ssl_engine_vars.c

Merge r1822931, r1827783 from trunk:

* modules/loggers/mod_logio.c (logio_pre_config): Remove pointless

static in optional fn pointer variable declaration.

* modules/ssl/ssl_engine_vars.c (ssl_var_log_config_register):

Likewise.

Fix a potential compiler warning about uninitialized variable.

PR 59821

Submitted by: jorton, jailletc36

Reviewed by: jailletc36, jorton, ylavic

Merge r1811976 from trunk:

Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing

users to convert an attribute value without conversion to UTF-8. (A

public CA has issued certs with attributes tagged as the wrong ASN.1

string types.)

* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from

asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as

macro.

(modssl_X509_NAME_ENTRY_to_string): Add raw argument.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw

string conversion if _RAW suffix is present in DN component.

Submitted by: jorton

Reviewed by: jorton, jim, ylavic

Merge r1803392, r1803396, r1803398 from trunk:

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP

is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with

all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for

anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

Follow up to r1803396: CHANGES entry.

Reviewed by: ylavic, jim, covener

Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:

Support OpenSSL 1.1.0

Proposed by: rjung

Reviewed by: wrowe, jorton, covener

Merge r1756038 from trunk:

Fix spelling in comments and text files.

No functional change.

PR 59990

Submitted by: rjung

Reviewed/backported by: jim

Merge r1729930, r1729931 from trunk:

hostname: Test and log useragent_host per-request across various modules,

including the scoreboard, expression and rewrite engines, setenvif,

authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.

PR55348 [William Rowe]

This is the complete change set which applies cleanly to 2.4.x as well,

the server/scoreboard.c will follow, which does not apply due to drift.

A rather ugly patch since the code was refactored recently to exclude

the simple patch for 2.4.x, illustrated below.

Completes the changeset r1729930 and resolves all 2.4.19-dev corrections,

but other 2.5.0-dev specific changes may still be needed on trunk.

--- server/scoreboard.c (revision 1729907)

+++ server/scoreboard.c (working copy)

@@ -491,9 +491,8 @@

ws->conn_bytes = 0;

}

if (r) {

- const char *client = ap_get_remote_host(c, r->per_dir_config,

- REMOTE_NOLOOKUP, NULL);

- if (!client || !strcmp(client, c->client_ip)) {

+ const char *client;

+ if (!(client = ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL))) {

apr_cpystrn(ws->client, r->useragent_ip, sizeof(ws->client));

}

else {
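Review bot: the new condition in the `if (r)` block only tests for a NULL return from `ap_get_useragent_host(r, REMOTE_NOLOOKUP, NULL)`, while the removed lines also fell back to copying the address when the lookup result merely equalled the client address (`!strcmp(client, c->client_ip)`). If `ap_get_useragent_host` can hand back the address string instead of a hostname, that case now takes the `else` branch; please confirm the `else` branch (cut off in this hunk) copies the same value, or keep an explicit equality test against `r->useragent_ip` next to the NULL check. The assignment inside the `if` condition would also read more clearly as a separate statement, in line with the surrounding code.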

Submitted by: wrowe

Reviewed/backported by: jim

Merge r1717958 from trunk:

using c->master for ssl var lookups when c holds no valid SSLConnRec. Fixes PR58666.

Submitted by: icing

Reviewed/backported by: jim

Merge r1708107, r1709587, r1709602, r1709995, r1710231, r1710419, r1710572, r1710583, r1715023 from trunk:

mod_ssl: performing protocol switch directly after ALPN selection, mod_http2: connection hook inits network filters to force TLS handshake, reads input only if H2Direct explicitly enabled, changes H2Direct default to off even for cleartext connections

new ap_is_allowed_protocol() for testing configured protocols, added H2Upgrade on/off directive, changed H2Direct default back to on when h2c is in Protocols

moved ssl handshake trigger from mod_http2 to new process_connection hook in mod_ssl

mod_ssl: check request-server for TLS settings compatible to handshake server, allow request if equal, renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection

announce protocol choices on first request

fixing compilation issue for older platform

disabling protocol upgrades on slave connections

first request on master connection only reports more preferred protocols in Upgrade header

mod_ssl: follow up to r1709602.

Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to

process_connection hook (r1709602) along with H2Direct speculative read.

Submitted by: icing, ylavic

Reviewed/backported by: jim

Extend expression parser registration to support

ssl variables in any expression using

mod_rewrite syntax "%{SSL:VARNAME}" or function

syntax "ssl(VARNAME)".

Backport of r1707002 and r1709596 from trunk.

Committed By: rjung

Backported By: rjung

Reviewed by: rjung, ylavic, sf

merge r1693792 from trunk

Add support for extracting the msUPN and dnsSRV forms

of subjectAltName entries of type "otherName" into

SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment

variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the

environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the

SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which

currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and

"id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and

adapt modssl_X509_getSAN to take an optional otherName form

argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form

OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

Proposed by: kbrand

Reviewed by: ylavic, jorton

merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,

r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,

r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand

Reviewed by: ylavic, jorton

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,

and SSL_set_app_data2 from SSL_* to modssl_*. Update references in

README.dsov.* files. Rename static variable SSL_app_data2_idx to just

app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside

ssl_util_ssl.c (no callers outside this file). The new static function name

chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_

nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to

modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the

file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller

ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.

Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c

and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c

and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

Merge r1650047 from trunk:

Add support for extracting subjectAltName entries of type

rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n

variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the

environment variables table

* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction

of subjectAltName entries for the "StdEnvVars" case

* modules/ssl/ssl_engine_vars.c: add support for retrieving the

SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with

individual on-demand lookup (ssl_var_lookup_ssl_cert_san),

or with full-list extraction to the environment ("StdEnvVars")

* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype

* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and

SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common

code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where

suitable. Limit SSL_X509_getSAN to the two most common subjectAltName

entry types appearing in user or server certificates (i.e., rfc822Name

and dNSName), for the time being.

* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8

and SSL_X509_getSAN prototypes

Proposed by: kbrand

Reviewed by: ylavic, druggeri

Merge r1661258 from trunk:

mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides

a combination of certificate serialNumber and issuer as defined by

CertificateExactMatch in RFC4523.

Submitted by: minfrin

Reviewed/backported by: jim

Merge r1630947, r1645670 from trunk

* mod_ssl: Check if we are having an SSL connection before looking up SSL

related variables during expression evaluation to avoid a crash.

If not return NULL as ssl_var_lookup_ssl does by default. PR 57070

Submitted by: rpluem

Reviewed by: jailletc36, ylavic, covener

Backported by: jailletc36

Merge r1597642, r1608999, r1605207, r1610366, r1610353, r1611871 from trunk:

Rename module name in doxygen + partly revert r832442 which skipped doxygen doc generation for 'mod_watchdog.h'

s/apr_pstrndup/apr_pstrmemdup/ to save a few cycles

Use ap_remove_input_filter_byhandle instead of duplicating the code.

Remove some 'register' in variable declaration.

Remove some 'register' in variable declaration.

Save a few cycles by calling 'apr_isalnum' instead of 'apr_isalpha' and 'apr_isdigit'.

Do not use deprecated define.

No change in generated code because MODULE_MAGIC_NUMBER is defined as:

#define MODULE_MAGIC_NUMBER MODULE_MAGIC_NUMBER_MAJOR

Submitted by: jailletc36

Reviewed/backported by: jim

Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y

functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether

they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward

#ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

PR 55616 (add missing APLOGNO), part 2

Submitted by: kbrand

Reviewed/backported by: jim

Add support for TLS-SRP (Secure Remote Password key exchange

for TLS, RFC 5054).

Including some improvements as suggested by Kaspar

PR: 51075

Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou,

Peter Sylvester

Backported by: sf

Reviewed by: sf, minfrin, rjung

Backports of r1347980 and r1348653 from trunk.

Merge r1337344, r1378178, r1397636, r1398025, r1398040, r1398481, r1407004, r1407006, r1407088, r1407528 from trunk:

* support/suexec.c: Add gcc format-string attributes to logging

functions.

(main): Always print uid/gid as unsigned long, and cast to avoid

warnings (which somewhat defeats the point of the format string

attrs, but is necessary since the size of gid/uid varies).

remove an unnecessary check in a nested loop of ap_create_environment()

s/;;/;/

No need to test for NULL before calling apr_pstrdup.

No need for apr_pcalloc here, the memory is fully initialized on the line just after

cppCheck: unreadVariable - 'serviceFlag' is not used in the function, so remove it

Remove unused code. "Next week" hasn't happened in the last 10 years or so.

log client error at level debug, log broken Host header value

remove some more old unused code

remove obsolete comment from 1.3 days

Submitted by: jorton, pqf, jailletc36, jailletc36, jailletc36, jailletc36, sf, sf, sf, sf

Reviewed/backported by: jim

merge r1222917 from trunk:

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1

or later, so that mod_ssl retains binary compatibility with future

versions when internal structures are changed. Use API functions

where available, and fall back to direct access for OpenSSL up

to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was

never used by any released version of mod_ssl.

Backport:

Further clarify the naming of the entity that originates the request by

calling that entity a useragent instead of a client.

Further clarify the naming of the entity that directly connects to us by

calling that entity a client instead of a peer.

Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG

to TRACE1-3

Backport:

Introduce a per request version of the remote IP address, which can be

optionally modified by a module when the effective IP of the client

is not the same as the real IP of the client (such as a load balancer).

Introduce a per connection "peer_ip" and a per request "client_ip" to

distinguish between the raw IP address of the connection and the effective

IP address of the request.
