ssl_engine_config.c

mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.

* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.

* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.

PR: 63391
Github: closes #74

… 5 more files in changeset.
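The "standard format" the commit above refers to is the NSS key log format: one entry per line, `<LABEL> <client_random as 64 hex digits> <secret as hex>`, which OpenSSL 1.1.1 hands to a registered keylog callback one line at a time (without the trailing newline, so the writer appends it) and which Wireshark reads. The checker below is an added example, not mod_ssl's modssl_callback_keylog or any other httpd code. It assumes the label set and secret lengths OpenSSL 1.1.1 emits (CLIENT_RANDOM with a 48-byte master secret for TLS 1.2 and earlier; 32- or 48-byte stage secrets for TLS 1.3, depending on the cipher suite's hash) and runs over a constructed sample log. A practitioner would use it to sanity-check an SSLKEYLOGFILE before feeding it to Wireshark, bearing in mind that the file decrypts every session it covers, so it belongs on test hosts only and with restrictive permissions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not mod_ssl code: checks an $SSLKEYLOGFILE in the NSS key log
 * format, "<LABEL> <client_random, 64 hex> <secret, hex>" per line, '#' and
 * blank lines ignored.  Label set and lengths assumed from OpenSSL 1.1.1. */

typedef struct {
    char   label[40], client_random[65];   /* hex, NUL-terminated */
    size_t secret_len;                     /* decoded secret length in bytes */
} keylog_entry;

/* CLIENT_RANDOM carries the 48-byte TLS <= 1.2 master secret; the others are
 * TLS 1.3 stage secrets of 32 or 48 bytes, depending on the suite's hash. */
static const char *const keylog_labels[] = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
};
#define NLABELS (sizeof(keylog_labels) / sizeof(keylog_labels[0]))

static size_t hex_span(const char *s)
{
    size_t n = 0;
    while (isxdigit((unsigned char)s[n]))
        n++;
    return n;
}

/* 1: valid entry stored in *out; 0: comment or blank line; -1: malformed
 * (unknown label, non-hex data, wrong length, trailing garbage). */
int keylog_parse_line(const char *line, keylog_entry *out)
{
    const char *p = line;
    size_t i, n, shex;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '\r' || *p == '\n' || *p == '#')
        return 0;
    for (n = 0; isupper((unsigned char)p[n]) || isdigit((unsigned char)p[n])
                || p[n] == '_'; n++)
        ;
    if (n == 0 || n >= sizeof(out->label) || p[n] != ' ')
        return -1;
    memcpy(out->label, p, n);
    out->label[n] = '\0';
    for (i = 0; i < NLABELS && strcmp(keylog_labels[i], out->label) != 0; i++)
        ;
    if (i == NLABELS)
        return -1;
    p += n + 1;
    if (hex_span(p) != 64 || p[64] != ' ')      /* client_random is 32 bytes */
        return -1;
    memcpy(out->client_random, p, 64);
    out->client_random[64] = '\0';
    p += 65;
    shex = hex_span(p);
    p += shex;
    while (*p == ' ' || *p == '\r' || *p == '\n')
        p++;
    if (shex == 0 || shex % 2 != 0 || *p != '\0')
        return -1;
    out->secret_len = shex / 2;
    if (strcmp(out->label, "CLIENT_RANDOM") == 0)
        return out->secret_len == 48 ? 1 : -1;
    return (out->secret_len == 32 || out->secret_len == 48) ? 1 : -1;
}

/* Walks a whole log buffer; returns the number of usable entries and reports
 * malformed lines through *malformed.  Lines over 511 bytes are truncated. */
int keylog_count(const char *text, int *malformed)
{
    int valid = 0;
    *malformed = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t full = eol ? (size_t)(eol - text) : strlen(text);
        size_t len = full < 511 ? full : 511;
        char buf[512];
        keylog_entry e;
        int rc;
        memcpy(buf, text, len);
        buf[len] = '\0';
        rc = keylog_parse_line(buf, &e);
        valid += (rc == 1);
        *malformed += (rc == -1);
        text += full + (eol ? 1 : 0);
    }
    return valid;
}

/* Constructed sample, not real key material; H16 is 16 bytes as hex. */
#define H16 "00112233445566778899aabbccddeeff"
static const char sample_keylog[] =
    "# comment lines are skipped\n"
    "CLIENT_RANDOM " H16 H16 " " H16 H16 H16 "\n"               /* 48-byte master secret */
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " H16 H16 " " H16 H16 "\n" /* 32-byte TLS 1.3 secrets */
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " H16 H16 " " H16 H16 "\n"
    "CLIENT_TRAFFIC_SECRET_0 " H16 H16 " " H16 H16 "\n"
    "SERVER_TRAFFIC_SECRET_0 " H16 H16 " " H16 H16 "\n"
    "CLIENT_RANDOM " H16 H16 " " H16 H16 "\n";                  /* 32-byte master secret: rejected */
```

Running keylog_count over sample_keylog reports five usable entries and one malformed line (the last CLIENT_RANDOM, whose secret is too short to be a master secret). Entries are validated independently; whether a given TLS 1.3 session is fully decryptable still depends on all four handshake and traffic secrets for its client_random being present, which is why a truncated or partially written log is worth checking before a capture is shared.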
mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

* modules/ssl/ssl_engine_config.c (ssl_cmd_check_file):
If dumping the config, don't validate the paths. Allows
e.g. "httpd -L" to work w/ certs configured but not present,
doesn't affect "httpd -t".

* Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.

The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.

This fixes a regression likely introduced in r1740928.

… 1 more file in changeset.
mod_ssl: use SSL_HAVE_PROTOCOL_TLSV1_3 to check for compiled in TLS 1.3.

More meaningful than SSL_OP_NO_TLSv1_3, hopefully...

… 2 more files in changeset.
mod_ssl: after code review, changed:

* eliminated SSLPolicyRec as name no longer used
* eliminated some left over parameters in internal functions due to policy def removal
* reverted a NULL test, necessary before

… 1 more file in changeset.
* modules/ssl/ssl_engine_config.c: Fix typos, but isn't this first TODO
actually done?

mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.

* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.

* docs/manual/: Update manual.

… 7 more files in changeset.
mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.

* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.

Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton

… 7 more files in changeset.
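The two ENGINE commits above (TLS certificates through the PKCS#11 engine, and private keys from ENGINEs) let SSLCertificateFile and SSLCertificateKeyFile name an engine object instead of a file, PKCS#11 URIs only, with the file-existence check skipped for such values. The block below is an added example, not mod_ssl's modssl_is_engine_key / modssl_is_engine_id or any other httpd code; how mod_ssl itself recognises an engine id is not shown on this page. It assumes the reference is identified by its `pkcs11:` scheme (RFC 7512), adds an RFC 7512 attribute lookup with percent-decoding, and flags a URI that embeds the PIN through `pin-value`: since the second commit notes that PIN entry is not yet routed through SSLPassPhraseDialog, a configuration carrying the PIN in the URI keeps it in httpd.conf in clear, which a config review should catch. The sample URI is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not mod_ssl code.  Illustrates the decision the commits
 * above describe: a SSLCertificate(Key)File value that is a PKCS#11 URI
 * (RFC 7512) is an ENGINE reference, so no file-existence check applies;
 * anything else is a path.  Also does an RFC 7512 attribute lookup. */

/* Scheme test; RFC 7512 scheme names are case-insensitive. */
int is_pkcs11_uri(const char *s)
{
    static const char scheme[] = "pkcs11:";
    size_t i;
    for (i = 0; i < sizeof(scheme) - 1; i++)
        if (tolower((unsigned char)s[i]) != scheme[i])
            return 0;
    return 1;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decodes len bytes of src into out; -1 on a bad escape or overflow. */
static int pct_decode(const char *src, size_t len, char *out, size_t outlen)
{
    size_t i, o = 0;
    for (i = 0; i < len; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi, lo;
            if (i + 2 >= len || (hi = hexval((unsigned char)src[i + 1])) < 0
                || (lo = hexval((unsigned char)src[i + 2])) < 0)
                return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Finds "name=" in a component list split by sep, stopping at stop; returns
 * the raw value start and sets *vend to its end, or NULL if absent. */
static const char *find_attr(const char *p, char sep, char stop,
                             const char *name, const char **vend)
{
    size_t nlen = strlen(name);
    while (*p && *p != stop) {
        const char *end = p;
        while (*end && *end != sep && *end != stop)
            end++;
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0
            && p[nlen] == '=') {
            *vend = end;
            return p + nlen + 1;
        }
        p = (*end == sep) ? end + 1 : end;
    }
    return NULL;
}

/* Looks up one attribute in the ';'-separated path part, then the
 * '&'-separated query part (RFC 7512 keeps those as distinct attribute sets;
 * this lookup does not enforce which names belong where).  Returns 1 with the
 * decoded value in out, 0 if absent, -1 if not a PKCS#11 URI or bad escape. */
int pkcs11_uri_get(const char *uri, const char *name, char *out, size_t outlen)
{
    const char *v, *vend, *q;
    if (!is_pkcs11_uri(uri))
        return -1;
    uri += 7;
    v = find_attr(uri, ';', '?', name, &vend);
    if (!v) {
        q = strchr(uri, '?');
        if (!q || !(v = find_attr(q + 1, '&', '\0', name, &vend)))
            return 0;
    }
    return pct_decode(v, (size_t)(vend - v), out, outlen) < 0 ? -1 : 1;
}

enum keyref { KEYREF_FILE, KEYREF_ENGINE, KEYREF_ENGINE_PIN_INLINE };

/* A path must exist on disk; an engine reference is resolved by the ENGINE.
 * A URI carrying pin-value puts the PIN into httpd.conf in clear, which is
 * worth flagging in a config review (pin-source names a file instead). */
enum keyref classify_key_ref(const char *value)
{
    char pin[64];
    if (!is_pkcs11_uri(value))
        return KEYREF_FILE;
    /* any non-zero result means a pin-value attribute is present */
    return pkcs11_uri_get(value, "pin-value", pin, sizeof pin) != 0
           ? KEYREF_ENGINE_PIN_INLINE : KEYREF_ENGINE;
}

/* Constructed sample value, not from any real deployment. */
static const char sample_uri[] =
    "pkcs11:token=Web%20Server;object=server-key;type=private"
    "?pin-source=file:/run/httpd/pin";
```

classify_key_ref(sample_uri) yields KEYREF_ENGINE, since the sample takes its PIN from a pin-source rather than embedding it; a plain path such as /etc/ssl/private/server.key yields KEYREF_FILE and would still be subject to the existence check the commits keep for files.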
mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections.

Regression introduced in 2.4.30. PR 62232.

The proxy SSL_CTX was not inherited from the vhost (the only available in
2.4.29) in/for any directory context besides <Proxy>...

Mostly debugged and fixed by Rainer, thanks!

… 1 more file in changeset.
On the trunk:

mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.

… 8 more files in changeset.
On the trunk:

mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.

… 5 more files in changeset.
On the trunk:

mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
need more sugar).

… 5 more files in changeset.
On the trunk:

mod_ssl: reverting r1807709 (SSLEngine with addr:port spec) as a "seemed a good idea at the time" thing.

… 5 more files in changeset.
On the trunk:

mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.

… 7 more files in changeset.
Fixed OCSPEnable to keep accepting "off", not "none".

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi@yahoo.es>]

… 6 more files in changeset.
On the trunk:

mod_ssl: fixed orphaned code path in ssl policy lookup after review by rpluem

On the trunk:

mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
for new server config merge flag. Denying global, only once used directives
inside a SSLPolicyDefine.

… 6 more files in changeset.
mod_ssl: fix add_policy() w.r.t. OPENSSL_NO_COMP. PR 61592.

Proposed by: Bernard Spil <brnrd freebsd.org>

Reviewed by: ylavic

On the trunk:

mod_ssl: adding ssl_policies.h[.in] for policy cipher/protocol definitions. Use
update_policies.py to update manually from Mozilla JSON definitions at
https://statics.tls.security.mozilla.org/server-side-tls-conf.json

… 5 more files in changeset.
* We need i if we have HAVE_SSL_CONF_CMD defined
* Silence compiler warning and remove unused variable
On the trunk:

mod_ssl: Extending SSLEngine to alternatively get a list of add:port spec as used in VirtualHost.

… 5 more files in changeset.
On the trunk:

mod_ssl: not using SSLV3 constant that would define what we mean by SSL version 3 if openssl does not know about SSL version 3. Then we pretend to not know about it either.

On the trunk:

mod_ssl: adding SSLPolicy and SSLProxyPolicy directives plus documentation.

… 6 more files in changeset.
mod_ssl: follow up to r1781575

Fix SSLOCSPNoVerify merging, and while at it capitalize Verify as suggested
by wrowe.

… 3 more files in changeset.
Add Configuration for trusted OCSP responder certificates

Fix for PR 46037

… 6 more files in changeset.
mod_ssl: follow up to r1781187.

Address SSL_CTX leak in (merged) proxy_ctx.

… 1 more file in changeset.
mod_ssl: revert r1781299 r1781188.

Need to separate follow up related to r1740928 and co from the one related to
r1781187.

… 1 more file in changeset.