ssl_engine_config.c

Checkout Tools
  • last updated 2 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Support compilation against libssl built with OPENSSL_NO_SSL3.

backport https://svn.apache.org/r1706008 from 2.4.x

Submitted by: kbrand

Reviewed by: ylavic, wrowe, covener

  1. … 6 more files in changeset.
Merge r1653997 from trunk.

r1653997 | ylavic | 2015-01-22 19:37:06 +0100 (Thu, 22 Jan 2015) | 7 lines

mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored

in virtualhost context (new version of r1653906 reverted by r1653993).

Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>

Committed/modified By: ylavic

Reviewed by: ylavic, wrowe, rjung

Backported by: ylavic

  1. … 4 more files in changeset.
Merge r1526168, r1527291, r1527295, r1563420, r1588851, r1666363, r1679470

r1526168 | kbrand | 2013-09-25 14:52:35 +0200 (Wed, 25 Sep 2013) | 21 lines

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

r1527291 | kbrand | 2013-09-29 11:36:31 +0200 (Sun, 29 Sep 2013) | 9 lines

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

r1527295 | kbrand | 2013-09-29 12:35:46 +0200 (Sun, 29 Sep 2013) | 20 lines

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

r1563420 | kbrand | 2014-02-01 15:04:23 +0100 (Sat, 01 Feb 2014) | 3 lines

enable auto curve selection for ephemeral ECDH keys

when compiled against OpenSSL 1.0.2 or later

r1588851 | kbrand | 2014-04-21 08:39:24 +0200 (Mon, 21 Apr 2014) | 3 lines

ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the

one actually used for the connection before calling SSL_get_privatekey(ssl)

r1666363 | jkaluza | 2015-03-13 08:32:46 +0100 (Fri, 13 Mar 2015) | 4 lines

* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.

SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,

otherwise eckey will not be freed.

r1679470 | ylavic | 2015-05-15 00:38:20 +0200 (Fri, 15 May 2015) | 5 lines

mod_ssl: follow up to r1527291.

Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for

SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was

not yet included by default.

Reviewed by: ylavic, wrowe, rjung

Backported by: ylavic

  1. … 12 more files in changeset.
Merge r1200040, r1200372, r1200374, r1213380 from trunk.

r1200040 | pquerna | 2011-11-10 00:37:37 +0100 (Thu, 10 Nov 2011) | 5 lines

Add support for RFC 5077 TLS Session tickets. This adds two new directives:

* SSLTicketKeyFile: To store the private information for the encryption of the ticket.

* SSLTicketKeyDefault To set the default, otherwise the first listed token is used. This enables key rotation across servers.

r1200372 | pquerna | 2011-11-10 16:17:18 +0100 (Thu, 10 Nov 2011) | 4 lines

Apply ap_server_root_relative to the path used for the ticket secrets file.

Suggested by: Rüdiger Plüm

r1200374 | pquerna | 2011-11-10 16:19:15 +0100 (Thu, 10 Nov 2011) | 4 lines

Remove unneeded memcpy.

Spotted by: Rüdiger Plüm

r1213380 | kbrand | 2011-12-12 20:21:35 +0100 (Mon, 12 Dec 2011) | 9 lines

Streamline TLS session ticket key handling (added in r1200040):

- drop the SSLTicketKeyDefault directive, and only support a single

ticket key per server/vhost

- rename the SSLTicketKeyFile directive to SSLSessionTicketKeyFile,

remove the keyname parameter

- move ticket key parameters from SSLSrvConfigRec to modssl_ctx_t

- configure the tlsext_ticket_key_cb only when in server mode

- add documentation for SSLSessionTicketKeyFile

Reviewed by: ylavic, wrowe, rjung

Backported by: ylavic

  1. … 8 more files in changeset.
Merge r1650310, r1650320 from trunk.

Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets

(RFC 5077). Default is unchanged (on).

Using session tickets without restarting

the web server with an appropriate frequency

(e.g. daily) compromises perfect forward

secrecy.

As long as we do not have a nice key management

there should be a way to deactivate session

tickets.

Fix copy and paste error in docs of new feature.

Committed by: rjung

Reviewed by: ylavic, rjung, gsmith

Backported by: ylavic

  1. … 7 more files in changeset.
r954641: Fix some compiler warnings:

  1. … 1 more file in changeset.
fix a few indentation oddities which are already resolved in 2.4.x
  1. … 1 more file in changeset.
mod_ssl: Add new directive SSLCompression to disable

TLS-level compression.

PR 53219.

Backport of r1345319 and r1348656 from trunk.

Submitted by: Bjoern Jacke <bjoern j3e de>, sf

Reviewed by: rjung, kbrand

Backported by: covener

  1. … 6 more files in changeset.
mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit

control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,

adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.

Picked up comment edit, trusting openssl compilation state and current

method which openssl uses to include opensslconf.h - if this should be

refined, it needs to be refined for other openssl operations as well.

Any #define OPENSSL_* for httpd alone would be invalid, these are all

namespace protected by openssl.org project.

Submitted by: kbrand, wrowe

Backports: 1222921, 1222930, 1225476, 1225792

Reviewed by: sf, kbrand, rjung

  1. … 8 more files in changeset.
mod_ssl: Add SSLProxyMachineCertificateChainFile directive uses openssl

to construct a chain for each proxy cert. When a remote server requests

a client certificate that is NOT the direct issuer of any available client

certificate, the chain for that certificate will be used to trace it to a

known CA and that client certificate will be used.

Submitted by: druggeri

Reviewed by: kbrand, rpluem

Backports: 1160863,1162103,1170833,1172010,1175946,1242089

  1. … 9 more files in changeset.
mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.

Submitted by: sf

Reviewed by: trawick, wrowe

  1. … 5 more files in changeset.
* Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all

builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper

build of openssl is required for 'SSLFIPS on'.

PR: 46270 [Dr Stephen Henson <steve openssl.org>, William Rowe]

Trunk patch: http://svn.apache.org/viewvc?rev=925980&view=rev

http://svn.apache.org/viewvc?rev=926000&view=rev

http://svn.apache.org/viewvc?rev=926614&view=rev

http://svn.apache.org/viewvc?rev=926619&view=rev

2.2.x patch: http://people.apache.org/~wrowe/ssl-fips-2.2.patch

+1: wrowe

minfrin: Doesn't build on v2.2 until you add r926614. With r926614, +1.

wrowe: Added both of rpluem's proposed patched, 926614 and 926619

+1: drh, rjung, jim

rjung: We should add a note about the first version providing this

option in the docs page, like e.g. we did for SSLInsecureRenegotiation.

wrowe asks; you mean <Compatibility> tag? Yes, of course.

  1. … 6 more files in changeset.
Revert premature commit, sorry. It's time to stop using -m :/

Of course r925983 is one more way to review this patch,

if you like.

  1. … 5 more files in changeset.
pick a number, 1 to 1m
  1. … 6 more files in changeset.
Backport:

mod_ssl: Add SSLInsecureRenegotiation directive.

+1: jorton, trawick, minfrin

  1. … 8 more files in changeset.
* mod_ssl: Add server name indication support (RFC 4366) and better

support for name based virtual hosts with SSL. PR 34607

  1. … 10 more files in changeset.
Backport of r760866:

* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable

stricter checking of remote server certificates.

(docs/manual/mod/mod_ssl.xml)

Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.

(modules/proxy/mod_proxy_http.c)

Set the hostname of the request URL as note on the connection.

(modules/ssl/ssl_private.h)

Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to

the SSLSrvConfigRec.

(modules/ssl/ssl_engine_config.c)

Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.

(modules/ssl/ssl_engine_io.c)

Check whether the remote servers certificate is expired / if there is a

mismatch between the requested hostanme and the remote server certificates

CN field.

Be able to parse ASN1 times.

(modules/ssl/mod_ssl.c)

Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.

Submitted by: rpluem

Reviewed by: rpluem, jim, jfclere

  1. … 7 more files in changeset.
Merge r726109, r733465, r733467, r733695 from trunk:

mod_ssl: Make the size of the per-dir-reneg request-body buffer

configurable, by popular demand:

* modules/ssl/ssl_private.h: Define DEFAULT_RENEG_BUFFER_SIZE.

(SSLDirConfigRec): Add nRenegBufferSize field.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRenegBufferSize): New

function.

(ssl_config_perdir_create, ssl_config_perdir_merge): Handle

nRenegBufferSize.

* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Take max buffer

size as an argument rather than compile-time constant.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass

nRenegBufferSize to ssl_io_buffer_fill.

* modules/ssl/mod_ssl.c (ssl_config_cmds): Add SSLRenegBufferSize.

PR: 39243

* Correctly merge SSLRenegBufferSize directive.

PR: 46508

Submitted by: <tlhackque yahoo.com>

Reviewed by: rpluem, jorton, pgollucci

* Add a stub documentation for SSLRenegBufferSize.

* docs/manual/mod/mod_ssl.xml: Flesh out SSLRenegBufferSize

docs a little - thanks rpluem!

  1. … 8 more files in changeset.
Reverse PKCS#7 patch.

  1. … 5 more files in changeset.
Add PKCS#7 support.

  1. … 5 more files in changeset.
update license header text
  1. … 339 more files in changeset.
Revert r395231 from the 2.2.x branch. This gets us back to the old place with regard to the copyright statements.

  1. … 828 more files in changeset.
Update the last year of copyright for the 2.2.x branch

  1. … 828 more files in changeset.
No functional change: remove trailing whitespace. This also means

that "blank" lines, which had consisted of just spaces

and/or tabs are now truly blank lines

  1. … 175 more files in changeset.
No functional change: detab all indenting to be consistent

with our formatting standards.

  1. … 69 more files in changeset.