mod_ssl: Add support for loading TLS certificates through the PKCS#11


* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
  from modssl_is_engine_key.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
  Adjust accordingly.
  (ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
  Rename from modssl_load_engine_key; load certificate if
  cert id is passed.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
  load the certificate from the engine as well.

* docs/manual/: Update manual.

  1. … 7 more files in changeset.
Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.

* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
  serialize internally. Use ap_realloc. Return the ssl_asn1_t *
  pointer. Don't call apr_hash_set() for unchanged pointer case.

* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
  Adjust for the above.

* modules/ssl/ssl_private.h: Adjust as above, add docs.

  1. … 2 more files in changeset.
mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.

* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
  Use it, skip check for file existence for engine keys.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
  New function.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
  For engine keys, load via modssl_load_engine_pkey.

Submitted by: Anderson Sasaki <ansasaki>, jorton

  1. … 7 more files in changeset.
* modules/ssl/ssl_util.c (modssl_request_is_tls): Adjust
  to take SSLConnRec * out parameter rather than SSL *.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Use it here.
  (ssl_hook_Fixup): Adjust use.

  1. … 2 more files in changeset.
Factor out logic to determine if request is using SSL/TLS and use it


* modules/ssl/ssl_util.c (modssl_request_is_tls): New function.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup): Use it.

* modules/ssl/mod_ssl.c (ssl_hook_http_scheme, ssl_hook_default_port):
  Use it.

PR: 61519

  1. … 3 more files in changeset.
* modules/ssl/ssl_util.c (ssl_util_vhostid): Simplify code,
  no functional change.

mod_ssl, ab: compatibility with LibreSSL. PR 61184.

LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.

Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).

Proposed by: Bernard Spil <brnrd>

Reviewed by: ylavic

  1. … 9 more files in changeset.
Merge fix branch for PR60947.
  1. … 4 more files in changeset.
mod_ssl: work around leaks on (graceful) restart.

Tested with valgrind and --with-ssl shared/static.

  1. … 3 more files in changeset.
Clarify some z/OS mysteries via code comments.

Followup to r1421305.

PR 56210

Support for OpenSSL 1.1.0:

- remove thread locking. It is now builtin
  for OpenSSL 1.1.0

first stab at a better SNI vs. request name matching, by accounting for serveralias and wildcards
  1. … 2 more files in changeset.
Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depend on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:

- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
  and keys (in theory; currently OpenSSL does not support more than
  one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

- configure server certs/keys in ssl_init_server_certs (no longer via
  ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
  OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
  ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
  and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

- use servername:port:index as the key identifier, instead of the
  previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
  make it only load a single (encrypted) private key, and rename
  to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
  instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type
  passphrase prompting programs

- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
  and ssl_asn1_table_keyfmt

- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey

  1. … 9 more files in changeset.
Remove SSLPKCS7CertificateFile support:

- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
  be trivially converted to a file for use with SSLCertificateChainFile
  (concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
  non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in
  were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
  call missing from modssl_ctx_cfg_merge

  1. … 6 more files in changeset.
Address a todo listed in

"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.

  1. … 7 more files in changeset.
Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros
- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not
- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see

  1. … 11 more files in changeset.
Avoid use of deprecated functions for OpenSSL version >= 1.0

  1. … 1 more file in changeset.
Remove some checking for out-of-mem conditions that cannot be hit
because apr_pcalloc/apr_pool_create will call abort() anyway.

Pass the server_rec to ssl_die() and use it to log a message to the main error
log, pointing to the appropriate virtual host error log

  1. … 8 more files in changeset.
Various fixes for log message tags:

- Remove tags in ssl_log_ssl_error() and ssl_log_cert_error()
- Instead add tags to various ssl_log_xerror, ssl_log_cxerror
  calls (ssl_log_rxerror is unused).
- likewise for modssl_proxy_info_log()
- Fix spelling of APLOG_NOERRNO in coccinelle script
- add support for ssl_log_*error and ap_log_cserror
- add some more tags missing due to APLOG_NOERRNO spelling error
- Remove tags from example modules (we don't want people to blindly copy


  1. … 10 more files in changeset.
Remove usage of APLOG_NOERRNO. It has been a no-op since at least 2.0.x

  1. … 5 more files in changeset.
Add some more log message tags

Remove some log message tags from ap_log_* calls that log lots of
different error messages, in particular the config parsing errors.
Not sure how we should handle those.

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3

  1. … 12 more files in changeset.
Add another AP_DEBUG_ASSERT to document some assumptions in the code,
for the benefit of code analyzers.

Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change

  1. … 118 more files in changeset.
Add wrappers for malloc, calloc, realloc that check for out of memory
situations. Use them in most places where malloc, and friends are used.
This results in clean error messages in an out of memory situation instead of
segfaulting or silently malfunctioning. In some places, it just allows to
remove some logging code.

PR 51568, PR 51569, PR 51571.

  1. … 17 more files in changeset.
Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.

Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.

  1. … 12 more files in changeset.
Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <> and follow-ups).

  1. … 15 more files in changeset.
Consistently use loglevel emerg before ssl_die()

  1. … 4 more files in changeset.
Fix some modules to make them compile with per-module loglevels.

  1. … 5 more files in changeset.
Introduce SSLLOG_MARK for use with ssl_log_ssl_error(). This will allow to
redefine APLOG_MARK later.

  1. … 8 more files in changeset.