Fix a typo
mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.

Reference: http://openssl.6102.n7.nabble.com/Shutting-down-openssl-is-the-correct-thing-to-do-nothing-td76857.html#a76862

  1. … 2 more files in changeset.
After reinstatement of DSO support in APR/APR-util, revert r1837437, r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.

Undoes the following:

mod_ssl: OpenSSL now initializes fully through APR, use that.

mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master). So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7 compatibility-exceptions are handled explicitly but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, LibreSSL uses none, the former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions, while the latter has never been (and will never be) defined. So don't call any with LibreSSL.

Follow up to r1833368: share openssl between modules.

Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto can use the same crypto library (e.g. openssl), use the new APR crypto loading API so that they can work together and initialize/terminate the lib either once for all or on demand and reusable by the others.

Follow up to r1833368: apr_crypto_prng_after_fork() now uses a PID.

Make use of the new apr_crypto_rng API if available.

  1. … 5 more files in changeset.
mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy SSL configurations broken inside <Proxy> context.

PR 63430

Triggered by r1855646+r1855748.

Patch from rpluem (proxy) and ylavic (ssl).

  1. … 2 more files in changeset.
* Solve a chicken and egg problem here: We need to have sslconn->dc set correctly when we want to init sslconn, but we need to allocate memory for it first.

* Revert r1855741 which committed other stuff as well.
  1. … 2 more files in changeset.
* Play safe in case we get no name

Reverted by r1855742.

  1. … 2 more files in changeset.
mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.

The SSL dir config of proxy/backend connections is stored in r->per_dir_config but those connections have a lifetime independent of the requests they handle. So we need to allow the external ssl_engine_set() function to reset mod_ssl's dir config in between proxy requests, or the first sslconn->dc could be used after free for the next requests.

mod_proxy can then reset/reinit the request config when recycling its backend connections.

PR 63256.

  1. … 2 more files in changeset.
mod_ssl: unset FIPS mode only if we set it.

If FIPS mode is set by default per openssl lib/module, we should not unset it on restart or it might never be set again.

PR 63136

  1. … 1 more file in changeset.
rollback 1844001.

  1. … 2 more files in changeset.
And a way for custom modules to guess and extract ssl variables.

See https://github.com/jfclere/JBCSP-17 for example...

  1. … 2 more files in changeset.
Follow up to r1833368 and r1837435: update APLOGNO.

  1. … 1 more file in changeset.
mod_ssl: OpenSSL now initializes fully through APR, use that.

Follow up to r1833368 and r1833452.

  1. … 1 more file in changeset.
mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master). So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7 compatibility-exceptions are handled explicitly but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, LibreSSL uses none, the former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions, while the latter has never been (and will never be) defined. So don't call any with LibreSSL.

  1. … 3 more files in changeset.
Follow up to r1833368: share openssl between modules.

Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto can use the same crypto library (e.g. openssl), use the new APR crypto loading API so that they can work together and initialize/terminate the lib either once for all or on demand and reusable by the others.

  1. … 3 more files in changeset.
Factor out logic to determine if request is using SSL/TLS and use it consistently.

* modules/ssl/ssl_util.c (modssl_request_is_tls): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Use it.

* modules/ssl/mod_ssl.c (ssl_hook_http_scheme, ssl_hook_default_port): Use it.

PR: 61519

  1. … 3 more files in changeset.
On the trunk:

mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.

[Bernard Spil <brnrd@freebsd.org>]

  1. … 4 more files in changeset.
On the trunk:

mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.

  1. … 8 more files in changeset.
On the trunk:

mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity to find a better name.

  1. … 5 more files in changeset.
On the trunk:

mod_ssl: reverting r1807709 (SSLEngine with addr:port spec) as a "seemed a good idea at the time" thing.

  1. … 5 more files in changeset.
On the trunk:

mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies, just the basic "modern", "intermediate" and "old" as specified by Mozilla security.

  1. … 7 more files in changeset.
Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi@yahoo.es>]

  1. … 6 more files in changeset.
On the trunk:

mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour for new server config merge flag. Denying global, only once used directives inside an SSLPolicyDefine.

  1. … 6 more files in changeset.
On the trunk:

mod_ssl: make the new module flag used.

mod_ssl: follow up to r1809302.

Make use of AP_MODULE_FLAG_ALWAYS_MERGE.

  1. … 1 more file in changeset.
On the trunk:

mod_ssl: Extending SSLEngine to alternatively get a list of addr:port spec as used in VirtualHost.

  1. … 5 more files in changeset.
On the trunk:

mod_ssl: adding SSLPolicy and SSLProxyPolicy directives plus documentation.

  1. … 6 more files in changeset.
mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

  1. … 9 more files in changeset.
mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>

mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested by wrowe.

  1. … 3 more files in changeset.