ssl_engine_init.c

Merged /httpd/httpd/trunk:r1864428 from trunk

*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration

  1. … 2 more files in changeset.
Merged /httpd/httpd/trunk:r1851621,1852128,1862075

*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for adding certificates and keys to a virtual host. An additional hook allows answering special TLS connections as used in ACME challenges.

Adding 2 new hooks for init/get of OCSP stapling status information when other modules want to provide those. Falls back to own implementation with same behaviour as before.

  1. … 6 more files in changeset.
Merge of r1853133,r1853166 from trunk:

mod_ssl: Don't unset FIPS mode on restart unless it's forced by configuration (SSLFIPS on) and not active by default in OpenSSL. PR 63136.

  1. … 3 more files in changeset.
Merge r1830816, r1830836, r1842882, r1842884 from trunk:

* modules/ssl: Add some missing logno tags.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Simplify code, no functional change.

* modules/slotmem/mod_slotmem_shm.c (restore_slotmem): Remove redundant assignment (clang warning), the apr_file_eof(fp)=>APR_EOF case assigns rv to APR_EOF and then to APR_SUCCESS after already.

* modules/mappers/mod_negotiation.c (set_language_quality): Remove redundant branch (warning from Coverity).

Submitted by: jorton

Reviewed by: jailletc36, icing, jorton, jim

  1. … 6 more files in changeset.
mod_ssl: Fixes PR 62880 where certificate loading fails bc SSL ERRs are not cleared beforehand.

+1: icing, jim, minfrin

  1. … 4 more files in changeset.
  1. … 8 more files in changeset.
mod_ssl: follow up to 2.4.x's r1666363.

Add missing bits from previous backport of r1666363.

Reviewed by: jailletc36, ylavic, rpluem

Merge r1826995, r1827001 from trunk:

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing

Reviewed by: icing, ylavic, rpluem

  1. … 8 more files in changeset.
Merge r1829513 from trunk:

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Don't enable SSL for a vhost if SSLEnable is not used and no certs are configured, even if the Listen protocol is "https". Restores behaviour to that prior to r1809303 for configs which would now otherwise fail at startup.

Submitted by: jorton

Reviewed by: jorton, jim, ylavic

  1. … 2 more files in changeset.
  1. … 30 more files in changeset.
On the 2.4.x branch:

Merged /httpd/httpd/branches/2.4.x-mod_md:r1816423-1821089

Merged /httpd/httpd/trunk:r1804530-1804531,1804542,1804545,1804671,1804759,1804787,1804975,1805180,1805192,1805194,1805256,1805294,1805373,1806939,1807228,1807347,1807577,1807593,1807774,1807777,1808005,1808092,1808100,1808241-1808243,1808249,1808444,1809719,1809888,1810723,1811082,1811812,1812193,1812517-1812518,1812999,1813642,1814720,1814939,1815005,1815078,1815264,1815370,1815483,1816055,1816154,1816156,1816552,1816558,1816970,1817023,1817777,1817785,1818120,1818122,1818308,1818725,1818792,1818849

Merged mod_md from trunk via 2.4.x-mod_md branch.

  1. … 14 more files in changeset.
On the 2.4.x branch:

merge of 1804530,1804531,1805186,1806939,1807232,1808122 from trunk.

Backport of mod_md support in mod_ssl.

  1. … 5 more files in changeset.
Merge r1803392, r1803396, r1803398 from trunk:

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

Follow up to r1803396: CHANGES entry.

Reviewed by: ylavic, jim, covener

  1. … 10 more files in changeset.
Merge r1781575, r1781577, r1781580, r1781687, r1783305 from trunk:

Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

Add back the file I removed in r1781575.

Add missing documentation for r1781575

Fix for PR 46037

Remove unused variable

Fix OpenSSL 1.1.0 breakage in r1781575; BIO_s_file_internal() is gone.

Submitted by: jfclere, druggeri, wrowe

Reviewed by: jfclere, jim, ylavic

Merge r1788430 from trunk:

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested by wrowe.

Submitted by: ylavic

Reviewed by: jfclere, jim, ylavic

  1. … 10 more files in changeset.
Merge r1781187, r1781190, r1781312 from trunk:

mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.

mod_ssl: follow up to r1781187.

The ssl_util_thread_*() functions are not necessary with openssl-1.1+

mod_ssl: follow up to r1781187.

Address SSL_CTX leak in (merged) proxy_ctx.

Reviewed by: ylavic, jim, wrowe

  1. … 7 more files in changeset.
Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:

Support OpenSSL 1.1.0

Proposed by: rjung

Reviewed by: wrowe, jorton, covener

  1. … 15 more files in changeset.
Merge r1756038 from trunk:

Fix spelling in comments and text files.

No functional change.

PR 59990

Submitted by: rjung

Reviewed/backported by: jim

  1. … 72 more files in changeset.
mod_ssl: Don't enable CRL checks/flags by default.

(follow up/fix to r1748338 committed in 2.4.21)

Submitted by: ylavic

Reviewed by: icing, minfrin

  1. … 2 more files in changeset.
mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL.

Submitted by: ylavic

Reviewed by: icing, minfrin

  1. … 8 more files in changeset.
Merge r1587607, r1588868 from trunk:

mod_ssl: Add hooks to allow other modules to perform processing at several stages of initialization and connection handling. See mod_ssl_openssl.h.

This is enough to allow implementation of Certificate Transparency outside of mod_ssl.

Initialize post_handshake_rc for case where a failure has already occurred (doesn't change execution but avoids warning with some levels of gcc).

Pointed out by: kbrand

Submitted by: trawick

Reviewed/backported by: jim

  1. … 12 more files in changeset.
Merge r1720129, r1723295, r1733088, r1733089 from trunk:

* mod_ssl: Free dhparams when getting DH params. This fixes issue when SSLCryptoDevice does not get unregistered because of non-zero refcount during the mod_ssl unload happening on httpd startup.

mod_ssl: follow up to r1720129.

Free ecparams read from certificate file(s) on startup.

Follow up to r1720129 and r1723295: CHANGES entry.

Rephrase r1733088 since leaking means horrible things in cryptography.

This is not a security fix :p

Submitted by: jkaluza, ylavic, ylavic, ylavic

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Add APLOGNO, first chunk (those that were detected by coccinelle).

There are some more but they are easier to backport once these here are applied.

Backport of r1725392, r1725394, r1725395 and r1725468 from trunk.

Submitted by: rjung

Reviewed by: jim, ylavic

  1. … 38 more files in changeset.
merge r1703952 from trunk

Support compilation against libssl built with OPENSSL_NO_SSL3, and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3", in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand

Reviewed by: ylavic, jorton

  1. … 8 more files in changeset.
merge r1702643 from trunk

Append :!aNULL:!eNULL:!EXP to the cipher string settings, instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7 and later). Enables support for configuring the SUITEB* cipher strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand

Reviewed by: ylavic, jorton

  1. … 5 more files in changeset.
merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151, r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832, r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand

Reviewed by: ylavic, jorton

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2, and SSL_set_app_data2 from SSL_* to modssl_*. Update references in README.dsov.* files. Rename static variable SSL_app_data2_idx to just app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside ssl_util_ssl.c (no callers outside this file). The new static function name chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_ nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.

Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

  1. … 13 more files in changeset.
Merge r1697855, r1697339, r1696428, r1696266, r1696264, r1695874, r1695727, r1692516, r1692486, r1610674, r1685069, r1693918, r1698116, r1698133, r1694950, r1700968, r1701005, r1701145, r1701178 from trunk:

adding ap_get_protocol(c) which safeguards against NULL returns, for use instead of direct calling ap_run_protocol_get

changed Protocols to let vhosts override servers, removed old H2Engine example from readme

creating ap_array_index in util, forwarding scheme into request processing, enabling SSL vars only when scheme is not http:, delayed connection creation until task worker assignment

removed unnecessary lingering_close and sbh update on end of protocol upgrade handling

introducing ap_array_index in util, used in protocol and mod_h2

fixes existing protocol missing in selection if not explicitly proposed

new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging

removed accidental code

new Protocols directive and core API changes to enable protocol switching on HTTP Upgrade or ALPN, implemented in mod_ssl and mod_h2

SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy configuration, a remote attacker could send a carefully crafted request which could crash a server process, resulting in denial of service.

Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting this issue.

* server/util.c (ap_parse_token_list_strict): New function.

* modules/proxy/proxy_util.c (find_conn_headers): Use it here.

* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Send a 400 for a malformed Connection header.

Submitted by: Edward Lu, breser, covener

http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code for clients requesting a hostname on a reused connection whose SNI (from the TLS handshake) does not match.

PR 5802.

This allows HTTP/2 clients to fall back to a new connection as per:

https://tools.ietf.org/html/rfc7540#section-9.1.2

Proposed by: Stefan Eissing <stefan eissing.org>

Reviewed by: ylavic

c89

Allowing protocol_propose hooks to be called with offers=NULL, clarifying semantics as proposed by chaosed0@gmail.com

giving ap_array_index a start parameter, adding ap_array_contains

ap_process_request needs exportation for use in mod_h2 on Windows

final final change to the new ap_array_str_* functions after review

changed Protocols default to http/1.1 only, updated documentation, changed ap_select_protocol() to return NULL when no protocol could be agreed upon

mod_ssl: fix compiler warning (bad cast).

improvements in ap_select_protocol(), supplied by yann ylavic

Submitted by: icing, jorton, ylavic, covener, icing, icing, gsmith, icing, icing, ylavic, icing

Reviewed/backported by: jim

  1. … 16 more files in changeset.
mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.

SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free, otherwise eckey will not be freed.

Backports: r1666363

Author: jkaluza

Reviewed by: rjung, ylavic, wrowe

  1. … 2 more files in changeset.
Merge r1679470 from trunk:

mod_ssl: follow up to r1527291.

Always prepend "!aNULL:!eNULL:" to SSL_DEFAULT_CIPHER_LIST (default for SSL[Proxy]CipherSuite) since we support OpenSSL versions where this was not yet included by default.

Submitted by: ylavic

Reviewed/backported by: jim

  1. … 2 more files in changeset.
Merge r1673455 from trunk:

mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a feature check for libressl.

Submitted by: Stuart Henderson <sthen openbsd.org>

Reviewed by: covener, trawick, ylavic

  1. … 3 more files in changeset.
Merge r1650310 and r1650320 from trunk:

mod_ssl: Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets (RFC 5077).

Default is unchanged (on).

Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. As long as we do not have a nice key management there needs to be a way to deactivate the use of session tickets.

Submitted by: rjung

Reviewed by: rjung, covener, ylavic

Backported by: rjung

  1. … 7 more files in changeset.