ssl_engine_config.c

mod_ssl: Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.

The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.

This fixes a regression likely introduced in r1740928 (backported in r1824187).

Backport of r1844002 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton

… 2 more files in changeset.
… 8 more files in changeset.

Merge r1826995, r1827001 from trunk:

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a
certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing
Reviewed by: icing, ylavic, rpluem

… 8 more files in changeset.

Merge r1828390 from trunk:

mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections.
Regression introduced in 2.4.30. PR 62232.

The proxy SSL_CTX was not inherited from the vhost (the only available in
2.4.29) in/for any directory context besides <Proxy>...

Mostly debugged and fixed by Rainer, thanks!

Submitted by: ylavic
Reviewed by: ylavic, rpluem, jim

… 3 more files in changeset.
… 30 more files in changeset.

Merge r1556473 from trunk:

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCompression): Fail if
enabled *and* if OpenSSL does not make any compression methods
available. Tweak wording for failure without SSL_OP_NO_COMPRESSION.

Submitted by: jorton
Reviewed by: jorton, jim, ylavic

… 2 more files in changeset.

Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:

Add Configuration for trusted OCSP responder certificates
Fix for PR 46037

Add back the file I removed in r1781575.

Add missing documentation for r1781575
Fix for PR 46037

Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.

Submitted by: jfclere, druggeri, wrowe
Reviewed by: jfclere, jim, ylavic

Merge r1788430 from trunk:

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.

Submitted by: ylavic
Reviewed by: jfclere, jim, ylavic

… 10 more files in changeset.

Merge r1781187, r1781190, r1781312 from trunk:

mod_ssl: work around leaks on (graceful) restart.
Tested with valgrind and --with-ssl shared/static.

mod_ssl: follow up to r1781187.
The ssl_util_thread_*() functions are not necessary with openssl-1.1+

mod_ssl: follow up to r1781187.
Address SSL_CTX leak in (merged) proxy_ctx.

Reviewed by: ylavic, jim, wrowe

… 7 more files in changeset.

mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
to opt-in previous behaviour (2.2) with CRLs verification when checking
certificate(s) with no corresponding CRL.

Submitted by: ylavic
Reviewed by: icing, minfrin

… 8 more files in changeset.

Merge r1726881, r1727111 from trunk:

* Introduce SSLOCSPProxyURL in order to do OCSP requests via an HTTP proxy.
Documentation to follow.

* Change entry and documentation for SSLOCSPProxyURL

Submitted by: rpluem
Reviewed/backported by: jim

… 6 more files in changeset.

backport of r1718514,1721313

… 4 more files in changeset.

Merge r1715273 from trunk:

Save a few bytes in conf pool.

Submitted by: jailletc36
Reviewed/backported by: jim

… 2 more files in changeset.

merge r1703952 from trunk

Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton

… 8 more files in changeset.

merge r1702643 from trunk

Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton

… 5 more files in changeset.

merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

… 13 more files in changeset.

Merge r1685779 from trunk:

mod_ssl: Remove deprecated SSLCertificateChainFile warning.

Submitted by: ylavic
Reviewed/backported by: jim

… 3 more files in changeset.

Merge r1679032, r1679192, and r1680276 from trunk:

r1679032:
mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:
Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it. (A further, unrelated
code change to mod_ssl is required to allow the use of memcache
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

r1679192:
Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:
OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton

… 7 more files in changeset.

fix bld, still SSL_LIBRARY_NAME in this branch.

Merge r1674542, r1675410, r1676842 from trunk:

mod_ssl: Check for RAND_egd() at configure time and only use it if present.
Fixes the build with LibreSSL which does not provide this function.

Submitted by: Bernard Spil <pil.oss gmail com>, stsp
Committed by: stsp

mod_ssl: Make the config parser complain if SSLRandomSeed specifies
the Entropy Gathering Daemon (EGD) as source while the underlying
SSL library does not support EGD (e.g. in case of LibreSSL).

Suggested and reviewed by: kbrand

Follow up to r1674542 and r1675410: CHANGES entry.

Submitted by: stsp, ylavic
Reviewed/backported by: jim

… 5 more files in changeset.

Merge r1676085 from trunk:

consistently output SSLCertificateChainFile deprecation warnings

Submitted by: kbrand
Reviewed/backported by: jim

… 3 more files in changeset.

Merge r1520445, r1672985, r1672989, r1673769 from trunk:

Add a warning if protocol given in SSLProtocol or SSLProxyProtocol will override other parameters given in the same directive.
This could be a missing + or - prefix.
PR 52820

Tweak log message

Add CHANGES entry before backport proposal

Follow-up to r1520445:
Tweak error message for clarity

Submitted by: jailletc36, trawick
Reviewed/backported by: jim

… 3 more files in changeset.

Merge r1653997 from trunk:

mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
in virtualhost context (new version of r1653906 reverted by r1653993).

Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic

Submitted by: ylavic
Reviewed/backported by: jim

… 4 more files in changeset.

Merge r1650310 and r1650320 from trunk:

mod_ssl: Add SSLSessionTickets (on|off).
It controls the use of TLS session tickets (RFC 5077).
Default is unchanged (on).

Using session tickets without restarting the web server with
an appropriate frequency (e.g. daily) compromises perfect forward
secrecy. As long as we do not have a nice key management
there needs to be a way to deactivate the use of session tickets.

Submitted by: rjung
Reviewed by: rjung, covener, ylavic
Backported by: rjung

… 7 more files in changeset.

Merge r1537535 from trunk:

For better compatibility with mod_nss:

* modules/ssl/ssl_engine_config.c (ssl_config_server_new): Default
sc->enabled to UNSET.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Only override
sc->enabled based on the protocol iff sc->enabled is UNSET; allows
"SSLEngine off" to override the Listen-based default.

Submitted by: jorton
Reviewed/backported by: jim

… 3 more files in changeset.

Merge r1583191, r1584098, r1584665, r1591401 from trunk:

mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.

mod_ssl: follow up to r1583191.
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition).

Remove SSLOCSPUseRequestNonce OpenSSL-0.9.7 requirement (0.9.8 already required by httpd-2.4) and set availability to 2.5-dev until further notice.

mod_ssl: follow up to r1583191.
Use type BOOL for modssl_ctx_t's field ocsp_use_request_nonce.
Suggested by: kbrand.

Submitted by: ylavic
Reviewed/backported by: jim

… 6 more files in changeset.

restore argument structure for exec-type SSLPassPhraseDialog
programs, and implement a special merging algorithm for
SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7

… 5 more files in changeset.

Merge r1585919 from trunk:

Reverse the order when merging global and vhost-level config arrays.
Putting the vhost-level elements last allows overriding global settings
(for the deprecated SSLRequire directive, the order is irrelevant,
all of them must be met, cf. ssl_engine_kernel.c:ssl_hook_Access).

Submitted by: kbrand
Reviewed/backported by: jim

… 3 more files in changeset.

Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk:

Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:

ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
  and keys (in theory; currently OpenSSL does not support more than
  one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
  ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
  OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
  ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
  and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
  previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
  make it only load a single (encrypted) private key, and rename
  to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
  instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type
  passphrase prompting programs

ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
  and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey

CodeWarrior compiler doesn't allow vars as struct inits.

Remove per-certificate chain handling code (obsoleted by
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)

make the ppcb_arg initialization a bit more uniform and easier to read

Followup fix for r1553824:
also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first

With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on
SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.

update APLOGNO for r1564760

Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand
Reviewed/backported by: jim

… 14 more files in changeset.

Backport r1544784 from trunk:

Remove SSLPKCS7CertificateFile support:

- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
  be trivially converted to a file for use with SSLCertificateChainFile
  (concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
  non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
  were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
  call missing from modssl_ctx_cfg_merge

Proposed by: kbrand
Reviewed by: covener, druggeri

… 7 more files in changeset.

merge r1555423 from trunk:

fix typo in error message

… 1 more file in changeset.