Add module mod_ssl_ct, which provides an implementation of Certificate
Transparency (RFC 6962) for httpd.

mod_ssl_ct requires OpenSSL 1.0.2 (in beta) and must be explicitly
enabled via configure.

Note that support/ctauditscts is purposefully not installed; it
does not properly function due to a dependency on a
certificate-transparency open source project tool which itself is
not sufficiently complete at this time.

  1. … 13 more files in changeset.
Improve ephemeral key handling (companion to r1526168):

- allow configuring custom DHE or ECDHE parameters via the
  SSLCertificateFile directive, and adapt its documentation
  accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,
  use them based on the length of the certificate's RSA/DSA key,
  and add a FAQ entry for clients which limit DH support
  to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
  ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.

  1. … 11 more files in changeset.
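The commit above lets an administrator append custom DH parameters to the file named by SSLCertificateFile, and notes that some clients (Java 7 and earlier) cannot handle DH groups above 1024 bits. A defender reviewing such a file wants to know what group size it actually carries. The following is an added example, not httpd's or mod_ssl's own code: it extracts the `DH PARAMETERS` PEM block from a certificate-file-style bundle, decodes the DER `SEQUENCE { INTEGER p, INTEGER g }` with a minimal parser, and reports the prime's bit length against a configurable minimum. The sample bundle is constructed inline (the certificate block is a placeholder, not a real certificate); the DH prime is the 1024-bit RFC 2409 group 2 modulus with generator 2, encoded by the small DER helpers in the block.

```python
import base64
import re

# RFC 2409 "Second Oakley Group" (1024-bit MODP) prime, generator 2.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


# --- minimal DER encoder (used only to build the constructed sample) ---
def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(v):
    """DER INTEGER for a non-negative value (pads so the sign bit is clear)."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


# --- minimal DER decoder for PKCS#3-style DH parameters ---
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(der):
    """Decode SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters: expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("DH parameters: expected INTEGER")
        ints.append(int.from_bytes(v, "big", signed=True))
    if len(ints) < 2 or ints[0] <= 0:
        raise ValueError("DH parameters: need positive prime and generator")
    return ints[0], ints[1]


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in a bundle."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def audit_dh_params(pem_text, min_bits=2048):
    """Report the DH group carried in an SSLCertificateFile-style bundle.

    Returns None when the bundle has no DH PARAMETERS block (mod_ssl would
    then fall back to its built-in parameters), otherwise a dict with the
    prime size, generator and whether it meets min_bits.
    """
    for label, der in pem_blocks(pem_text):
        if label == "DH PARAMETERS":
            p, g = parse_dh_params(der)
            bits = p.bit_length()
            return {"bits": bits, "generator": g, "meets_minimum": bits >= min_bits}
    return None


def make_dh_pem(p, g):
    b64 = base64.b64encode(der_sequence(der_integer(p), der_integer(g))).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed sample bundle: placeholder certificate plus 1024-bit DH params.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
    + make_dh_pem(RFC2409_GROUP2_P, 2)
)

if __name__ == "__main__":
    print(audit_dh_params(SAMPLE_BUNDLE))
```

Run against a real bundle, `audit_dh_params(open(path).read())` tells you whether the appended group is one a modern client will accept; a 1024-bit result is exactly the case the commit's FAQ entry addresses, where only legacy clients such as Java 7 need it.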
switch back to MOD_SSL_LDADD, as suggested by jorton
Spin off module-specific build options into separate build vars.

[second try, supersedes r1385214]

Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).

Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.

Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.

Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package.

  1. … 7 more files in changeset.
revert r1385214, as I inadvertently left out acinclude.m4.

  1. … 6 more files in changeset.
Spin off module-specific build options into separate build vars.

Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).

Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.

Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.

Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package.

  1. … 6 more files in changeset.
Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only.

  1. … 11 more files in changeset.
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups).

  1. … 15 more files in changeset.
enable mod_ssl at level 'most'

Let's assume that if a system has the openssl dev headers installed in
the default location, it is very unlikely that crypto is forbidden in
the country that the system is located in.

If no ssl toolkit is found, disable mod_ssl instead of aborting.

The actual change is small; use 'diff -b' to review.

  1. … 1 more file in changeset.
Allow specifying module-specific custom linker flags
via the MOD_XXX_LDADD variables.

Use APR_ADDTO instead of APR_SETVAR or direct
variable assignment.

This is especially useful when building mod_lua
or mod_deflate against a lua resp. libz which
are installed in non-standard locations.

One can add "-R ..." to MOD_LUA_LDADD and
MOD_DEFLATE_LDADD before configure to fix
the RPATH/RUNPATH of those modules.

  1. … 7 more files in changeset.
Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.

The Netware and Windows build files still need to be adjusted.

  1. … 34 more files in changeset.
Add support for OCSP "stapling":

* modules/ssl/ssl_util_stapling.c: New file.

* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.

* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
  OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
  extension support enabled).

* modules/ssl/mod_ssl.c: Add config directives.

* modules/ssl/ssl_private.h: Add prototypes for new functions.
  (SSLModConfigRec): Add fields for stapling socache instance and
  associated mutex.
  (modssl_ctx_t): Add config fields for stapling.

* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
  Call the stapling initialization functions.

* modules/ssl/ssl_engine_config.c: Add config hooks.

* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
  instance for OCSP responses.

Submitted by: Dr Stephen Henson <shenson oss-institute.org>

  1. … 9 more files in changeset.
Session cache interface redesign, Part 9:

Switch mod_ssl to use the ap_socache interface.

* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
  modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
  files.

* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.

* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
  (SSLModConfigRec): Switch to using socache types.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
  use socache provider.

* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
  using socache constants.

* modules/ssl/config.m4: Drop distache/memcache configuration, remove
  old objects.

  1. … 9 more files in changeset.
mod_ssl: Add support for OCSP validation of client certificates:

* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
  modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
  (ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
  ssl_cmd_SSLOCSPEnable): Add functions.

* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.

* modules/ssl/ssl_private.h: Add prototypes, config options to
  modssl_ctx_t.

* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
  dispatching OCSP requests.

* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
  OCSP validation.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
  OCSP validation if configured, and the cert is so far verified to be
  trusted. Fail if OCSP validation is configured and the optional-no-ca
  check tripped.

* modules/ssl/config.m4: Check for OCSP support, build new files.

* modules/ssl/mod_ssl.dsp: Build new files.

* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
  interfaces.

PR: 41123

Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton

Reviewed by: Steve Henson <steve openssl.org>

  1. … 9 more files in changeset.
Remove unneeded -I in apr_memcache test, since _INCLUDES already includes them on the paths

Fix VPATH builds of httpd with the apr_memcache backend for ssl sessions, when APR and APR-Util are also in a VPATH. This is caused by APR_INCLUDEDIR actually having multiple paths in a VPATH builds, so we need to use _INCLUDES instead.

  1. … 1 more file in changeset.
Add support for distributed caching of SSL Sessions inside memcached, using apr_memcache, which is present in APR-Util 1.3/trunk.

This was originally written at ApacheCon US 2005 (San Diego), and was sent to the list:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200512.mbox/%3C439C6C07.9030904@force-elite.com%3E

This version is slightly cleaned up, and of course, uses the now bundled apr_memcache, rather than an external dependency.

  1. … 5 more files in changeset.
update license header text
update license header text
  1. … 33 more files in changeset.
Update the last year of copyright.

  1. … 350 more files in changeset.
Update remaining 2004 copyright notices.

  1. … 27 more files in changeset.
general property cleanup

  1. … 712 more files in changeset.
* modules/ssl/config.m4: Use libtool's -export-symbols-regex flag to
  hide all global symbols defined by mod_ssl other than the module
  structure (where possible).

Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:

* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
  module .la library will be linked against.
  (APACHE_MODPATH_ADD): Link static modules against the provided libraries.
  (APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
  that to config_vars.mk.

* support/Makefile.in: Link ab against SSL_LIBS.

* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
  MOD_SSL_LDADD.

PR: 17217

  1. … 2 more files in changeset.
Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.

* Makefile.in (install-include): Only install mod_ssl.h.

* modules/ssl/ssl_private.h: New file.

* modules/ssl/mod_ssl.h: Move everything apart from the optional
  hook definitions into ssl_private.h.

* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h.

* modules/ssl/config.m4: Always add the mod_ssl directory to the
  include path so other modules can find mod_ssl.h.

* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
  hook definitions rather than copy'n'pasting them.

  1. … 28 more files in changeset.
Relicense.

  1. … 1 more file in changeset.
We need the SSL module dir in our path in order to compile mod_ssl.
Otherwise, we can't find mod_ssl.h.

Add support to mod_ssl for a distributed session cache using
distcache.

* LAYOUT: Update for removal of scache_shmht and addition of scache_dc.

* modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo.

* modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck).

* modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow
  use of dc: argument.

* modules/ssl/ssl_scache_dc.c: New file.

* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
  ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove,
  ssl_ext_status_hook): Hook into scache_dc.

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>

  1. … 7 more files in changeset.
Remove shmht session cache in favour of shmcb; shmht has had
data corruption bugs since being apr_rmm'ified.

* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
  ssl_scache_shmht.

* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
  files.

* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
  the scache-specific data.

* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
  shmcb:.

* ssl_scache.c: Remove shmht hooks throughout.

* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
  void *.

  1. … 9 more files in changeset.

These tests now exist in acinclude.m4