ssl_engine_kernel.c revision c10fe96ac7d024918e26af6c8ba5470273b75bb2
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
** |_____|
** The SSL engine kernel
*/
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*/
/* ``It took me fifteen years to discover
I had no talent for programming, but
I couldn't give it up because by that
time I was too famous.''
-- Unknown */
#include "mod_ssl.h"
/*
* Close the SSL part of the socket connection
* (called immediately _before_ the socket is closed)
*/
/* XXX: perhaps ssl_abort() should call us or vice-versa
* lot of the same happening in both places
*/
{
const char *cpType = "";
return APR_SUCCESS;
/*
* Now close the SSL layer of the connection. We've to take
* the TLSv1 standard into account here:
*
* | 7.2.1. Closure alerts
* |
* | The client and the server must share knowledge that the connection is
* | ending in order to avoid a truncation attack. Either party may
* | initiate the exchange of closing messages.
* |
* | close_notify
* | This message notifies the recipient that the sender will not send
* | any more messages on this connection. The session becomes
* | unresumable if any connection is terminated without proper
* | close_notify messages with level equal to warning.
* |
* | Either party may initiate a close by sending a close_notify alert.
* | Any data received after a closure alert is ignored.
* |
* | Each party is required to send a close_notify alert before closing
* | the write side of the connection. It is required that the other party
* | respond with a close_notify alert of its own and close down the
* | connection immediately, discarding any pending writes. It is not
* | required for the initiator of the close to wait for the responding
* | close_notify alert before closing the read side of the connection.
*
* This means we've to send a close notify message, but haven't to wait
* for the close notify of the client. Actually we cannot wait for the
* close notify of the client because some clients (including Netscape
* 4.x) don't send one, so we would hang.
*/
/*
* exchange close notify messages, but allow the user
* to force the type of handshake via SetEnvIf directive
*/
switch (sslconn->shutdown_type) {
case SSL_SHUTDOWN_TYPE_UNSET:
/* send close notify, but don't wait for clients close notify
(standard compliant and safe, so it's the DEFAULT!) */
cpType = "standard";
break;
/* perform no close notify handshake at all
cpType = "unclean";
break;
/* send close notify and wait for clients close notify
(standard compliant, but usually causes connection hangs) */
SSL_set_shutdown(ssl, 0);
cpType = "accurate";
break;
}
/* and finally log the fact that we've closed the connection */
"Connection to child %d closed with %s shutdown"
"(server %s, client %s)",
}
/* deallocate the SSL connection */
return APR_SUCCESS;
}
/*
* Post Read Request Handler
*/
int ssl_hook_ReadReq(request_rec *r)
{
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
*/
SSL_set_app_data2(ssl, r);
}
/*
* Force the mod_ssl content handler when URL indicates this
*/
r->handler = "mod_ssl:content-handler";
return DECLINED;
}
/*
* to allow the close connection handler to use them.
*/
{
int i;
switch (*key) {
case 's':
/* being case-sensitive here.
* and not checking for the -shutdown since these are the only
* SetEnvIf "flags" we support
*/
key += 4;
}
}
return; /* should only ever be one ssl-*-shutdown */
}
break;
}
}
}
/*
* URL Translation Handler
*/
int ssl_hook_Translate(request_rec *r)
{
return DECLINED;
/*
* Log information about incoming HTTPS requests
*/
"%s HTTPS request received for child %d (server %s)",
r->connection->keepalives <= 0 ?
"Initial (No.1)" :
r->connection->id,
}
/* SetEnvIf ssl-*-shutdown flags can only be per-server,
* so they won't change across keepalive requests
*/
ssl_configure_env(r, sslconn);
}
return DECLINED;
}
/*
* Content Handler
*/
int ssl_hook_Handler(request_rec *r)
{
int port;
char *thisport;
char *thisurl;
return DECLINED;
return DECLINED;
thisport = "";
port = ap_get_server_port(r);
if (!ap_is_default_port(port, r))
ap_get_server_name(r), thisport));
"Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
"Instead use the HTTPS scheme to access this URL, please.<br />\n"
"<blockquote>Hint: <a href=\"%s\"><b>%s</b></a></blockquote>",
}
return HTTP_BAD_REQUEST;
}
/*
* Access Handler
*/
int ssl_hook_Access(request_rec *r)
{
char *cp;
int ok;
int i;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
char *cpCAPath;
char *cpCAFile;
#endif
int depth;
int nVerifyOld;
int nVerify;
int n;
int rc;
dc = myDirConfig(r);
/*
* Support for SSLRequireSSL directive
*/
"access to %s failed for %s, reason: %s", r->filename,
"SSL connection required");
/* remember forbidden access for strict require option */
return HTTP_FORBIDDEN;
}
/*
* Check to see if SSL protocol is on
*/
return DECLINED;
return DECLINED;
/*
* Support for per-directory reconfigured SSL connection parameters.
*
* This is implemented by forcing an SSL renegotiation with the
* reconfigured parameter suite. But Apache's internal API processing
* makes our life very hard here, because when internal sub-requests occur
* we nevertheless should avoid multiple unnecessary SSL handshakes (they
* require extra network I/O and especially time to perform).
*
* But the optimization for filtering out the unnecessary handshakes isn't
* obvious and trivial. Especially because while Apache is in its
* sub-request processing the client could force additional handshakes,
* too. And these take place perhaps without our notice. So the only
* possibility is to explicitly _ask_ OpenSSL whether the renegotiation
* has to be performed or not. It has to performed when some parameters
* which were previously known (by us) are not those we've now
* reconfigured (as known by OpenSSL) or (in optimized way) at least when
* the reconfigured parameter suite is stronger (more restrictions) than
* the currently active one.
*/
renegotiate = FALSE;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
#endif
/*
* Override of SSLCipherSuite
*
* We provide two options here:
*
* o The paranoid and default approach where we force a renegotiation when
* the cipher suite changed in _any_ way (which is straight-forward but
* often forces renegotiations too often and is perhaps not what the
* user actually wanted).
*
* o The optimized and still secure way where we force a renegotiation
* only if the currently active cipher is no longer contained in the
* reconfigured/new cipher suite. Any other changes are not important
* because it's the servers choice to select a cipher from the ones the
* client supports. So as long as the current cipher is still in the new
* cipher suite we're happy. Because we can assume we would have
* selected it again even when other (better) ciphers exists now in the
* new cipher suite. This approach is fine because the user explicitly
* has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
* implicit optimizations.
*/
/* remember old state */
skCipherOld = NULL;
else {
if (skCipherOld != NULL)
}
/* configure new state */
"Unable to reconfigure (per-directory) permitted SSL ciphers");
if (skCipherOld != NULL)
return HTTP_FORBIDDEN;
}
/* determine whether a renegotiation has to be forced */
/* optimized way */
renegotiate = TRUE;
renegotiate = TRUE;
}
}
else {
/* paranoid way */
renegotiate = TRUE;
renegotiate = TRUE;
}
renegotiate = TRUE;
}
}
}
/* cleanup */
if (skCipherOld != NULL)
/* tracing */
if (renegotiate)
"Reconfigured cipher suite will force renegotiation");
}
/*
* override of SSLVerifyDepth
*
* The depth checks are handled by us manually inside the verify callback
* function and not by OpenSSL internally (and our function is aware of
* both the per-server and per-directory contexts). So we cannot ask
* OpenSSL about the currently verify depth. Instead we remember it in our
* ap_ctx attached to the SSL* of OpenSSL. We've to force the
* renegotiation if the reconfigured/new verify depth is less than the
* currently active/remembered verify depth (because this means more
* restriction on the certificate chain).
*/
/* XXX: doesnt look like sslconn->verify_depth is actually used */
if (!(n = sslconn->verify_depth)) {
}
/* determine whether a renegotiation has to be forced */
if (dc->nVerifyDepth < n) {
renegotiate = TRUE;
"Reduced client verification depth will force renegotiation");
}
}
/*
* override of SSLVerifyClient
*
* We force a renegotiation if the reconfigured/new verify type is
* stronger than the currently active verify type.
*
* The order is: none << optional_no_ca << optional << require
*
* Additionally the following optimization is possible here: When the
* currently active verify type is "none" but a client certificate is
* verification but at least skip the I/O-intensive renegotation
* handshake.
*/
/* remember old state */
/* configure new state */
/* determine whether we've to force a renegotiation */
if (nVerify != nVerifyOld) {
if ( ( (nVerifyOld == SSL_VERIFY_NONE)
&& (nVerify != SSL_VERIFY_NONE))
|| ( !(nVerifyOld & SSL_VERIFY_PEER)
&& (nVerify & SSL_VERIFY_PEER))
renegotiate = TRUE;
/* optimization */
&& nVerifyOld == SSL_VERIFY_NONE
"Changed client verification type will force %srenegotiation",
}
}
}
/*
* override SSLCACertificateFile & SSLCACertificatePath
* This is tagged experimental because it has to use an ugly kludge: We
* have to change the locations inside the SSL_CTX* (per-server global)
* instead inside SSL* (per-connection local) and reconfigure it to the
* old values later. That's problematic at least for the threaded process
* model of Apache under Win32 or when an error occurs. But unless
* OpenSSL provides a SSL_load_verify_locations() function we've no other
* chance to provide this functionality...
*/
#ifdef SSL_EXPERIMENTAL_PERDIRCA
/*
FIXME: This should be...
if (!SSL_load_verify_locations(ssl, cpCAFile, cpCAPath)) {
...but OpenSSL still doesn't provide this!
*/
"Unable to reconfigure verify locations "
"for client authentication");
return HTTP_FORBIDDEN;
}
"Unable to determine list of available "
"CA certificates for client authentication");
return HTTP_FORBIDDEN;
}
renegotiate = TRUE;
"Changed client verification locations will force renegotiation");
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
/*
* SSL renegotiations in conjunction with HTTP
* requests using the POST method are not supported.
*
* Background:
*
* attached MIME headers ("Foo: bar") up to the terminating line ("CR
* LF"). An attached request body (for instance the data of a POST
* method) is _NOT_ read. Instead it is read by mod_cgi's content
* handler and directly passed to the CGI script.
*
* 2. mod_ssl supports per-directory re-configuration of SSL parameters.
* This is implemented by performing an SSL renegotiation of the
* re-configured parameters after the request is read, but before the
* response is sent. In more detail: the renegotiation happens after the
* request line and MIME headers were read, but _before_ the attached
* request body is read. The reason simply is that in the HTTP protocol
* usually there is no acknowledgment step between the headers and the
* body (there is the 100-continue feature and the chunking facility
* only), so Apache has no API hook for this step.
*
* 3. the problem now occurs when the client sends a POST request for
* URL /foo via HTTPS the server and the server has SSL parameters
* re-configured on a per-URL basis for /foo. Then mod_ssl has to
* perform an SSL renegotiation after the request was read and before
* the response is sent. But the problem is the pending POST body data
* in the receive buffer of SSL (which Apache still has not read - it's
* pending until mod_cgi sucks it in). When mod_ssl now tries to perform
* the renegotiation the pending data leads to an I/O error.
*
* Solution Idea:
*
* There are only two solutions: Either to simply state that POST
* requests to URLs with SSL re-configurations are not allowed, or to
* renegotiate really after the _complete_ request (i.e. including
* the POST body) was read. Obviously the latter would be preferred,
* but it cannot be done easily inside Apache, because as already
* mentioned, there is no API step between the body reading and the body
* processing. And even when we mod_ssl would hook directly into the
* loop of mod_cgi, we wouldn't solve the problem for other handlers, of
* course. So the only general solution is to suck in the pending data
* of the request body from the OpenSSL BIO into the Apache BUFF. Then
* the renegotiation can be done and after this step Apache can proceed
* processing the request as before.
*
* Solution Implementation:
*
* We cannot simply suck in the data via an SSL_read-based loop because of
* HTTP chunking. Instead we _have_ to use the Apache API for this step which
* is aware of HTTP chunking. So the trick is to suck in the pending request
* data via the Apache API (which uses Apache's BUFF code and in the
* background mod_ssl's I/O glue code) and re-inject it later into the Apache
* BUFF code again. This way the data flows twice through the Apache BUFF, of
* course. But this way the solution doesn't depend on any Apache specifics
* and is fully transparent to Apache modules.
*
* !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !!
*/
"SSL Re-negotiation in conjunction with POST method not supported!");
return HTTP_METHOD_NOT_ALLOWED;
}
/*
* now do the renegotiation if anything was actually reconfigured
*/
if (renegotiate) {
/*
* Now we force the SSL renegotation by sending the Hello Request
* message to the client. Here we have to do a workaround: Actually
* OpenSSL returns immediately after sending the Hello Request (the
* that the client replies to a Hello Request). But because we insist
* on a reply (anything else is an error for us) we have to go to the
* ACCEPT state manually. Using SSL_set_accept_state() doesn't work
* here because it resets too much of the connection. So we set the
* state explicitly and continue the handshake manually.
*/
"Requesting connection re-negotiation");
if (renegotiate_quick) {
/* perform just a manual re-verification of the peer */
"Performing quick renegotiation: "
"just re-verifying the peer");
"Cannot find certificate storage");
return HTTP_FORBIDDEN;
}
"Cannot find peer certificate chain");
return HTTP_FORBIDDEN;
}
if (depth >= 0)
SSL_get_ex_data_X509_STORE_CTX_idx(), (char *)ssl);
if (!X509_verify_cert(&certstorectx))
"Re-negotiation verification step failed");
}
else {
/* do a full renegotiation */
"Performing full renegotiation: "
"complete handshake protocol");
sizeof(r->main));
else
SSL_set_session_id_context(ssl, (unsigned char *)&r, sizeof(r));
/* will need to push to / pull from filters to renegotiate */
"Re-negotiation request failed");
return HTTP_FORBIDDEN;
}
"Awaiting re-negotiation handshake");
"Re-negotiation handshake failed: "
"Not accepted by client!?");
return HTTP_FORBIDDEN;
}
}
/*
* Remember the peer certificate's DN
*/
}
/*
* Finally check for acceptable renegotiation results
*/
"Re-negotiation handshake failed: Client verification failed");
return HTTP_FORBIDDEN;
}
"Re-negotiation handshake failed: Client certificate missing");
return HTTP_FORBIDDEN;
}
}
}
/*
* Under old OpenSSL we had to change the X509_STORE inside the
* SSL_CTX instead inside the SSL structure, so we have to reconfigure it
* to the old values. This should be changed with forthcoming OpenSSL
* versions when better functionality is avaiable.
*/
#ifdef SSL_EXPERIMENTAL_PERDIRCA
if (renegotiate && reconfigured_locations) {
"Unable to reconfigure verify locations "
"to per-server configuration parameters");
return HTTP_FORBIDDEN;
}
}
#endif /* SSL_EXPERIMENTAL_PERDIRCA */
/*
* Check SSLRequire boolean expressions
*/
for (i = 0; i < apRequirement->nelts; i++) {
pRequirement = &pRequirements[i];
if (ok < 0) {
"access to %s failed for %s, reason: %s", r->filename,
/* remember forbidden access for strict require option */
return HTTP_FORBIDDEN;
}
if (ok != 1) {
"Access to %s denied for %s (requirement expression not fulfilled)",
"access to %s failed for %s, reason: %s", r->filename,
"SSL requirement expression not fulfilled "
"(see SSL logfile for more details)");
/* remember forbidden access for strict require option */
return HTTP_FORBIDDEN;
}
}
/*
* Else access is granted from our point of view (except vendor
* handlers override). But we have to return DECLINED here instead
* of OK, because mod_auth and other modules still might want to
* deny access.
*/
return rc;
}
/*
* Authentication Handler:
* Fake a Basic authentication from the X509 client certificate.
*
* This must be run fairly early on to prevent a real authentication from
* occuring, in particular it must be run before anything else that
* authenticates a user. This means that the Module statement for this
* module should be LAST in the Configuration file.
*/
int ssl_hook_UserCheck(request_rec *r)
{
char *clientdn;
const char *cpAL;
const char *cpUN;
const char *cpPW;
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
return HTTP_FORBIDDEN;
/*
* Make sure the user is not able to fake the client certificate
* based authentication by just entering an X.509 Subject DN
* password.
*/
cpAL++;
return HTTP_FORBIDDEN;
}
}
/*
* We decline operation in various situations...
*/
return DECLINED;
return DECLINED;
return DECLINED;
if (r->user)
return DECLINED;
return DECLINED;
}
/*
* Fake a password - which one would be immaterial, as, it seems, an empty
* password in the users file would match ALL incoming passwords, if only
* we were using the standard crypt library routine. Unfortunately, OpenSSL
* "fixes" a "bug" in crypt and thus prevents blank passwords from
* working. (IMHO what they really fix is a bug in the users of the code
* - failing to program correctly for shadow passwords). We need,
* therefore, to provide a password. This password can be matched by
* adding the string "xxj31ZMTZzkVA" as the password in the user file.
* This is just the crypted variant of the word "password" ;-)
*/
"Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
return DECLINED;
}
/* authorization phase */
int ssl_hook_Auth(request_rec *r)
{
/*
* Additionally forbid access (again)
* when strict require option is used.
*/
return HTTP_FORBIDDEN;
return DECLINED;
}
/*
* Fixup Handler
*/
static const char *ssl_hook_Fixup_vars[] = {
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
"SSL_CIPHER_ALGKEYSIZE",
"SSL_CLIENT_VERIFY",
"SSL_CLIENT_M_VERSION",
"SSL_CLIENT_M_SERIAL",
"SSL_CLIENT_V_START",
"SSL_CLIENT_V_END",
"SSL_CLIENT_S_DN",
"SSL_CLIENT_S_DN_C",
"SSL_CLIENT_S_DN_ST",
"SSL_CLIENT_S_DN_L",
"SSL_CLIENT_S_DN_O",
"SSL_CLIENT_S_DN_OU",
"SSL_CLIENT_S_DN_CN",
"SSL_CLIENT_S_DN_T",
"SSL_CLIENT_S_DN_I",
"SSL_CLIENT_S_DN_G",
"SSL_CLIENT_S_DN_S",
"SSL_CLIENT_S_DN_D",
"SSL_CLIENT_S_DN_UID",
"SSL_CLIENT_S_DN_Email",
"SSL_CLIENT_I_DN",
"SSL_CLIENT_I_DN_C",
"SSL_CLIENT_I_DN_ST",
"SSL_CLIENT_I_DN_L",
"SSL_CLIENT_I_DN_O",
"SSL_CLIENT_I_DN_OU",
"SSL_CLIENT_I_DN_CN",
"SSL_CLIENT_I_DN_T",
"SSL_CLIENT_I_DN_I",
"SSL_CLIENT_I_DN_G",
"SSL_CLIENT_I_DN_S",
"SSL_CLIENT_I_DN_D",
"SSL_CLIENT_I_DN_UID",
"SSL_CLIENT_I_DN_Email",
"SSL_CLIENT_A_KEY",
"SSL_CLIENT_A_SIG",
"SSL_SERVER_M_VERSION",
"SSL_SERVER_M_SERIAL",
"SSL_SERVER_V_START",
"SSL_SERVER_V_END",
"SSL_SERVER_S_DN",
"SSL_SERVER_S_DN_C",
"SSL_SERVER_S_DN_ST",
"SSL_SERVER_S_DN_L",
"SSL_SERVER_S_DN_O",
"SSL_SERVER_S_DN_OU",
"SSL_SERVER_S_DN_CN",
"SSL_SERVER_S_DN_T",
"SSL_SERVER_S_DN_I",
"SSL_SERVER_S_DN_G",
"SSL_SERVER_S_DN_S",
"SSL_SERVER_S_DN_D",
"SSL_SERVER_S_DN_UID",
"SSL_SERVER_S_DN_Email",
"SSL_SERVER_I_DN",
"SSL_SERVER_I_DN_C",
"SSL_SERVER_I_DN_ST",
"SSL_SERVER_I_DN_L",
"SSL_SERVER_I_DN_O",
"SSL_SERVER_I_DN_OU",
"SSL_SERVER_I_DN_CN",
"SSL_SERVER_I_DN_T",
"SSL_SERVER_I_DN_I",
"SSL_SERVER_I_DN_G",
"SSL_SERVER_I_DN_S",
"SSL_SERVER_I_DN_D",
"SSL_SERVER_I_DN_UID",
"SSL_SERVER_I_DN_Email",
"SSL_SERVER_A_KEY",
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
};
int ssl_hook_Fixup(request_rec *r)
{
apr_table_t *e = r->subprocess_env;
char *var;
char *val = "";
int i;
/*
* Check to see if SSL is on
*/
return DECLINED;
return DECLINED;
/*
*/
/* the always present HTTPS (=HTTP over SSL) flag! */
/* standard SSL environment variables */
for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
var = (char *)ssl_hook_Fixup_vars[i];
if (!strIsEmpty(val))
}
}
/*
*/
for (i = 0; i < sk_X509_num(sk); i++) {
}
}
}
return DECLINED;
}
/* _________________________________________________________________
**
** OpenSSL Callback Functions
** _________________________________________________________________
*/
/*
* Handle out temporary RSA private keys on demand
*
* The background of this as the TLSv1 standard explains it:
*
* | D.1. Temporary RSA keys
* |
* | US Export restrictions limit RSA keys used for encryption to 512
* | bits, but do not place any limit on lengths of RSA keys used for
* | signing operations. Certificates often need to be larger than 512
* | bits, since 512-bit RSA keys are not secure enough for high-value
* | transactions or for applications requiring long-term security. Some
* | certificates are also designated signing-only, in which case they
* | cannot be used for key exchange.
* |
* | When the public key in the certificate cannot be used for encryption,
* | the server signs a temporary RSA key, which is then exchanged. In
* | exportable applications, the temporary RSA key should be the maximum
* | allowable length (i.e., 512 bits). Because 512-bit RSA keys are
* | relatively insecure, they should be changed often. For typical
* | electronic commerce applications, it is suggested that keys be
* | changed daily or every 500 transactions, and more often if possible.
* | Note that while it is acceptable to use the same temporary key for
* | multiple transactions, it must be signed each time it is used.
* |
* | RSA key generation is a time-consuming process. In many cases, a
* | low-priority process can be assigned the task of key generation.
* | Whenever a new key is completed, the existing temporary key can be
* | replaced with the new one.
*
* So we generated 512 and 1024 bit temporary keys on startup
* which we now just handle out on demand....
*/
{
if (nExport) {
/* It's because an export cipher is used */
if (nKeyLen == 512)
else if (nKeyLen == 1024)
else
/* it's too expensive to generate on-the-fly, so keep 1024bit */
}
else {
/* It's because a sign-only certificate situation exists */
}
return rsa;
}
/*
* Handle out the already generated DH parameters...
*/
{
if (nExport) {
/* It's because an export cipher is used */
if (nKeyLen == 512)
else if (nKeyLen == 1024)
else
/* it's too expensive to generate on-the-fly, so keep 1024bit */
}
else {
/* It's because a sign-only certificate situation exists */
}
return dh;
}
/*
* This OpenSSL callback function is called when OpenSSL
* does client authentication and verifies the certificate chain.
*/
{
server_rec *s;
request_rec *r;
int errnum;
int errdepth;
int depth;
int verify;
/*
* Get Apache context back through OpenSSL context
*/
s = conn->base_server;
sc = mySrvConfig(s);
/*
* Get verify ingredients
*/
/*
* Log verification information
*/
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: depth: %d, subject: %s, issuer: %s",
if (cp)
if (cp2)
}
/*
* Check for optionally acceptable non-verifiable issuer situation
*/
else
if (ssl_verify_error_is_optional(errnum) &&
{
ssl_log(s, SSL_LOG_TRACE,
"Certificate Verification: Verifiable Issuer is configured as "
"optional, therefore we're accepting the certificate");
}
/*
* Additionally perform CRL-based revocation checks
*/
if (ok) {
if (!ok)
}
/*
* If we already know it's not ok, log the real reason
*/
if (!ok) {
}
/*
* Finally check the depth of the certificate verification
*/
else
ssl_log(s, SSL_LOG_ERROR,
"Certificate Verification: Certificate Chain too long "
"(chain has %d certificates, but maximum allowed are only %d)",
}
/*
* And finally signal OpenSSL the (perhaps changed) state
*/
return (ok);
}
{
int i, n, rc;
/*
* Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course.
*/
sc = mySrvConfig(s);
return ok;
/*
* Determine certificate ingredients in advance
*/
/*
* OpenSSL provides the general mechanism to deal with CRLs but does not
* use them automatically when verifying certificates, so we do it
* explicitly here. We will check the CRL for the currently checked
* certificate, if there is such a CRL in the store.
*
* We come through this procedure for each certificate in the certificate
* chain, starting with the root-CA's certificate. At each step we've to
* both verify the signature on the CRL (to make sure it's a valid CRL)
* and it's revocation list (to make sure the current certificate isn't
* revoked). But because to check the signature on the CRL we need the
* public key of the issuing CA certificate (which was already processed
* one round before), we've a little problem. But we can both solve it and
* at the same time optimize the processing by using the following
* verification scheme (idea and code snippets borrowed from the GLOBUS
* project):
*
* 1. We'll check the signature of a CRL in each step when we find a CRL
* through the _subject_ name of the current certificate. This CRL
* itself will be needed the first time in the next round, of course.
* But we do the signature processing one round before this where the
* public key of the CA is available.
*
* 2. We'll check the revocation list of a CRL in each step when
* we find a CRL through the _issuer_ name of the current certificate.
* This CRLs signature was then already verified one round before.
*
* This verification scheme allows a CA to revoke its own certificate as
* well, of course.
*/
/*
* Try to retrieve a CRL corresponding to the _subject_ of
* the current certificate in order to verify it's integrity.
*/
/*
* Log information about CRL
* (A little bit complicated because of ASN.1 and BIOs...)
*/
char *cp;
char *cp2;
n = BIO_pending(bio);
}
/*
* Verify the signature on this CRL
*/
return FALSE;
}
/*
* Check date of CRL to make sure it's not expired
*/
if (i == 0) {
return FALSE;
}
if (i < 0) {
ssl_log(s, SSL_LOG_WARN,
"Found CRL is expired - "
"revoking all certificates until you get updated CRL");
return FALSE;
}
}
/*
* Try to retrieve a CRL corresponding to the _issuer_ of
* the current certificate in order to check for revocation.
*/
/*
* Check if the current certificate is revoked by this CRL
*/
#if SSL_LIBRARY_VERSION < 0x00904000
#else
#endif
for (i = 0; i < n; i++) {
#if SSL_LIBRARY_VERSION < 0x00904000
#else
#endif
X509_get_serialNumber(xs)) == 0) {
long serial = ASN1_INTEGER_get(
ssl_log(s, SSL_LOG_INFO,
"Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s",
}
return FALSE;
}
}
}
return ok;
}
/*
* This callback function is executed by OpenSSL whenever a new SSL_SESSION is
* added to the internal OpenSSL session cache. We use this hook to spread the
* SSL_SESSION also to the inter-process disk-cache to make share it with our
* other Apache pre-forked server processes.
*/
{
server_rec *s;
long t;
unsigned char *session_id;
unsigned int session_id_length;
/*
* Get Apache context back through OpenSSL context
*/
s = conn->base_server;
sc = mySrvConfig(s);
/*
* Set the timeout also for the internal OpenSSL cache, because this way
* our inter-process cache is consulted only when it's really necessary.
*/
t = sc->nSessionCacheTimeout;
SSL_set_timeout(pNew, t);
/*
* Store the SSL_SESSION in the inter-process cache with the
* same expire time, so it expires automatically there, too.
*/
/*
* Log this cache operation
*/
"request=SET status=%s id=%s timeout=%ds (session caching)",
/*
* return 0 which means to OpenSSL that the pNew is still
* valid and was not freed by us with SSL_SESSION_free().
*/
return 0;
}
/*
* This callback function is executed by OpenSSL whenever a
* SSL_SESSION is looked up in the internal OpenSSL cache and it
* was not found. We use this to lookup the SSL_SESSION in the
* inter-process disk-cache where it was perhaps stored by one
* of our other Apache pre-forked server processes.
*/
{
server_rec *s;
/*
* Get Apache context back through OpenSSL context
*/
s = conn->base_server;
/*
* Try to retrieve the SSL_SESSION from the inter-process cache
*/
/*
* Log this cache operation
*/
"request=GET status=FOUND id=%s (session reuse)",
else
"request=GET status=MISSED id=%s (session renewal)",
/*
* Return NULL or the retrieved SSL_SESSION. But indicate (by
* setting pCopy to 0) that the reference count on the
* SSL_SESSION should not be incremented by the SSL library,
* because we will no longer hold a reference to it ourself.
*/
*pCopy = 0;
return pSession;
}
/*
* This callback function is executed by OpenSSL whenever a
* SSL_SESSION is removed from the the internal OpenSSL cache.
* We use this to remove the SSL_SESSION in the inter-process
* disk-cache, too.
*/
{
server_rec *s;
unsigned char *session_id;
unsigned int session_id_length;
/*
* Get Apache context back through OpenSSL context
*/
if (s == NULL) /* on server shutdown Apache is already gone */
return;
/*
* Remove the SSL_SESSION from the inter-process cache
*/
/*
* Log this cache operation
*/
"request=REM status=OK id=%s (session dead)",
return;
}
/*
* This callback function is executed while OpenSSL processes the
* SSL handshake and does SSL record layer stuff. We use it to
* trace OpenSSL's processing in out SSL logfile.
*/
#if SSL_LIBRARY_VERSION >= 0x00907000
#else
#endif
{
conn_rec *c;
server_rec *s;
char *str;
/*
* find corresponding server
*/
return;
s = c->base_server;
return;
/*
* create the various trace messages
*/
if (where & SSL_CB_HANDSHAKE_START)
else if (where & SSL_CB_HANDSHAKE_DONE)
else if (where & SSL_CB_LOOP)
else if (where & SSL_CB_READ)
else if (where & SSL_CB_WRITE)
else if (where & SSL_CB_ALERT) {
}
else if (where & SSL_CB_EXIT) {
if (rc == 0)
else if (rc < 0)
}
}
/*
* Because SSL renegotations can happen at any time (not only after
* SSL_accept()), the best way to log the current connection details is
* right after a finished handshake.
*/
if (where & SSL_CB_HANDSHAKE_DONE) {
ssl_log(s, SSL_LOG_INFO,
"Connection: Client IP: %s, Protocol: %s, Cipher: %s (%s/%s bits)",
}
return;
}