ssl_engine_kernel.c

Merged /httpd/httpd/trunk:r1851621,1852128,1862075

*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.

Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.

Merge r1855849 from trunk:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Correctly
restore SSL verify state after PHA failure in TLSv1.3.

Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Reviewed by: jorton, covener, jim

Merge r1855349 from trunk:

mod_ssl: AH10129 from ERR to DEBUG level.
No error here, just debug information.

Submitted by: ylavic
Reviewed by: ylavic, rpluem, jorton

Merge r1830816, r1830836, r1842882, r1842884 from trunk:

* modules/ssl: Add some missing logno tags.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Simplify code, no functional change.

* modules/slotmem/mod_slotmem_shm.c (restore_slotmem): Remove
redundant assignment (clang warning), the apr_file_eof(fp)=>APR_EOF
case assigns rv to APR_EOF and then to APR_SUCCESS after already.

* modules/mappers/mod_negotiation.c (set_language_quality): Remove
redundant branch (warning from Coverity).

Submitted by: jorton
Reviewed by: jailletc36, icing, jorton, jim

*) mod_ssl: Fixes PR 62654 where "require ssl" did not work on HTTP/2
connections, and PR 61519 where $HTTPS was incorrect for the
"SSLEngine optional" case.

+1: jorton, jim, minfrin

mod_ssl: We need to get the SSL_CTX for further processing
down below.

This fixes a crash during SSL renegotiation with OptRenegotiate set,
when client certificates are available from the original handshake
but were originally not verified and should get verified now.

This is a regression in 2.4.36 (unreleased).

Backport of r1828793 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton

Merge r1842540 from trunk:

* Pickup the proxy related configuration for verify mode and verify depth and
not the configuration settings for frontend connections in case of
connections by the proxy to the backend.

PR: 62769


*) mod_ssl: downgrade logging of requests without SNI when SSLStrictSNIVHostCheck is on
(just a quality of life improvement for log-reading admins):

trunk: http://svn.apache.org/r1841446
trunk: http://svn.apache.org/r1841455

2.4.x branch: svn merge -c 1841446,1841455 ^/httpd/httpd/trunk .

+1: icing, minfrin, jim

Merge r1418761, r1418765, r1510295, r1757147, r1805163, r1818924, r1827374, r1831772, r1832351, r1832951, r1815004 from trunk:

Don't claim "BIO dump follows" if it is not logged due to log level config.

make ssl_io_data_dump respect per-conn loglevel

add high trace level log messages for debugging buffering and write completion

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SessionTicket): Fail
if RAND_bytes() fails; possible per API, although not in practice
with the OpenSSL implementation.

Fix typo in log message.

ap_add_common_vars(): use apr_pstrmemdup().
This avoids a transient replacement/restore of '?' by '\0' in r->filename.

Use 'ap_request_has_body()' instead of duplicating its implementation.

The logic in 'ap_request_has_body()' is:

    has_body = (!r->header_only
                && (r->kept_body
                    || apr_table_get(r->headers_in, "Transfer-Encoding")
                    || ( (cls = apr_table_get(r->headers_in, "Content-Length"))
                         && (apr_strtoff(&cl, cls, &estr, 10) == APR_SUCCESS)
                         && (!*estr)
                         && (cl > 0) )
                   )
               );

So the test is slightly different from the original code. (but this looks fine to me)

This also has the advantage to avoid a redundant call to 'apr_table_get()' and to improve readability.

While at it, move the test '!r->expecting_100' a few lines above because it is cheap.

PR62368: Print the unparsed URI in AH03454
... to include r->args and otherwise get as close as possible to
what came in over the wire.

Submitted By: Hank Ibell <hwibell gmail.com>
Committed By: covener

All error handling paths of this function call 'apr_brigade_destroy()', except this one.
So add it here too.

Probably spotted with the help of the Coccinelle software (Thx Julia for the patch and for Coccinelle)

See PR 53016

* modules/proxy/proxy_util.c (ap_proxy_share_worker): Skip creating subpool
for debugging unless debug-level logging is enabled. No functional change.

mod_watchdog: Correct some log messages and fix
compiler warning
"'rv' may be used uninitialized in this function".

Follow up to r1722154.

Submitted by: sf, jorton, jorton, ylavic, jailletc36, covener, jailletc36, jorton, rjung
Reviewed by: jailletc36, jim, jorton

Merge r1826995, r1827001 from trunk:

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a
certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing
Reviewed by: icing, ylavic, rpluem

fix a potential NULL dereference spotted by gcc 8.1.0

*) mod_ssl: fix a potential NULL dereference spotted by gcc 8.1.0

mod_http2: silence gcc strncpy warnings which break compilation in
maintainer mode with gcc 8.1.0

trunk patch: http://svn.apache.org/r1831231
http://svn.apache.org/r1831591
http://svn.apache.org/r1832934
http://svn.apache.org/r1832937

2.4.x patch: svn merge -c 1831231,1831591,1832934,1832937 ^/httpd/httpd/trunk .

+1: ylavic, icing, jailletc36 (by inspection)

Merge r1827865 from trunk:

Use 'ap_log_rerror()' instead of 'ap_log_error()' consistently

Submitted by: jailletc36
Reviewed by: jailletc36, jorton, ylavic

On the 2.4.x branch:

merge of 1804530,1804531,1805186,1806939,1807232,1808122 from trunk.

Backport of mod_md support in mod_ssl.

Merge r1736186 from trunk:

mod_ssl: return non ambiguous value in ssl_callback_SessionTicket() for
encryption mode (we used to return 0, OpenSSL documents returning 1 instead).

Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).

However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:

"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:

2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).

1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.

0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.

less than 0
This indicates an error.
"

So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).

Reported/Proposed by: oknet on github, pull request #18.
Reviewed by: jorton, ylavic, wrowe

[Closes #18]

Merge r1803392, r1803396, r1803398 from trunk:

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP
is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

Follow up to r1803396: CHANGES entry.

Reviewed by: ylavic, jim, covener

Merge r1788032, r1788033, r1783764, r1707512, r1783770 from trunk:

Save a few bytes in the conf pool.
'push_item' and 'add_alt' already duplicate their parameters, so we can safely use the temp_pool here.

Use 'ap_cstr_casecmp' to simplify code.

Remove useless case. We know that to can not be NULL at this point.

Follow up to r1772812: update APLOGNO().

* modules/ssl/ssl_engine_kernel.c: Constify the ssl_hook_Fixup_vars array itself.

winnt/service: each log message should use its own APLOGNO.

Submitted by: jailletc36, ylavic, jorton, ylavic
Reviewed by: jailletc36, covener, jim

Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:

Support OpenSSL 1.1.0

Proposed by: rjung
Reviewed by: wrowe, jorton, covener

Merge r1756542 from trunk:

mod_ssl: Fix quick renegotiation (OptRenegotiate) with no intermediate
in the client certificate chain. PR 55786.
This is done by handling an empty cert chain as no/NULL chain.

Submitted by: ylavic
Reviewed/backported by: jim

Merge r1756038 from trunk:

Fix spelling in comments and text files.
No functional change.

PR 59990

Submitted by: rjung
Reviewed/backported by: jim

Merge r1750779 from trunk:

modssl: reset client-verify state when renegotiation is aborted

Submitted by: icing
Reviewed/backported by: jim

mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
to opt-in previous behaviour (2.2) with CRLs verification when checking
certificate(s) with no corresponding CRL.

Submitted by: ylavic
Reviewed by: icing, minfrin

Merge r1684171 from trunk:

mod_ssl: when SSLVerify is disabled (NONE), don't force a renegotiation if
the SSLVerifyDepth applied with the default/handshaken vhost differs from
the one applicable with the finally selected vhost.

Submitted by: ylavic
Reviewed/backported by: jim

merging pre_close_connection hook, prep_lingering_close and ap_update_child() additions from trunk
Merge r1717816 from trunk:

Fix missing Upgrade headers on OPTION * requests, PR58688

Submitted by: wrowe
Reviewed/backported by: jim

Merge r1715255 from trunk:

Reviewed/backported by: jim

Merge r1708107, r1709587, r1709602, r1709995, r1710231, r1710419, r1710572, r1710583, r1715023 from trunk:

mod_ssl: performing protocol switch directly after ALPN selection, mod_http2: connection hook inits network filters to force TLS handshake, reads input only if H2Direct explicitly enabled, changes H2Direct default to off even for cleartext connections

new ap_is_allowed_protocol() for testing configured protocols, added H2Upgrade on/off directive, changed H2Direct default back to on when h2c is in Protocols

moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl

mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection

announce protocol choices on first request

fixing compilation issue for older platform

disabling protocol upgrades on slave connections

first request on master connection only reports more preferred protocols in Upgrade header

mod_ssl: follow up to r1709602.
Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to
process_connection hook (r1709602) along with H2Direct speculative read.

Submitted by: icing, ylavic
Reviewed/backported by: jim

merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.

Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

Follow up to r1705672.
Backport changes that somehow missed the backport process.
