Add a docs remark about "SSLOptions StdEnvVars" being not necessary for mod_rewrite "%{SSL:VARIABLE}" feature and for the mod_ssl extensions to mod_log_config (%{VARIABLE}x).

CTR

Backport of r1706989 from trunk resp. r1707123 from 2.4.x.

Try to clarify extended uses of SSLCertificateFile.

Backport of r1682923 and r1682937 from trunk, resp. r1682929 and r1682939 from 2.4.x.

Be more precise.

docs = CTR.

Backport of r1681037 from trunk resp. r1681034 from 2.4.x.

Merge r1526168, r1527291, r1527295, r1563420, r1588851, r1666363, r1679470

r1526168 | kbrand | 2013-09-25 14:52:35 +0200 (Wed, 25 Sep 2013) | 21 lines

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed for export ciphers)
- drop pTmpKeys from the per-process SSLModConfigRec, and remove the temp key generation at startup (unnecessary for DHE/ECDHE)
- unconditionally disable null and export-grade ciphers by always prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string
- do not configure per-connection SSL_tmp_*_callbacks, as it is sufficient to set them for the SSL_CTX
- set default curve for ECDHE at startup, obviating the need for a per-handshake callback, for the time being (and also configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

r1527291 | kbrand | 2013-09-29 11:36:31 +0200 (Sun, 29 Sep 2013) | 9 lines

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too
- make sure we also disable aNULL, eNULL and EXP ciphers for per-directory SSLCipherSuite directives
- apply the same treatment to SSLProxyCipherSuite

r1527295 | kbrand | 2013-09-29 12:35:46 +0200 (Sun, 29 Sep 2013) | 20 lines

Improve ephemeral key handling (companion to r1526168):

- allow configuring custom DHE or ECDHE parameters via the SSLCertificateFile directive, and adapt its documentation accordingly (addresses PR 49559)
- add standardized DH parameters from RFCs 2409 and 3526, use them based on the length of the certificate's RSA/DSA key, and add a FAQ entry for clients which limit DH support to 1024 bits (such as Java 7 and earlier)
- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()
- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a or later is required, which was therefore made a new minimum requirement in r1527294.

r1563420 | kbrand | 2014-02-01 15:04:23 +0100 (Sat, 01 Feb 2014) | 3 lines

enable auto curve selection for ephemeral ECDH keys when compiled against OpenSSL 1.0.2 or later

r1588851 | kbrand | 2014-04-21 08:39:24 +0200 (Mon, 21 Apr 2014) | 3 lines

ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the one actually used for the connection before calling SSL_get_privatekey(ssl)

r1666363 | jkaluza | 2015-03-13 08:32:46 +0100 (Fri, 13 Mar 2015) | 4 lines

* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used. SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free, otherwise eckey will not be freed.

r1679470 | ylavic | 2015-05-15 00:38:20 +0200 (Fri, 15 May 2015) | 5 lines

mod_ssl: follow up to r1527291.

Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was not yet included by default.

Reviewed by: ylavic, wrowe, rjung
Backported by: ylavic

Merge r1200040, r1200372, r1200374, r1213380 from trunk.

r1200040 | pquerna | 2011-11-10 00:37:37 +0100 (Thu, 10 Nov 2011) | 5 lines

Add support for RFC 5077 TLS Session tickets. This adds two new directives:

* SSLTicketKeyFile: To store the private information for the encryption of the ticket.
* SSLTicketKeyDefault: To set the default, otherwise the first listed token is used. This enables key rotation across servers.

r1200372 | pquerna | 2011-11-10 16:17:18 +0100 (Thu, 10 Nov 2011) | 4 lines

Apply ap_server_root_relative to the path used for the ticket secrets file.

Suggested by: Rüdiger Plüm

r1200374 | pquerna | 2011-11-10 16:19:15 +0100 (Thu, 10 Nov 2011) | 4 lines

Remove unneeded memcpy.

Spotted by: Rüdiger Plüm

r1213380 | kbrand | 2011-12-12 20:21:35 +0100 (Mon, 12 Dec 2011) | 9 lines

Streamline TLS session ticket key handling (added in r1200040):

- drop the SSLTicketKeyDefault directive, and only support a single ticket key per server/vhost
- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile, remove the keyname parameter
- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t
- configure the tlsext_ticket_key_cb only when in server mode
- add documentation for SSLSessionTicketKeyFile

Reviewed by: ylavic, wrowe, rjung
Backported by: ylavic

Merge r1650310, r1650320 from trunk.

Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on).

Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.

As long as we do not have a nice key management there should be a way to deactivate session tickets.

Fix copy and paste error in docs of new feature.

Committed by: rjung
Reviewed by: ylavic, rjung, gsmith
Backported by: ylavic

Extend the scope of SSLSessionCacheTimeout to sessions resumed by TLS session resumption (RFC 5077).

Merge r834378, r835046, r1040304, r1040373, r1090645, r1294306, r1509872, r1308862, r1509875 from trunk:

enable support for ECC keys and ECDH ciphers. Tested against OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme]

* Use correct #ifndef's to compile again on openssl 0.9.8 and fix compiler warnings.

Noted by: sf

Removed unused var.

Stop warning, init should be an int.

Remove unused variable

Initialize EC temporary key on server startup, as for DH and RSA. This fixes a race condition that could lead to a crash with threaded MPMs.

Mention ECC support

Submitted by: sctemme, rpluem, fuankg, drh, sf, sf, sf, jim, sf
Reviewed/backported by: jim

revert unintentional commit r1515537

2 votes in one proposal for 1082189 and 1 vote in another = approval

Merge r1400700:

Change default for SSLCompression to off, as compression causes security issues in most setups

Reviewed by sf, fuankg, rjung

The first release with SSLProxyMachineCertificateChainFile was 2.2.23, not 2.2.22.

grab r1487451 from trunk: s/proxy image/proxy/

add SSL_TLS_SNI to the list of variables

mod_ssl: Add new directive SSLCompression to disable TLS-level compression.

PR 53219.

Backport of r1345319 and r1348656 from trunk.

Submitted by: Bjoern Jacke <bjoern j3e de>, sf
Reviewed by: rjung, kbrand
Backported by: covener

s/it's/its/ and fix another minor error

mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive, adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.

Picked up comment edit, trusting openssl compilation state and current method which openssl uses to include opensslconf.h - if this should be refined, it needs to be refined for other openssl operations as well. Any #define OPENSSL_* for httpd alone would be invalid, these are all namespace protected by openssl.org project.

Submitted by: kbrand, wrowe
Backports: 1222921, 1222930, 1225476, 1225792
Reviewed by: sf, kbrand, rjung

mod_ssl: Add SSLProxyMachineCertificateChainFile directive, which uses openssl to construct a chain for each proxy cert. When a remote server requests a client certificate that is NOT the direct issuer of any available client certificate, the chain for that certificate will be used to trace it to a known CA and that client certificate will be used.

Submitted by: druggeri
Reviewed by: kbrand, rpluem
Backports: 1160863, 1162103, 1170833, 1172010, 1175946, 1242089

some more typo fixes

typo fixes

Applying patch from PR 53201

Backport r1308707 from trunk to 2.2 and rebuild.

Correct SSLCipherSuite + documentation (move rather than add)

As per https://issues.apache.org/bugzilla/show_bug.cgi?id=49562, remove references to a Makefile that no longer exists. If you are able to provide more details here, that would be great.

Typo

Clarify SSL/ENV variables, as per PR 50979

PR#48720: SSLProxyVerify is per-server, not per-directory.

Be a little more forceful regarding where to put SSLEngine On.

FakeBasicAuth, not FakeBasic

* Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper build of openssl is required for 'SSLFIPS on'.

PR: 46270 [Dr Stephen Henson <steve openssl.org>, William Rowe]

Trunk patch: http://svn.apache.org/viewvc?rev=925980&view=rev
http://svn.apache.org/viewvc?rev=926000&view=rev
http://svn.apache.org/viewvc?rev=926614&view=rev
http://svn.apache.org/viewvc?rev=926619&view=rev

2.2.x patch: http://people.apache.org/~wrowe/ssl-fips-2.2.patch

+1: wrowe

minfrin: Doesn't build on v2.2 until you add r926614. With r926614, +1.

wrowe: Added both of rpluem's proposed patches, 926614 and 926619

+1: drh, rjung, jim

rjung: We should add a note about the first version providing this option in the docs page, like e.g. we did for SSLInsecureRenegotiation.

wrowe asks: you mean <Compatibility> tag? Yes, of course.