients supplying an SNI extension, the peer
* certificate verification has happened in the handshake already
* (and r->server == handshakeserver). For non-SNI requests,
* an additional check is needed here. If client authentication
* is configured as mandatory, then we can only proceed if the
* CA list doesn't have to be changed (OpenSSL doesn't provide
* an option to change the list for an existing session).
*/
if ((r->server != handshakeserver)
&& renegotiate
&& ((verify & SSL_VERIFY_PEER) ||
if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
"Non-default virtual host with SSLVerify set to "
"'require' and VirtualHost-specific CA certificate "
"list is only available to clients with TLS server "
"name indication (SNI) support");
return HTTP_FORBIDDEN;
} else
/* let it pass, possibly with an "incorrect" peer cert,
* so make sure the SSL_CLIENT_VERIFY environment variable
* will indicate partial success only, later on.
*/
}
}
}
/* If a renegotiation is now required for this location, and the
* request includes a message body (and the client has not
* requested a "100 Continue" response), then the client will be
* streaming the request body over the wire already. In that
* case, it is not possible to stop and perform a new SSL
* handshake immediately; once the SSL library moves to the
* "accept" state, it will reject the SSL packets which the client
* is sending for the request body.
*
* To allow authentication to complete in this auth hook, the
* solution used here is to fill a (bounded) buffer with the
* request body, and then to reinject that request body later.
*/
if (renegotiate && !renegotiate_quick
&& !r->expecting_100) {
int rv;
if (rsize > 0) {
/* Fill the I/O buffer with the request body if possible. */
}
else {
/* If the reneg buffer size is set to zero, just fail. */
}
if (rv) {
"could not buffer message body to allow "
"SSL renegotiation to proceed");
return rv;
}
}
/*
* now do the renegotiation if anything was actually reconfigured
*/
if (renegotiate) {
/*
* Now we force the SSL renegotiation by sending the Hello Request
* message to the client. Here we have to do a workaround: Actually
* OpenSSL returns immediately after sending the Hello Request (the
* that the client replies to a Hello Request). But because we insist
* on a reply (anything else is an error for us) we have to go to the
* ACCEPT state manually. Using SSL_set_accept_state() doesn't work
* here because it resets too much of the connection. So we set the
* state explicitly and continue the handshake manually.
*/
"Requesting connection re-negotiation");
if (renegotiate_quick) {
/* perform just a manual re-verification of the peer */
"Performing quick renegotiation: "
"just re-verifying the peer");
if (!cert_stack && cert) {
/* client cert is in the session cache, but there is
* no chain, since ssl3_get_client_certificate()
* sk_X509_shift-ed the peer cert out of the chain.
* we put it back here for the purpose of quick_renegotiation.
*/
}
"Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
if (!(cert_store ||
{
"Cannot find certificate storage");
return HTTP_FORBIDDEN;
}
if (!cert) {
}
if (depth >= 0) {
}
(char *)ssl);
if (!X509_verify_cert(&cert_store_ctx)) {
"Re-negotiation verification step failed");
}
/* we created this ourselves, so free it */
}
}
else {
const char *reneg_support;
/* Additional mitigation for CVE-2009-3555: At this point,
* before renegotiating, an (entire) request has been read
* from the connection. An attacker may have sent further
* data to "prefix" any subsequent request by the victim's
* client after the renegotiation; this data may already
* have been read and buffered. Forcing a connection
* closure after the response ensures such data will be
* discarded. Legimately pipelined HTTP requests will be
* retried anyway with this approach. */
if (has_buffered_data(r)) {
"insecure SSL re-negotiation required, but "
"a pipelined request is present; keepalive "
"disabled");
}
#if defined(SSL_get_secure_renegotiation_support)
"client does" : "client does not";
#else
reneg_support = "server does not";
#endif
/* Perform a full renegotiation. */
"Performing full renegotiation: complete handshake "
"protocol (%s support secure renegotiation)",
(unsigned char *)&id,
sizeof(id));
/* Toggle the renegotiation state to allow the new
* handshake to proceed. */
"Re-negotiation request failed");
return HTTP_FORBIDDEN;
}
"Awaiting re-negotiation handshake");
/* XXX: Should replace setting state with SSL_renegotiate(ssl);
* However, this causes failures in perl-framework currently,
* perhaps pre-test if we have already negotiated?
*/
#ifdef OPENSSL_NO_SSL_INTERN
#else
#endif
"Re-negotiation handshake failed");
return HTTP_FORBIDDEN;
}
}
/*
* Remember the peer certificate's DN
*/
if (sslconn->client_cert) {
}
}
/*
* Finally check for acceptable renegotiation results
*/
"Re-negotiation handshake failed: "
"Client verification failed");
return HTTP_FORBIDDEN;
}
if (do_verify) {
"Re-negotiation handshake failed: "
"Client certificate missing");
return HTTP_FORBIDDEN;
}
}
}
/*
* Also check that SSLCipherSuite has been enforced as expected.
*/
if (cipher_list) {
"SSL cipher suite not renegotiated: "
"access to %s denied using cipher %s",
r->filename,
return HTTP_FORBIDDEN;
}
}
}
/* If we're trying to have the user name set from a client
* certificate then we need to set it here. This should be safe as
* the user name probably isn't important from an auth checking point
* of view as the certificate supplied acts in that capacity.
* However, if FakeAuth is being used then this isn't the case so
* we need to postpone setting the username until later.
*/
r, (char *)dc->szUserName);
else
}
/*
* Check SSLRequire boolean expressions
*/
const char *errstring;
if (ok < 0) {
"access to %s failed, reason: Failed to execute "
"SSL requirement expression: %s",
/* remember forbidden access for strict require option */
return HTTP_FORBIDDEN;
}
if (ok != 1) {
"Access to %s denied for %s "
"(requirement expression not fulfilled)",
r->filename, r->useragent_ip);
"access to %s failed, reason: %s",
r->filename,
"SSL requirement expression not fulfilled");
/* remember forbidden access for strict require option */
return HTTP_FORBIDDEN;
}
}
/*
* Else access is granted from our point of view (except vendor
* handlers override). But we have to return DECLINED here instead
* of OK, because mod_auth and other modules still might want to
* deny access.
*/
return DECLINED;
}
/*
* Authentication Handler:
* Fake a Basic authentication from the X509 client certificate.
*
* This must be run fairly early on to prevent a real authentication from
* occuring, in particular it must be run before anything else that
* authenticates a user. This means that the Module statement for this
* module should be LAST in the Configuration file.
*/
int ssl_hook_UserCheck(request_rec *r)
{
char *user;
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
{
return HTTP_FORBIDDEN;
}
/*
* We decline when we are in a subrequest. The Authorization header
* would already be present if it was added in the main request.
*/
if (!ap_is_initial_req(r)) {
return DECLINED;
}
/*
* Make sure the user is not able to fake the client certificate
* based authentication by just entering an X.509 Subject DN
* password.
*/
auth_line++;
}
"Encountered FakeBasicAuth spoof: %s", username);
return HTTP_FORBIDDEN;
}
}
}
/*
* We decline operation in various situations...
* - SSLOptions +FakeBasicAuth not configured
* - r->user already authenticated
* - ssl not enabled
* - client did not present a certificate
*/
{
return DECLINED;
}
}
/* use SSLUserName if defined, otherwise use the full client DN */
if (dc->szUserName) {
r, (char *)dc->szUserName);
APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName);
return DECLINED;
}
}
else {
}
/*
* Fake a password - which one would be immaterial, as, it seems, an empty
* password in the users file would match ALL incoming passwords, if only
* we were using the standard crypt library routine. Unfortunately, OpenSSL
* "fixes" a "bug" in crypt and thus prevents blank passwords from
* working. (IMHO what they really fix is a bug in the users of the code
* - failing to program correctly for shadow passwords). We need,
* therefore, to provide a password. This password can be matched by
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
ap_pbase64encode(r->pool,
":password", NULL)),
NULL);
"Faking HTTP Basic Auth header: \"Authorization: %s\"",
return DECLINED;
}
/* authorization phase */
int ssl_hook_Auth(request_rec *r)
{
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
{
return HTTP_FORBIDDEN;
}
return DECLINED;
}
/*
* Fixup Handler
*/
static const char *ssl_hook_Fixup_vars[] = {
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
"SSL_SECURE_RENEG",
"SSL_COMPRESS_METHOD",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
"SSL_CIPHER_ALGKEYSIZE",
"SSL_CLIENT_VERIFY",
"SSL_CLIENT_M_VERSION",
"SSL_CLIENT_M_SERIAL",
"SSL_CLIENT_V_START",
"SSL_CLIENT_V_END",
"SSL_CLIENT_V_REMAIN",
"SSL_CLIENT_S_DN",
"SSL_CLIENT_I_DN",
"SSL_CLIENT_A_KEY",
"SSL_CLIENT_A_SIG",
"SSL_SERVER_M_VERSION",
"SSL_SERVER_M_SERIAL",
"SSL_SERVER_V_START",
"SSL_SERVER_V_END",
"SSL_SERVER_S_DN",
"SSL_SERVER_I_DN",
"SSL_SERVER_A_KEY",
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
"SSL_SESSION_RESUMED",
#ifdef HAVE_SRP
"SSL_SRP_USER",
"SSL_SRP_USERINFO",
#endif
};
int ssl_hook_Fixup(request_rec *r)
{
#ifdef HAVE_TLSEXT
const char *servername;
#endif
int i;
/* If "SSLEngine optional" is configured, this is not an SSL
* connection, and this isn't a subrequest, send an Upgrade
* response header. */
&& !r->main) {
}
/*
* Check to see if SSL is on
*/
if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
return DECLINED;
}
/*
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
#ifdef HAVE_TLSEXT
/* add content of SNI TLS extension (if supplied with ClientHello) */
}
#endif
/* standard SSL environment variables */
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
if (!strIsEmpty(val)) {
}
}
}
/*
*/
r, "SSL_SERVER_CERT");
r, "SSL_CLIENT_CERT");
for (i = 0; i < sk_X509_num(peer_certs); i++) {
r, var);
if (val) {
}
}
}
}
#endif
return DECLINED;
}
/* _________________________________________________________________
**
** Authz providers for use with mod_authz_core
** _________________________________________________________________
*/
const char *require_line,
const void *parsed)
{
if (ssl)
return AUTHZ_GRANTED;
else
return AUTHZ_DENIED;
}
const char *require_line,
const void **parsed)
{
if (require_line && require_line[0])
return "'Require ssl' does not take arguments";
return NULL;
}
{
};
const char *require_line,
const void *parsed)
{
if (!ssl)
return AUTHZ_DENIED;
{
if (xs) {
return AUTHZ_GRANTED;
}
else {
}
}
return AUTHZ_DENIED;
}
const char *require_line,
const void **parsed)
{
if (require_line && require_line[0])
return "'Require ssl-verify-client' does not take arguments";
return NULL;
}
{
};
/* _________________________________________________________________
**
** OpenSSL Callback Functions
** _________________________________________________________________
*/
/*
* Hand out standard DH parameters, based on the authentication strength
*/
{
int type;
#ifdef SSL_CERT_SET_SERVER
/*
* that we get the private key which is indeed used for the current
* SSL connection (available in OpenSSL 1.0.2 or later only)
*/
#endif
/*
* OpenSSL will call us with either keylen == 512 or keylen == 1024
* (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
* Adjust the DH parameter length according to the size of the
* use at least 1024-bit parameters.
* Note: This may cause interoperability issues with implementations
* which limit their DH support to 1024 bit - e.g. Java 7 and earlier.
* In this case, SSLCertificateFile can be used to specify fixed
* 1024-bit DH parameters (with the effect that OpenSSL skips this
* callback).
*/
}
"handing out built-in DH parameters for %d-bit authenticated connection", keylen);
return modssl_get_dh_params(keylen);
}
/*
* This OpenSSL callback function is called when OpenSSL
* does client authentication and verifies the certificate chain.
*/
{
/* Get Apache context back through OpenSSL context */
/* Get verify ingredients */
/*
* Log verification information
*/
"Certificate Verification, depth %d, "
"CRL checking mode: %s", errdepth,
"leaf" : "none"));
/*
* Check for optionally acceptable non-verifiable issuer situation
*/
}
else {
}
if (verify == SSL_CVERIFY_NONE) {
/*
* SSLProxyVerify is either not configured or set to "none".
* (this callback doesn't happen in the server context if SSLVerify
* is not configured or set to "none")
*/
return TRUE;
}
if (ssl_verify_error_is_optional(errnum) &&
{
"Certificate Verification: Verifiable Issuer is "
"configured as optional, therefore we're accepting "
"the certificate");
}
/*
* Expired certificates vs. "expired" CRLs: by default, OpenSSL
* turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)"
* SSL alert, but that's not really the message we should convey to the
* peer (at the very least, it's confusing, and in many cases, it's also
* inaccurate, as the certificate itself may very well not have expired
* yet). We set the X509_STORE_CTX error to something which OpenSSL's
* s3_both.c:ssl_verify_alarm_type() maps to SSL_AD_CERTIFICATE_UNKNOWN,
* i.e. the peer will receive a "certificate_unknown(46)" alert.
* We do not touch errnum, though, so that later on we will still log
* the "real" error, as returned by OpenSSL.
*/
}
#ifndef OPENSSL_NO_OCSP
/*
* Perform OCSP-based revocation checks
*/
/* If there was an optional verification error, it's not
* possible to perform OCSP validation since the issuer may be
if (ssl_verify_error_is_optional(errnum)) {
"cannot perform OCSP validation for cert "
"if issuer has not been verified "
"(optional_no_ca configured)");
} else {
if (!ok) {
}
}
}
#endif
/*
* If we already know it's not ok, log the real reason
*/
if (!ok) {
if (APLOGcinfo(conn)) {
"Certificate Verification: Error (%d): %s",
} else {
"Certificate Verification: Error (%d): %s",
}
if (sslconn->client_cert) {
}
}
/*
* Finally check the depth of the certificate verification
*/
}
else {
}
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are "
"only %d)",
}
/*
* And finally signal OpenSSL the (perhaps changed) state
*/
return ok;
}
#define SSLPROXY_CERT_CB_LOG_FMT \
"Proxy client certificate callback: (%s) "
static void modssl_proxy_info_log(conn_rec *c,
const char *msg)
{
SSLPROXY_CERT_CB_LOG_FMT "%s, sending",
}
/*
* caller will decrement the cert and key reference
* so we need to increment here to prevent them from
* being freed.
*/
{
server_rec *s = mySrvFromConn(c);
int i, j, k;
SSLPROXY_CERT_CB_LOG_FMT "entered",
"downstream server wanted client certificate "
return FALSE;
}
/*
* downstream server didn't send us a list of acceptable CA certs,
* so we send the first client cert in the list.
*/
return TRUE;
}
for (i = 0; i < sk_X509_NAME_num(ca_list); i++) {
for (j = 0; j < sk_X509_INFO_num(certs); j++) {
/* Search certs (by issuer name) one by one*/
"found acceptable cert");
return TRUE;
}
if (ca_cert_chains) {
/*
* Failed to find direct issuer - search intermediates
* (by issuer name), if provided.
*/
ca_certs = ca_cert_chains[j];
for (k = 0; k < sk_X509_num(ca_certs); k++) {
"found acceptable cert by intermediate CA");
return TRUE;
}
} /* end loop through chained certs */
}
} /* end loop through available certs */
}
return FALSE;
}
static void ssl_session_log(server_rec *s,
const char *request,
unsigned char *id,
unsigned int idlen,
const char *status,
const char *result,
long timeout)
{
char buf[SSL_SESSION_ID_STRING_LEN];
if (!APLOGdebug(s)) {
return;
}
if (timeout) {
"timeout=%lds ", timeout);
}
"Inter-Process Session Cache: "
"request=%s status=%s id=%s %s(session %s)",
}
/*
* This callback function is executed by OpenSSL whenever a new SSL_SESSION is
* added to the internal OpenSSL session cache. We use this hook to spread the
* SSL_SESSION also to the inter-process disk-cache to make share it with our
* other Apache pre-forked server processes.
*/
{
/* Get Apache context back through OpenSSL context */
unsigned char *id;
unsigned int idlen;
/*
* Set the timeout also for the internal OpenSSL cache, because this way
* our inter-process cache is consulted only when it's really necessary.
*/
/*
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
#ifdef OPENSSL_NO_SSL_INTERN
#else
#endif
+ timeout),
"caching", timeout);
/*
* return 0 which means to OpenSSL that the session is still
* valid and was not freed by us with SSL_SESSION_free().
*/
return 0;
}
/*
* This callback function is executed by OpenSSL whenever a
* SSL_SESSION is looked up in the internal OpenSSL cache and it
* was not found. We use this to lookup the SSL_SESSION in the
* inter-process disk-cache where it was perhaps stored by one
* of our other Apache pre-forked server processes.
*/
unsigned char *id,
{
/* Get Apache context back through OpenSSL context */
/*
* Try to retrieve the SSL_SESSION from the inter-process cache
*/
/*
* Return NULL or the retrieved SSL_SESSION. But indicate (by
* setting do_copy to 0) that the reference count on the
* SSL_SESSION should not be incremented by the SSL library,
* because we will no longer hold a reference to it ourself.
*/
*do_copy = 0;
return session;
}
/*
* This callback function is executed by OpenSSL whenever a
* SSL_SESSION is removed from the the internal OpenSSL cache.
* We use this to remove the SSL_SESSION in the inter-process
* disk-cache, too.
*/
{
server_rec *s;
unsigned char *id;
unsigned int idlen;
/*
* Get Apache context back through OpenSSL context
*/
return; /* on server shutdown Apache is already gone */
}
sc = mySrvConfig(s);
/*
* Remove the SSL_SESSION from the inter-process cache
*/
#ifdef OPENSSL_NO_SSL_INTERN
#else
#endif
/* TODO: Do we need a temp pool here, or are we always shutting down? */
"OK", "dead", 0);
return;
}
/* Dump debugginfo trace to the log file. */
{
/*
* create the various trace messages
*/
if (where & SSL_CB_HANDSHAKE_START) {
"%s: Handshake: start", SSL_LIBRARY_NAME);
}
else if (where & SSL_CB_HANDSHAKE_DONE) {
"%s: Handshake: done", SSL_LIBRARY_NAME);
}
else if (where & SSL_CB_LOOP) {
"%s: Loop: %s",
}
else if (where & SSL_CB_READ) {
"%s: Read: %s",
}
else if (where & SSL_CB_WRITE) {
"%s: Write: %s",
}
else if (where & SSL_CB_ALERT) {
"%s: Alert: %s:%s:%s",
}
else if (where & SSL_CB_EXIT) {
if (rc == 0) {
"%s: Exit: failed in %s",
}
else if (rc < 0) {
"%s: Exit: error in %s",
}
}
/*
* Because SSL renegotiations can happen at any time (not only after
* SSL_accept()), the best way to log the current connection details is
* right after a finished handshake.
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
"Protocol: %s, Cipher: %s (%s/%s bits)",
}
}
/*
* This callback function is executed while OpenSSL processes the SSL
* handshake and does SSL record layer stuff. It's used to trap
* client-initiated renegotiations, and for dumping everything to the
* log.
*/
{
conn_rec *c;
server_rec *s;
/* Retrieve the conn_rec and the associated SSLConnRec. */
return;
}
return;
}
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
if (state == SSL3_ST_SR_CLNT_HELLO_A
|| state == SSL23_ST_SR_CLNT_HELLO_A) {
"rejecting client initiated renegotiation");
}
}
/* If the first handshake is complete, change state to reject any
* subsequent client-initiated renegotiation. */
}
s = mySrvFromConn(c);
if (s && APLOGdebug(s)) {
}
}
#ifdef HAVE_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended
* client hello with a server name indication extension ("SNI", cf. RFC 6066).
*/
{
const char *servername =
if (c) {
if (servername) {
(void *)servername)) {
"SSL virtual host for servername %s found",
return SSL_TLSEXT_ERR_OK;
}
else {
"No matching SSL virtual host for servername "
/*
* RFC 6066 section 3 says "It is NOT RECOMMENDED to send
* a warning-level unrecognized_name(112) alert, because
* the client's behavior in response to warning-level alerts
* is unpredictable."
*
* To maintain backwards compatibility in mod_ssl, we
* no longer send any alert (neither warning- nor fatal-level),
* i.e. we take the second action suggested in RFC 6066:
* "If the server understood the ClientHello extension but
* does not recognize the server name, the server SHOULD take
* one of two actions: either abort the handshake by sending
* a fatal-level unrecognized_name(112) alert or continue
* the handshake."
*/
}
}
else {
"Server name not provided via TLS extension "
}
}
return SSL_TLSEXT_ERR_NOACK;
}
/*
* Find a (name-based) SSL virtual host where either the ServerName
* or one of the ServerAliases matches the supplied name (to be used
* with ap_vhost_iterate_given_conn())
*/
{
int i;
/* check ServerName */
}
/*
* if not matched yet, check ServerAlias entries
* (adapted from vhost.c:matches_aliases())
*/
if (!found) {
if (names) {
if (!name[i])
continue;
break;
}
}
}
}
/* if still no match, check ServerAlias entries with wildcards */
if (!found) {
names = s->wild_names;
if (names) {
if (!name[i])
continue;
break;
}
}
}
}
/* set SSL_CTX (if matched) */
sslcon = myConnConfig(c);
(sc = mySrvConfig(s))) {
/*
* SSL_set_SSL_CTX() only deals with the server cert,
* so we need to duplicate a few additional settings
* from the ctx by hand
*/
(SSL_num_renegotiations(ssl) == 0)) {
/*
* Only initialize the verification settings from the ctx
* if they are not yet set, or if we're called when a new
* SSL connection is set up (num_renegotiations == 0).
* Otherwise, we would possibly reset a per-directory
* configuration which was put into effect by ssl_hook_Access.
*/
}
/*
* Adjust the session id context. ssl_init_ssl_connection()
* always picks the configuration of the first vhost when
* calling SSL_new(), but we want to tie the session to the
* vhost we have just switched to. Again, we have to make sure
* that we're not overwriting a session id context which was
* possibly set in ssl_hook_Access(), before triggering
* a renegotiation.
*/
if (SSL_num_renegotiations(ssl) == 0) {
unsigned char *sid_ctx =
(unsigned char *)ap_md5_binary(c->pool,
sc->vhost_id_len);
}
/*
* Save the found server into our SSLConnRec for later
* retrieval
*/
/*
* There is one special filter callback, which is set
* very early depending on the base_server's log level.
* If this is not the first vhost we're now selecting
* (and the first vhost doesn't use APLOG_TRACE4), then
* we need to set that callback here.
*/
if (APLOGtrace4(s)) {
}
return 1;
}
return 0;
}
#endif /* HAVE_TLSEXT */
#ifdef HAVE_TLS_SESSION_TICKETS
/*
* This callback function is executed when OpenSSL needs a key for encrypting/
* decrypting a TLS session ticket (RFC 5077) and a ticket key file has been
* configured through SSLSessionTicketKeyFile.
*/
unsigned char *keyname,
unsigned char *iv,
int mode)
{
server_rec *s = mySrvFromConn(c);
if (mode == 1) {
/*
* OpenSSL is asking for a key for encrypting a ticket,
* see s3_srvr.c:ssl3_send_newsession_ticket()
*/
if (ticket_key == NULL) {
/* should never happen, but better safe than sorry */
return -1;
}
"TLS session ticket key for %s successfully set, "
return 0;
}
else if (mode == 0) {
/*
* OpenSSL is asking for the decryption key,
* see t1_lib.c:tls_decrypt_ticket()
*/
/* check key name */
return 0;
}
"TLS session ticket key for %s successfully set, "
return 1;
}
/* OpenSSL is not expected to call us with modes other than 1 or 0 */
return -1;
}
#endif /* HAVE_TLS_SESSION_TICKETS */
#ifdef HAVE_TLS_NPN
/*
* This callback function is executed when SSL needs to decide what protocols
* to advertise during Next Protocol Negotiation (NPN). It must produce a
* string in wire format -- a sequence of length-prefixed strings -- indicating
* the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
* in OpenSSL for reference.
*/
{
int num_protos;
unsigned int size;
int i;
unsigned char *data;
unsigned char *start;
*size_out = 0;
/* If the connection object is not available, or there are no NPN
* hooks registered, then there's nothing for us to do. */
return SSL_TLSEXT_ERR_OK;
}
/* Invoke our npn_advertise_protos hook, giving other modules a chance to
* add alternate protocol names to advertise. */
break;
}
/* We now have a list of null-terminated strings; we need to concatenate
* them together into a single string, where each protocol name is prefixed
* by its length. First, calculate how long that string will be. */
size = 0;
for (i = 0; i < num_protos; ++i) {
/* If the protocol name is too long (the length must fit in one byte),
* then log an error and skip it. */
if (length > 255) {
"SSL NPN protocol name too long (length=%u): %s",
continue;
}
/* Leave room for the length prefix (one byte) plus the protocol name
* itself. */
}
/* If there is nothing to advertise (either because no modules added
* anything to the protos array, or because all strings added to the array
* were skipped), then we're done. */
if (size == 0) {
return SSL_TLSEXT_ERR_OK;
}
/* Now we can build the string. Copy each protocol name string into the
* larger string, prefixed by its length. */
for (i = 0; i < num_protos; ++i) {
if (length > 255)
continue;
++start;
}
/* Success. */
return SSL_TLSEXT_ERR_OK;
}
#endif /* HAVE_TLS_NPN */
#ifdef HAVE_SRP
{
SRP_user_pwd *u;
return SSL3_AL_FATAL;
}
return SSL3_AL_FATAL;
}
/* reset all other options */
return SSL_ERROR_NONE;
}
#endif /* HAVE_SRP */