ssl_engine_vars.c

* modules/loggers/mod_logio.c (logio_pre_config): Remove pointless static in optional fn pointer variable declaration.

* modules/ssl/ssl_engine_vars.c (ssl_var_log_config_register): Likewise.

… 1 more file in changeset.

Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing users to convert an attribute value without conversion to UTF-8. (A public CA has issued certs with attributes tagged as the wrong ASN.1 string types.)

* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as macro.
  (modssl_X509_NAME_ENTRY_to_string): Add raw argument.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw string conversion if _RAW suffix is present in DN component.

… 3 more files in changeset.

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic

… 9 more files in changeset.

On the trunk:

mod_ssl: treat SSLConnRecs as const during var lookups.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert): Use const ASN1_OBJECT for X509_ALGOR_get0() for OpenSSL >= 1.1.0 per https://github.com/openssl/openssl/commit/ac4e257747075958d37665f327bdf685dd2478ab

Fix spelling in comments and text files. No functional change.

PR 59990

… 69 more files in changeset.

Support for OpenSSL 1.1.0:

- The callback function passed to SSL_CTX_sess_set_get_cb() now needs the session id argument to be const. So constify the session id.

… 5 more files in changeset.

Support OpenSSL 1.1.0.

- use common code for OpenSSL pre-1.1.0 and 1.1.0 where possible.

… 7 more files in changeset.

hostname: Test and log useragent_host per-request across various modules, including the scoreboard, expression and rewrite engines, setenvif, authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.

PR55348 [William Rowe]

This is the complete change set which applies cleanly to 2.4.x as well; the server/scoreboard.c will follow, which does not apply due to drift.

… 9 more files in changeset.

Restore line deleted in error in r1728909.

Support for OpenSSL 1.1.0:

- mod_ssl

Look out for "XXX: OpenSSL 1.1.0:" for a few open problems.

Not tested with test suite yet.

… 7 more files in changeset.

Using c->master for ssl var lookups when c holds no valid SSLConnRec. Fixes PR58666.

… 1 more file in changeset.

mod_ssl: check request-server for TLS settings compatible with handshake server, allow request if equal; renegotiation checks: remember last used cipher_suite for optimizations, deny any renegotiation in presence of master connection.

… 3 more files in changeset.

mod_ssl: Extend expression parser registration to support ssl variables in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function syntax "ssl(VARIABLE)".

… 2 more files in changeset.

Add support for extracting the msUPN and dnsSRV forms of subjectAltName entries of type "otherName" into SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and adapt modssl_X509_getSAN to take an optional otherName form argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

… 5 more files in changeset.

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().

… 3 more files in changeset.

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

… 2 more files in changeset.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

… 4 more files in changeset.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to modssl_X509_NAME_ENTRY_to_string.

… 2 more files in changeset.

mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.

For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

… 5 more files in changeset.

mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides a combination of certificate serialNumber and issuer as defined by CertificateExactMatch in RFC4523.

… 3 more files in changeset.

Add support for extracting subjectAltName entries of type rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the environment variables table

* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction of subjectAltName entries for the "StdEnvVars" case

* modules/ssl/ssl_engine_vars.c: add support for retrieving the SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with individual on-demand lookup (ssl_var_lookup_ssl_cert_san), or with full-list extraction to the environment ("StdEnvVars")

* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype

* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where suitable. Limit SSL_X509_getSAN to the two most common subjectAltName entry types appearing in user or server certificates (i.e., rfc822Name and dNSName), for the time being.

* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8 and SSL_X509_getSAN prototypes

… 6 more files in changeset.

* Return NULL instead of an empty string as ssl_var_lookup_ssl does by default. Thanks for the pointer, Christophe.

* Check if we have an SSL connection before looking up SSL-related variables during expression evaluation to avoid a crash. If not, return an empty string.

PR: 57070

… 1 more file in changeset.

Add API to support TLS channel bindings with mod_ssl.

* modules/ssl/mod_ssl.h: Define ssl_get_tls_cb.

* modules/ssl/ssl_engine_vars.c (ssl_get_tls_cb): New function.

Submitted by: Simo Sorce <simo redhat.com>

… 1 more file in changeset.

Do not use deprecated define.

No change in generated code because MODULE_MAGIC_NUMBER is defined as:

    #define MODULE_MAGIC_NUMBER MODULE_MAGIC_NUMBER_MAJOR

… 2 more files in changeset.

Increase minimum required OpenSSL version to 0.9.8a (in preparation for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E

… 11 more files in changeset.

No need to test for NULL before calling apr_pstrdup.

… 3 more files in changeset.

Add support for TLS-SRP (Secure Remote Password key exchange for TLS, RFC 5054).

PR: 51075

Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou, Peter Sylvester

… 10 more files in changeset.

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 or later, so that mod_ssl retains binary compatibility with future versions when internal structures are changed. Use API functions where available, and fall back to direct access for OpenSSL up to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was never used by any released version of mod_ssl.

… 6 more files in changeset.