ssl_engine_init.c

*) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration
for a domain managed by mod_md caused a startup error. This happened when mod_md installed
its fallback certificate, before it got the first real certificate from Let's Encrypt.

  … 1 more file in changeset.
* moving the openssl related new hooks into mod_ssl_openssl.h
* changing type parameter to openssl types
* adding explanation of return value in get_stapling_status()
* adding array element description for add_cert_files and add_fallback_cert_files hooks

  … 3 more files in changeset.
*) mod_ssl/mod_md:
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.

  … 3 more files in changeset.
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.

  … 4 more files in changeset.
After reinstatement of DSO support in APR/APR-util, revert r1837437,
r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.

Undoes the following:

mod_ssl: OpenSSL now initializes fully through APR, use that.

mod_ssl: build with LibreSSL.
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitly but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.

Follow up to r1833368: share openssl between modules.
Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto
can use the same crypto library (e.g. openssl), use the new APR crypto loading
API so that they can work together and initialize/terminate the lib either once
for all or on demand and reusable by the others.

Follow up to r1833368: apr_crypto_prng_after_fork() now uses a PID.

Make use of the new apr_crypto_rng API if available.

  … 5 more files in changeset.
mod_ssl: unset FIPS mode only if we set it.
If FIPS mode is set by default per openssl lib/module, we should not
unset it on restart or it might never be set again.

PR 63136

  … 1 more file in changeset.
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play. Fixes PR 62880. [Michael Kaufmann]

  … 2 more files in changeset.
* modules/ssl/ssl_engine_init.c: Fix typo in log message.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
post-handshake authentication.
(ssl_init_proxy_certs): Fix proxy client cert support with
TLSv1.3, which is now crippled by default.

mod_ssl: OpenSSL now initializes fully through APR, use that.
Follow up to r1833368 and r1833452.

  … 1 more file in changeset.
Hook up PKCS#11 PIN entry through configured passphrase entry method.

* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
around passphrase entry.
(modssl_load_engine_keypair): Take vhost ID and use above rather than
default OpenSSL UI.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Pass vhost ID.

Submitted by: Anderson Sasaki<ansaski redhat.com>, jorton

  … 2 more files in changeset.
mod_ssl: build with LibreSSL.
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitly but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the
former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.

  … 3 more files in changeset.
mod_ssl: use SSL_HAVE_PROTOCOL_TLSV1_3 to check for compiled in TLS 1.3.
More meaningful than SSL_OP_NO_TLSv1_3, hopefully...

  … 2 more files in changeset.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
logno. Free EVP_PKEY in engine case. Never try reading ECDH/DH
parameters from engine ids.

mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.

* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.

  … 7 more files in changeset.
mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.

* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.

Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton

  … 7 more files in changeset.
* modules/ssl: Add some missing logno tags.

  … 2 more files in changeset.
Follow up to r1828222: fix "defined but not used 'prot'" warning with libressl.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Don't enable SSL
for a vhost if SSLEnable is not used and no certs are configured,
even if the Listen protocol is "https". Restores behaviour to that
prior to r1809303 for configs which would now otherwise fail at
startup.

COMPAT BREAK: This may change the hash keys used to cache privkeys
across a reload so don't backport this to 2.4. Otherwise it's only
user-visible in logging output.

* modules/ssl/ssl_engine_init.c (ssl_init_Module): Derive the vhost_id
*after* potentially setting sc->enabled to default-on, since the
port used may change if not specified explicitly.

On the trunk:
mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.
[Bernard Spil <brnrd@freebsd.org>]

  … 4 more files in changeset.
On the trunk:
mod_ssl: guard use of TLS1_3_VERSION with proper #ifdefs

On the trunk:
mod_ssl TLSv1.3 support, removed V1_3 cipher suite directives again and added an optional protocol specifier to the SSLCipherSuite and SSLProxyCipherSuite commands.

  … 8 more files in changeset.
On the trunk:
mod_ssl: Added configuration directives for TLSv1.3 cipher suites (which
are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
to find a better name.

  … 5 more files in changeset.
On the trunk:
mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
need more sugar).

  … 5 more files in changeset.
On the trunk:
mod_ssl: reverting r1807709 (SSLEngine with addr:port spec) as a "seemed a good idea at the time" thing.

  … 5 more files in changeset.
On the trunk:
mod_ssl: heavily simplified SSLPolicy. No more user defines, no proxy policies,
just the basic "modern", "intermediate" and "old" as specified by Mozilla security.

  … 7 more files in changeset.
Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR 62112 [Ricardo Martin Camarero <rickyepoderi@yahoo.es>]

  … 6 more files in changeset.
Follow-up to r1825120:

* modules/ssl/ssl_engine_init.c (ssl_init_ca_cert_path): Since
SSL_add_file_cert_subjects_to_stack() internally replaces the
comparison callback with one equivalent to
ssl_init_FindCAList_X509NameCmp, there's no point in using that
here.
(ssl_init_FindCAList_X509NameCmp): Removed.

* modules/ssl/ssl_engine_init.c (ssl_init_PushCAList): Remove function.
(ssl_init_ca_cert_path): Use SSL_add_file_cert_subjects_to_stack()
instead.

[Edit: This does change behaviour: the acceptable client CA list is now
always sent in sorted order rather than configured/file order.
In the case of SSLCACertificatePath and SSLCADNRequestPath, the
order will be stable rather than non-deterministic as previously.]