ssl_engine_io.c

Checkout Tools
  • last updated 6 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates

Changeset 1542327 is being indexed.

Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y

functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether

they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward

#ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

PR 55616 (add missing APLOGNO), part 2

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 24 more files in changeset.
Merge r1470679, r1477094 from trunk:

core, mod_ssl: Lift the restriction that prevents mod_ssl taking

full advantage of the event MPM. Enable the ability for a module

to reverse the sense of a poll event from a read to a write or vice

versa.

Update the docs to note that SSL now works with the event MPM as per r1470679.

Submitted by: minfrin

Reviewed/backported by: jim

  1. … 11 more files in changeset.
Merge r1425874, r1426850 from trunk:

mod_ssl: add support for subjectAltName-based host name checking in proxy mode

(PR 54030)

factor out code from ssl_engine_init.c:ssl_check_public_cert()

to ssl_util_ssl.c:SSL_X509_match_name()

introduce new SSLProxyCheckPeerName directive, which should eventually

obsolete SSLProxyCheckPeerCN

ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication

when aborting with HTTP_BAD_GATEWAY

Fix warning about discarding 'const' qualifier from pointer

Submitted by: kbrand, sf

Reviewed/backported by: jim

  1. … 12 more files in changeset.
Merge r1375584 from trunk:

* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a

wildcard common name match.

PR: 53006

Submitted by: jorton

Reviewed/backported by: jim

  1. … 2 more files in changeset.
Merge r1328325, r1328326:

When receiving http on https, send the error response with http 1.0

It is important that we send a proper error status, or search engines

may index the error message.

Remove the link in the speaking-http-on-https error message.

With SNI, the link will usually be wrong. So better send no link at all.

PR: 50823

Reviewed by: sf, jorton, trawick

  1. … 5 more files in changeset.
Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG

to TRACE1-3

  1. … 164 more files in changeset.
merge r1203491 from trunk:

drop SSLv2 support (set SSL_OP_NO_SSLv2 for any new SSL_CTX)

  1. … 6 more files in changeset.