ssl_util_stapling.c


Merged /httpd/httpd/trunk:r1851621,1852128,1862075

*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for adding certificates and keys to a virtual host. An additional hook allows answering special TLS connections as used in ACME challenges.

Adding 2 new hooks for init/get of OCSP stapling status information when other modules want to provide those. Falls back to own implementation with same behaviour as before.

… 6 more files in changeset.

Merge ^/httpd/httpd/branches/2.4.x-openssl-1.1.0-compat:

Support OpenSSL 1.1.0

Proposed by: rjung
Reviewed by: wrowe, jorton, covener

… 15 more files in changeset.

Merge r1775173 from trunk:

Silence compiler warning:

"686: warning: 'ok' may be used uninitialized in this function"

This is a false positive, because the value of "ok" will only be used if stapling_get_cached_response() sets "rsp" to non-NULL, in which case it will always have set "ok".

Submitted by: rjung
Reviewed/backported by: jim

… 2 more files in changeset.

Merge r1725485 from trunk:

Added many log numbers to log statements that had none. Those were not detected by the coccinelle script.

Submitted by: rjung
Reviewed/backported by: jim

… 34 more files in changeset.

Add APLOGNO, first chunk (those that were detected by coccinelle). There are some more, but they are easier to backport once these here are applied.

Backport of r1725392, r1725394, r1725395 and r1725468 from trunk.

Submitted by: rjung
Reviewed by: jim, ylavic

… 38 more files in changeset.

Merge r1711728, r1713209 from trunk:

For the "SSLStaplingReturnResponderErrors off" case, make sure to only staple responses with certificate status "good". Also avoids including inaccurate responses when the OCSP responder is not completely up to date in terms of the CA-issued certificates (and provides interim "unknown" or "extended revoked" [RFC 6960] status replies).

Log a certificate status other than "good" in stapling_check_response().

Propagate the "ok" status from stapling_check_response() back via both stapling_renew_response() and get_and_check_cached_response() to the callback code in stapling_cb(), enabling the decision whether to include or skip the response.

insert missing LOGNO in ssl_util_stapling.c

Submitted by: kbrand
Reviewed/backported by: jim

… 4 more files in changeset.

Merge r1679032, r1679192, and r1680276 from trunk:

r1679032:

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing the OCSP response for a different certificate. mod_ssl has an additional global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache implementation which doesn't require it. (A further, unrelated code change to mod_ssl is required to allow the use of memcache as a stapling cache, and I haven't tested with distcache; thus it isn't clear if this helps in practice yet.)

r1679192:

Fix regression in check for cached response

(Essentially) Submitted by: ylavic

r1680276:

OCSP stapling: slight simplification to some internal interfaces, add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton

… 7 more files in changeset.

Merge r1641077, r1641095 from trunk:

mod_ssl: Fix recognition of OCSP stapling responses that are encoded improperly or too large. The one byte "ok" flag stored with the response was accounted for in the wrong condition.

follow up to r1641077:

one bug was traded for another in r1641077; track the response length and the cached object length separately to avoid such confusion

Submitted by: trawick
Reviewed/backported by: jim

… 2 more files in changeset.

Merge r1629372, r1629485, r1629519 from trunk:

Move OCSP stapling information from a per-certificate store (ex_data attached to an X509 *) to a per-server hash which is allocated from the pconf pool. Fixes PR 54357, PR 56919 and a leak with the certinfo_free cleanup function (missing OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add ssl_stapling_certid_free (used with apr_pool_cleanup_register). Switch to a stapling_certinfo hash which is keyed by the SHA-1 digest of the certificate's DER encoding, rework ssl_stapling_init_cert to only store info once per certificate (allocated from the pconf to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for ssl_stapling_init_cert, replace ssl_stapling_ex_init with ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh <alex alex.org.uk>

Follow up to r1629372: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_value).

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).

Submitted by: kbrand, ylavic, ylavic
Reviewed/backported by: jim

… 6 more files in changeset.

Merge r1588853 from trunk:

ssl_stapling_init_cert: do not return success when no responder URI is found

stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty

Submitted by: kbrand
Reviewed/backported by: jim

… 2 more files in changeset.

Merge r1544774, r1544812 from trunk:

Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E

"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead of abruptly exit(1)ing, it will return APR_EGENERAL to the ssl_init_* callers in ssl_engine_init.c, and these will propagate the status back to ssl_init_Module.

Followup to r1544774: do not ignore failures from ssl_server_import_{cert,key} in ssl_init_server_certs

Submitted by: kbrand
Reviewed/backported by: jim

… 12 more files in changeset.

Merge r1454888:

Typo

No code change

… 1 more file in changeset.

mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to the main error log, pointing to the appropriate virtual host error log.

Backport of r1348660 from trunk.

Submitted by: sf
Reviewed by: rjung, covener
Backported by: rjung

… 9 more files in changeset.

merge r1222917 from trunk:

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, so that mod_ssl retains binary compatibility with future versions when internal structures are changed. Use API functions where available, and fall back to direct access for OpenSSL up to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was never used by any released version of mod_ssl.

… 8 more files in changeset.

Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG to TRACE1-3

… 164 more files in changeset.