1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
24 * Apache API interface structures
27 #include "ssl_private.h"
29 #include "mod_ssl_openssl.h"
31 #include "util_mutex.h"
32 #include "ap_provider.h"
38 int ssl_running_on_valgrind = 0;
41 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
42 (conn_rec *c,SSL *ssl,int is_proxy),
43 (c,ssl,is_proxy), OK, DECLINED);
46 * the table of configuration directives we provide
49 #define SSL_CMD_ALL(name, args, desc) \
50 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
51 NULL, RSRC_CONF|OR_AUTHCFG, desc),
53 #define SSL_CMD_SRV(name, args, desc) \
54 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
55 NULL, RSRC_CONF, desc),
57 #define SSL_CMD_DIR(name, type, args, desc) \
58 AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
59 NULL, OR_##type, desc),
61 #define AP_END_CMD { NULL }
63 static const command_rec ssl_config_cmds[] = {
65 * Global (main-server) context configuration directives
67 SSL_CMD_SRV(PassPhraseDialog, TAKE1,
68 "SSL dialog mechanism for the pass phrase query "
69 "('builtin', '|/path/to/pipe_program', "
70 "or 'exec:/path/to/cgi_program')")
71 SSL_CMD_SRV(SessionCache, TAKE1,
72 "SSL Session Cache storage "
73 "('none', 'nonenotnull', 'dbm:/path/to/file')")
74 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
75 SSL_CMD_SRV(CryptoDevice, TAKE1,
76 "SSL external Crypto Device usage "
79 SSL_CMD_SRV(RandomSeed, TAKE23,
80 "SSL Pseudo Random Number Generator (PRNG) seeding source "
81 "('startup|connect builtin|file:/path|exec:/path [bytes]')")
84 * Per-server context configuration directives
86 SSL_CMD_SRV(Engine, TAKE1,
87 "SSL switch for the protocol engine "
89 SSL_CMD_SRV(FIPS, FLAG,
90 "Enable FIPS-140 mode "
92 SSL_CMD_ALL(CipherSuite, TAKE1,
93 "Colon-delimited list of permitted SSL Ciphers "
94 "('XXX:...:XXX' - see manual)")
95 SSL_CMD_SRV(CertificateFile, TAKE1,
96 "SSL Server Certificate file "
97 "('/path/to/file' - PEM or DER encoded)")
98 SSL_CMD_SRV(CertificateKeyFile, TAKE1,
99 "SSL Server Private Key file "
100 "('/path/to/file' - PEM or DER encoded)")
101 SSL_CMD_SRV(CertificateChainFile, TAKE1,
102 "SSL Server CA Certificate Chain file "
103 "('/path/to/file' - PEM encoded)")
104 #ifdef HAVE_TLS_SESSION_TICKETS
105 SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
106 "TLS session ticket encryption/decryption key file (RFC 5077) "
107 "('/path/to/file' - file with 48 bytes of random data)")
109 SSL_CMD_ALL(CACertificatePath, TAKE1,
110 "SSL CA Certificate path "
111 "('/path/to/dir' - contains PEM encoded files)")
112 SSL_CMD_ALL(CACertificateFile, TAKE1,
113 "SSL CA Certificate file "
114 "('/path/to/file' - PEM encoded)")
115 SSL_CMD_SRV(CADNRequestPath, TAKE1,
116 "SSL CA Distinguished Name path "
117 "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
118 SSL_CMD_SRV(CADNRequestFile, TAKE1,
119 "SSL CA Distinguished Name file "
120 "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
121 SSL_CMD_SRV(CARevocationPath, TAKE1,
122 "SSL CA Certificate Revocation List (CRL) path "
123 "('/path/to/dir' - contains PEM encoded files)")
124 SSL_CMD_SRV(CARevocationFile, TAKE1,
125 "SSL CA Certificate Revocation List (CRL) file "
126 "('/path/to/file' - PEM encoded)")
127 SSL_CMD_SRV(CARevocationCheck, TAKE1,
128 "SSL CA Certificate Revocation List (CRL) checking mode")
129 SSL_CMD_ALL(VerifyClient, TAKE1,
130 "SSL Client verify type "
131 "('none', 'optional', 'require', 'optional_no_ca')")
132 SSL_CMD_ALL(VerifyDepth, TAKE1,
133 "SSL Client verify depth "
134 "('N' - number of intermediate certificates)")
135 SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
136 "SSL Session Cache object lifetime "
137 "('N' - number of seconds)")
138 #ifdef OPENSSL_NO_SSL3
139 #define SSLv3_PROTO_PREFIX ""
141 #define SSLv3_PROTO_PREFIX "SSLv3|"
144 #define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
146 #define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
148 SSL_CMD_SRV(Protocol, RAW_ARGS,
149 "Enable or disable various SSL protocols "
150 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
151 SSL_CMD_SRV(HonorCipherOrder, FLAG,
152 "Use the server's cipher ordering preference")
153 SSL_CMD_SRV(Compression, FLAG,
154 "Enable SSL level compression "
156 SSL_CMD_SRV(SessionTickets, FLAG,
157 "Enable or disable TLS session tickets"
159 SSL_CMD_SRV(InsecureRenegotiation, FLAG,
160 "Enable support for insecure renegotiation")
161 SSL_CMD_ALL(UserName, TAKE1,
162 "Set user name to SSL variable value")
163 SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
164 "Strict SNI virtual host checking")
167 SSL_CMD_SRV(SRPVerifierFile, TAKE1,
169 "('/path/to/file' - created by srptool)")
170 SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
171 "SRP seed for unknown users (to avoid leaking a user's existence) "
172 "('some secret text')")
176 * Proxy configuration for remote SSL connections
178 SSL_CMD_SRV(ProxyEngine, FLAG,
179 "SSL switch for the proxy protocol engine "
181 SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
182 "SSL Proxy: enable or disable SSL protocol flavors "
183 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
184 SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
185 "SSL Proxy: colon-delimited list of permitted SSL ciphers "
186 "('XXX:...:XXX' - see manual)")
187 SSL_CMD_SRV(ProxyVerify, TAKE1,
188 "SSL Proxy: whether to verify the remote certificate "
190 SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
191 "SSL Proxy: maximum certificate verification depth "
192 "('N' - number of intermediate certificates)")
193 SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
194 "SSL Proxy: file containing server certificates "
195 "('/path/to/file' - PEM encoded certificates)")
196 SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
197 "SSL Proxy: directory containing server certificates "
198 "('/path/to/dir' - contains PEM encoded certificates)")
199 SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
200 "SSL Proxy: CA Certificate Revocation List (CRL) path "
201 "('/path/to/dir' - contains PEM encoded files)")
202 SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
203 "SSL Proxy: CA Certificate Revocation List (CRL) file "
204 "('/path/to/file' - PEM encoded)")
205 SSL_CMD_SRV(ProxyCARevocationCheck, TAKE1,
206 "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
207 SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
208 "SSL Proxy: file containing client certificates "
209 "('/path/to/file' - PEM encoded certificates)")
210 SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
211 "SSL Proxy: directory containing client certificates "
212 "('/path/to/dir' - contains PEM encoded certificates)")
213 SSL_CMD_SRV(ProxyMachineCertificateChainFile, TAKE1,
214 "SSL Proxy: file containing issuing certificates "
215 "of the client certificate "
216 "(`/path/to/file' - PEM encoded certificates)")
217 SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
218 "SSL Proxy: check the peer certificate's expiration date")
219 SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
220 "SSL Proxy: check the peer certificate's CN")
221 SSL_CMD_SRV(ProxyCheckPeerName, FLAG,
222 "SSL Proxy: check the peer certificate's name "
223 "(must be present in subjectAltName extension or CN")
226 * Per-directory context configuration directives
228 SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
229 "Set one or more options to configure the SSL engine"
230 "('[+-]option[=value] ...' - see manual)")
231 SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
232 "Require the SSL protocol for the per-directory context "
234 SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
235 "Require a boolean expression to evaluate to true for granting access"
236 "(arbitrary complex boolean expression - see manual)")
237 SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
238 "Configure the amount of memory that will be used for buffering the "
239 "request body if a per-location SSL renegotiation is required due to "
240 "changed access control requirements")
242 SSL_CMD_SRV(OCSPEnable, FLAG,
243 "Enable use of OCSP to verify certificate revocation ('on', 'off')")
244 SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
245 "URL of the default OCSP Responder")
246 SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
247 "Force use of the default responder URL ('on', 'off')")
248 SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
249 "Maximum time difference in OCSP responses")
250 SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
251 "Maximum age of OCSP responses")
252 SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
253 "OCSP responder query timeout")
254 SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
255 "Whether OCSP queries use a nonce or not ('on', 'off')")
256 SSL_CMD_SRV(OCSPProxyURL, TAKE1,
257 "Proxy URL to use for OCSP requests")
259 #ifdef HAVE_OCSP_STAPLING
261 * OCSP Stapling options
263 SSL_CMD_SRV(StaplingCache, TAKE1,
264 "SSL Stapling Response Cache storage "
265 "(`dbm:/path/to/file')")
266 SSL_CMD_SRV(UseStapling, FLAG,
267 "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
268 SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
269 "SSL stapling option for maximum time difference in OCSP responses")
270 SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
271 "SSL stapling option for OCSP responder timeout")
272 SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
273 "SSL stapling option for maximum age of OCSP responses")
274 SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
275 "SSL stapling option for normal OCSP Response Cache Lifetime")
276 SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
277 "SSL stapling switch to return Status Errors Back to Client"
279 SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
280 "SSL stapling switch to send tryLater response to client on error "
282 SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
283 "SSL stapling option for OCSP Response Error Cache Lifetime")
284 SSL_CMD_SRV(StaplingForceURL, TAKE1,
285 "SSL stapling option to Force the OCSP Stapling URL")
288 #ifdef HAVE_SSL_CONF_CMD
289 SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
290 "OpenSSL configuration command")
293 /* Deprecated directives. */
294 AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
295 "SSLLog directive is no longer supported - use ErrorLog."),
296 AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
297 "SSLLogLevel directive is no longer supported - use LogLevel."),
303 * the various processing hooks
305 static apr_status_t ssl_cleanup_pre_config(void *data)
308 * Try to kill the internals of the SSL library.
310 /* Corresponds to OPENSSL_load_builtin_modules():
311 * XXX: borrowed from apps.h, but why not CONF_modules_free()
312 * which also invokes CONF_modules_finish()?
314 CONF_modules_unload(1);
315 /* Corresponds to SSL_library_init: */
317 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
320 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
321 ERR_remove_thread_state(NULL);
326 /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
327 * actually loaded the error strings once per process due to static
328 * variable abuse in OpenSSL. */
329 #if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
333 /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
334 * ex_data indices may have been cached in static variables in
335 * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
336 * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
337 * could result in a per-connection memory leak (!). */
340 * TODO: determine somewhere we can safely shove out diagnostics
341 * (when enabled) at this late stage in the game:
342 * CRYPTO_mem_leaks_fp(stderr);
347 static int ssl_hook_pre_config(apr_pool_t *pconf,
353 ssl_running_on_valgrind = RUNNING_ON_VALGRIND;
356 /* We must register the library in full, to ensure our configuration
357 * code can successfully test the SSL environment.
359 CRYPTO_malloc_init();
360 ERR_load_crypto_strings();
361 SSL_load_error_strings();
363 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
364 ENGINE_load_builtin_engines();
366 OpenSSL_add_all_algorithms();
367 OPENSSL_load_builtin_modules();
369 if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
370 (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
371 "SRVName otherName form");
375 * Let us cleanup the ssl library when the module is unloaded
377 apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config,
378 apr_pool_cleanup_null);
380 /* Register us to handle mod_log_config %c/%x variables */
381 ssl_var_log_config_register(pconf);
383 /* Register to handle mod_status status page generation */
384 ssl_scache_status_register(pconf);
386 /* Register mutex type names so they can be configured with Mutex */
387 ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
388 #ifdef HAVE_OCSP_STAPLING
389 ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL,
390 APR_LOCK_DEFAULT, 0);
391 ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL,
392 APR_LOCK_DEFAULT, 0);
398 static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
400 SSLConnRec *sslconn = myConnConfig(c);
407 sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
409 sslconn->server = c->base_server;
410 sslconn->verify_depth = UNSET;
411 sc = mySrvConfig(c->base_server);
412 sslconn->cipher_suite = sc->server->auth.cipher_suite;
414 myConnConfigSet(c, sslconn);
419 static int ssl_proxy_enable(conn_rec *c)
423 SSLConnRec *sslconn = ssl_init_connection_ctx(c);
424 sc = mySrvConfig(sslconn->server);
426 if (!sc->proxy_enabled) {
427 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
428 "SSL Proxy requested for %s but not enabled "
429 "[Hint: SSLProxyEngine]", sc->vhost_id);
434 sslconn->is_proxy = 1;
435 sslconn->disabled = 0;
440 static int ssl_engine_disable(conn_rec *c)
444 SSLConnRec *sslconn = myConnConfig(c);
447 sc = mySrvConfig(sslconn->server);
450 sc = mySrvConfig(c->base_server);
452 if (sc->enabled == SSL_ENABLED_FALSE) {
456 sslconn = ssl_init_connection_ctx(c);
458 sslconn->disabled = 1;
463 int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
467 SSLConnRec *sslconn = myConnConfig(c);
474 sslconn = ssl_init_connection_ctx(c);
476 server = sslconn->server;
477 sc = mySrvConfig(server);
480 * Seed the Pseudo Random Number Generator (PRNG)
482 ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
484 mctx = sslconn->is_proxy ? sc->proxy : sc->server;
487 * Create a new SSL connection with the configured server SSL context and
488 * attach this to the socket. Additionally we register this attachment
489 * so we can detach later.
491 if (!(ssl = SSL_new(mctx->ssl_ctx))) {
492 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
493 "Unable to create a new SSL connection from the SSL "
495 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
499 return DECLINED; /* XXX */
502 rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
503 if (rc != OK && rc != DECLINED) {
507 vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
510 if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
511 APR_MD5_DIGESTSIZE*2))
513 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
514 "Unable to set session id context to '%s'", vhost_md5);
515 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
519 return DECLINED; /* XXX */
522 SSL_set_app_data(ssl, c);
523 modssl_set_app_data2(ssl, NULL); /* will be request_rec */
527 SSL_set_verify_result(ssl, X509_V_OK);
529 ssl_io_filter_init(c, r, ssl);
534 static const char *ssl_hook_http_scheme(const request_rec *r)
536 SSLSrvConfigRec *sc = mySrvConfig(r->server);
538 if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
545 static apr_port_t ssl_hook_default_port(const request_rec *r)
547 SSLSrvConfigRec *sc = mySrvConfig(r->server);
549 if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
556 static int ssl_hook_pre_connection(conn_rec *c, void *csd)
560 SSLConnRec *sslconn = myConnConfig(c);
563 sc = mySrvConfig(sslconn->server);
566 sc = mySrvConfig(c->base_server);
569 * Immediately stop processing if SSL is disabled for this connection
571 if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
572 (sslconn && sslconn->is_proxy))))
581 sslconn = ssl_init_connection_ctx(c);
584 if (sslconn->disabled) {
589 * Remember the connection information for
590 * later access inside callback functions
593 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
594 "Connection to child %ld established "
595 "(server %s)", c->id, sc->vhost_id);
597 return ssl_init_ssl_connection(c, NULL);
600 static int ssl_hook_process_connection(conn_rec* c)
602 SSLConnRec *sslconn = myConnConfig(c);
604 if (sslconn && !sslconn->disabled) {
605 /* On an active SSL connection, let the input filters initialize
606 * themselves which triggers the handshake, which again triggers
607 * all kinds of useful things such as SNI and ALPN.
609 apr_bucket_brigade* temp;
611 temp = apr_brigade_create(c->pool, c->bucket_alloc);
612 ap_get_brigade(c->input_filters, temp,
613 AP_MODE_INIT, APR_BLOCK_READ, 0);
614 apr_brigade_destroy(temp);
621 * the module registration phase
624 static void ssl_register_hooks(apr_pool_t *p)
626 /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
627 * run after mod_setenvif's post_read_request hook. */
628 static const char *pre_prr[] = { "mod_setenvif.c", NULL };
630 ssl_io_filter_register(p);
632 ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
633 ap_hook_process_connection(ssl_hook_process_connection,
634 NULL, NULL, APR_HOOK_MIDDLE);
635 ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
636 ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
637 ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
638 ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
639 ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
640 ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
641 ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
642 ap_hook_check_access (ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE,
643 AP_AUTH_INTERNAL_PER_CONF);
644 ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
645 AP_AUTH_INTERNAL_PER_CONF);
646 ap_hook_check_authz (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE,
647 AP_AUTH_INTERNAL_PER_CONF);
648 ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
652 APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
653 APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
655 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
656 AUTHZ_PROVIDER_VERSION,
657 &ssl_authz_provider_require_ssl,
658 AP_AUTH_INTERNAL_PER_CONF);
660 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
661 AUTHZ_PROVIDER_VERSION,
662 &ssl_authz_provider_verify_client,
663 AP_AUTH_INTERNAL_PER_CONF);
667 module AP_MODULE_DECLARE_DATA ssl_module = {
668 STANDARD20_MODULE_STUFF,
669 ssl_config_perdir_create, /* create per-dir config structures */
670 ssl_config_perdir_merge, /* merge per-dir config structures */
671 ssl_config_server_create, /* create per-server config structures */
672 ssl_config_server_merge, /* merge per-server config structures */
673 ssl_config_cmds, /* table of configuration directives */
674 ssl_register_hooks /* register hooks */