Checkout Tools
  • last updated 3 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates

Changeset 1573360 is being indexed.

Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk:

Throw away the myCtxVar{Set,Get} abomination and introduce

a pphrase_cb_arg_t struct instead, for passing stuff between

ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct

members instead of using additional local variables, to make

the data flow more transparent. (Doesn't "vastly simplify"

the code yet, but hopefully we'll get there when further

stripping down ssl_pphrase_Handle.)

Remove the hardcoded algorithm-type dependency for the SSLCertificateFile

and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,

unfortunately, due to the heavily intertwined code in ssl_engine_config.c,

ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the

modssl_pk_server_t data structure. For better comprehensibility,

a detailed listing of the changes follows:

ssl_private.h

- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t

- use apr_array_header_t for cert_files and key_files

- drop tPublicCert from SSLModConfigRec

- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c

- change to apr_array_header_t for SSLCertificate[Key]File

- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs

and keys (in theory; currently OpenSSL does not support more than

one cert/key per algorithm type)

- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c

- configure server certs/keys in ssl_init_server_certs (no longer via

ssl_pphrase_Handle in ssl_init_Module)

- in ssl_init_server_certs, read in certificates and keys with standard

OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to

ssl_load_encrypted_pkey when encountering an encrypted private key

- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,

and ssl_init_ctx_cleanup_server

- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c

- use servername:port:index as the key identifier, instead of the

previously used servername:port:algorithm

- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,

make it only load a single (encrypted) private key, and rename

to ssl_load_encrypted_pkey

- in the passphrase prompt message, show the private key file name

instead of the vhost id and the algorithm name

- do no longer supply the algorithm name as an argument to "exec"-type

passphrase prompting programs

ssl_util.c

- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,

and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}

- drop SSL_read_X509

- constify the filename arg for SSL_read_PrivateKey

CodeWarrior compiler doesnt allow vars as struct inits.

Remove per-certificate chain handling code (obsoleted by

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)

make the ppcb_arg initialization a bit more uniform and easier to read

Followup fix for r1553824:

also pass the file name to ssl_load_encrypted_pkey, to make sure that we

retry with the same filename we used for SSL_CTX_use_PrivateKey_file first

With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on

SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.

update APLOGNO for r1564760

Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand

Reviewed/backported by: jim

  1. … 14 more files in changeset.
Backport r1544784 from trunk:

Remove SSLPKCS7CertificateFile support:

- was never documented, so very unlikely that it was ever used

- adds complexity without apparent benefit; PKCS#7 files can

be trivially converted to a file for use with SSLCertificateChainFile

(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)

- only supports PKCS7 files with PEM encoding, i.e. relies on a

non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)

- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E

were never fully addressed (cf. r424707 and r424735)

- has never worked in vhost context due to a cfgMergeString

call missing from modssl_ctx_cfg_merge

Proposed by: kbrand

Reviewed by: covener, druggeri

  1. … 7 more files in changeset.
Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:

Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed

for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove

the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always

prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is

sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need

for a per-handshake callback, for the time being (and also

configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E

Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers

for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite

Increase minimum required OpenSSL version to 0.9.8a (in preparation

for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y

functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether

they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward

#ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the

SSLCertificateFile directive, and adapt its documentation

accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,

use them based on the length of the certificate's RSA/DSA key,

and add a FAQ entry for clients which limit DH support

to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to

ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a

or later is required, which was therefore made a new minimum

requirement in r1527294.

PR 55616 (add missing APLOGNO), part 2

Submitted by: kbrand

Reviewed/backported by: jim

  1. … 24 more files in changeset.
mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to

the main error log, pointing to the appropriate virtual host error log.

Backport of r1348660 from trunk.

Submitted by: sf

Reviewed by: rjung, covener

Backported by: rjung

  1. … 9 more files in changeset.
Merge r1361792 from trunk:

Remove some checking for out-of-mem conditions that cannot be hit

because apr_pcalloc/apr_pool_create will call abort() anyway.

Submitted by: sf

Reviewed/backported by: jim

  1. … 1 more file in changeset.
Merge r1211680:

Various fixes for log message tags:

- Remove tags in ssl_log_ssl_error() and ssl_log_cert_error()

- Instead add tags to various ssl_log_xerror, ssl_log_cxerror

calls (ssl_log_rxerror is unused).

- likewise for modssl_proxy_info_log()

- Fix spelling of APLOG_NOERRNO in coccinelle script

- add support for ssl_log_*error and ap_log_cserror

- add some more tags missing due to APLOG_NOERRNO spelling error

- Remove tags from example modules (we don't want people to blindly copy

those)

  1. … 9 more files in changeset.
Merge r1211663:

Remove usage of APLOG_NOERRNO. It has been a no-op since at least 2.0.x

  1. … 6 more files in changeset.
Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG

to TRACE1-3

  1. … 164 more files in changeset.