mod_ssl: OpenSSL now initializes fully through APR, use that.

Follow up to r1833368 and r1833452.

mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).

So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7; the two 2.7 compatibility exceptions are handled explicitly, but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, LibreSSL uses none: the former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions, while the latter has never been (and will never be) defined. So don't call any with LibreSSL.

Follow up to r1833368: share openssl between modules.

Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto can use the same crypto library (e.g. openssl); use the new APR crypto loading API so that they can work together and initialize/terminate the lib either once for all or on demand and reusable by the others.

Factor out logic to determine if request is using SSL/TLS and use it consistently.

* modules/ssl/ssl_util.c (modssl_request_is_tls): New function.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Use it.
* modules/ssl/mod_ssl.c (ssl_hook_http_scheme, ssl_hook_default_port): Use it.

PR: 61519

On the trunk:

mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.

[Bernard Spil <brnrd@freebsd.org>]

On the trunk:

mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.

On the trunk:

mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity to find a better name.

On the trunk:

mod_ssl: reverting r1807709 (SSLEngine with addr:port spec) as a "seemed a good idea at the time" thing.

On the trunk:

mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies, just the basic "modern", "intermediate" and "old" as specified by Mozilla security.

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR 62112 [Ricardo Martin Camarero <rickyepoderi@yahoo.es>]

On the trunk:

mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour for new server config merge flag. Denying global, only once used directives inside a SSLPolicyDefine.

On the trunk:

mod_ssl: make the new module flag used.

mod_ssl: follow up to r1809302.

Make use of AP_MODULE_FLAG_ALWAYS_MERGE.

On the trunk:

mod_ssl: Extending SSLEngine to alternatively get a list of addr:port spec as used in VirtualHost.

On the trunk:

mod_ssl: adding SSLPolicy and SSLProxyPolicy directives plus documentation.

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

mod_ssl: we can't use SSL_COMP_free_compression_methods() if OPENSSL_NO_COMP is defined. PR 61206.

Submitted by: Michael Schlenker <msc contact.de>


mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested by wrowe.

Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

mod_ssl: follow up to r1781187.

The ssl_util_thread_*() functions are not necessary with openssl-1.1+

mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.

Remove calling ERR_remove_thread_state when using OpenSSL 1.1.0.

This API is now a no-op in OpenSSL 1.1.0 and deprecated.

Compatibility with OpenSSL 1.1.0 pre6.


mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections, allowing per backend TLS configuration.

Support for OpenSSL 1.1.0:

- ERR_remove_thread_state() no longer has an argument.


mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL.

mod_ssl: Don't lose track of the SSL context if the ssl_run_pre_handshake() hook returns an error.

Support for OpenSSL 1.1.0:

- mod_ssl

Look out for "XXX: OpenSSL 1.1.0:" for a few open problems.

Not tested with test suite yet.

* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.

Documentation to follow.

Better illustrate the ordering of hook processing