2 ** _ __ ___ ___ __| | ___ ___| | mod_ssl
3 ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
4 ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
5 ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
8 ** Apache Configuration Directives
11 /* ====================================================================
12 * The Apache Software License, Version 1.1
14 * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in
26 * the documentation and/or other materials provided with the
29 * 3. The end-user documentation included with the redistribution,
30 * if any, must include the following acknowledgment:
31 * "This product includes software developed by the
32 * Apache Software Foundation (http://www.apache.org/)."
33 * Alternately, this acknowledgment may appear in the software itself,
34 * if and wherever such third-party acknowledgments normally appear.
36 * 4. The names "Apache" and "Apache Software Foundation" must
37 * not be used to endorse or promote products derived from this
38 * software without prior written permission. For written
39 * permission, please contact apache@apache.org.
41 * 5. Products derived from this software may not be called "Apache",
42 * nor may "Apache" appear in their name, without prior written
43 * permission of the Apache Software Foundation.
45 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
46 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
47 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
48 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
51 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
52 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
53 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
54 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
55 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * ====================================================================
60 /* ``Damned if you do,
61 damned if you don't.''
67 /* _________________________________________________________________
69 ** Support for Global Configuration
70 ** _________________________________________________________________
73 void ssl_hook_AddModule(module *m)
75 if (m == &ssl_module) {
77 * Link ourself into the Apache kernel
86 void ssl_hook_RemoveModule(module *m)
88 if (m == &ssl_module) {
90 * Unlink ourself from the Apache kernel
99 void ssl_config_global_create(void)
104 mc = ap_ctx_get(ap_global_ctx, "ssl_module");
107 * allocate an own subpool which survives server restarts
109 pPool = ap_make_sub_pool(NULL);
110 mc = (SSLModConfigRec *)ap_palloc(pPool, sizeof(SSLModConfigRec));
115 * initialize per-module configuration
118 mc->nSessionCacheMode = SSL_SCMODE_UNSET;
119 mc->szSessionCacheDataFile = NULL;
120 mc->nSessionCacheDataSize = 0;
121 mc->pSessionCacheDataMM = NULL;
122 mc->tSessionCacheDataTable = NULL;
123 mc->nMutexMode = SSL_MUTEXMODE_UNSET;
124 mc->szMutexFile = NULL;
126 mc->nMutexSEMID = -1;
127 mc->aRandSeed = ap_make_array(pPool, 4, sizeof(ssl_randseed_t));
128 mc->tPrivateKey = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
129 mc->tPublicCert = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
130 mc->tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t));
131 #ifdef SSL_EXPERIMENTAL_ENGINE
132 mc->szCryptoDevice = NULL;
135 (void)memset(mc->pTmpKeys, 0, SSL_TKPIDX_MAX*sizeof(void *));
138 * And push it into Apache's global context
140 ap_ctx_set(ap_global_ctx, "ssl_module", mc);
145 void ssl_config_global_fix(void)
147 SSLModConfigRec *mc = myModConfig();
152 BOOL ssl_config_global_isfixed(void)
154 SSLModConfigRec *mc = myModConfig();
159 /* _________________________________________________________________
161 ** Configuration handling
162 ** _________________________________________________________________
166 * Create per-server SSL configuration
168 void *ssl_config_server_create(pool *p, server_rec *s)
172 ssl_config_global_create();
174 sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
175 sc->bEnabled = UNSET;
176 sc->szCACertificatePath = NULL;
177 sc->szCACertificateFile = NULL;
178 sc->szCertificateChain = NULL;
179 sc->szLogFile = NULL;
180 sc->szCipherSuite = NULL;
181 sc->nLogLevel = SSL_LOG_NONE;
182 sc->nVerifyDepth = UNSET;
183 sc->nVerifyClient = SSL_CVERIFY_UNSET;
184 sc->nSessionCacheTimeout = UNSET;
185 sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET;
186 sc->szPassPhraseDialogPath = NULL;
187 sc->nProtocol = SSL_PROTOCOL_ALL;
188 sc->fileLogFile = NULL;
190 sc->szCARevocationPath = NULL;
191 sc->szCARevocationFile = NULL;
192 sc->pRevocationStore = NULL;
194 #ifdef SSL_EXPERIMENTAL_PROXY
195 sc->nProxyVerifyDepth = UNSET;
196 sc->szProxyCACertificatePath = NULL;
197 sc->szProxyCACertificateFile = NULL;
198 sc->szProxyClientCertificateFile = NULL;
199 sc->szProxyClientCertificatePath = NULL;
200 sc->szProxyCipherSuite = NULL;
201 sc->nProxyProtocol = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1;
202 sc->bProxyVerify = UNSET;
203 sc->pSSLProxyCtx = NULL;
206 (void)memset(sc->szPublicCertFile, 0, SSL_AIDX_MAX*sizeof(char *));
207 (void)memset(sc->szPrivateKeyFile, 0, SSL_AIDX_MAX*sizeof(char *));
208 (void)memset(sc->pPublicCert, 0, SSL_AIDX_MAX*sizeof(X509 *));
209 (void)memset(sc->pPrivateKey, 0, SSL_AIDX_MAX*sizeof(EVP_PKEY *));
215 * Merge per-server SSL configurations
217 void *ssl_config_server_merge(pool *p, void *basev, void *addv)
219 SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
220 SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
221 SSLSrvConfigRec *new = (SSLSrvConfigRec *)ap_palloc(p, sizeof(SSLSrvConfigRec));
224 cfgMergeBool(bEnabled);
225 cfgMergeString(szCACertificatePath);
226 cfgMergeString(szCACertificateFile);
227 cfgMergeString(szCertificateChain);
228 cfgMergeString(szLogFile);
229 cfgMergeString(szCipherSuite);
230 cfgMerge(nLogLevel, SSL_LOG_NONE);
231 cfgMergeInt(nVerifyDepth);
232 cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
233 cfgMergeInt(nSessionCacheTimeout);
234 cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET);
235 cfgMergeString(szPassPhraseDialogPath);
236 cfgMerge(nProtocol, SSL_PROTOCOL_ALL);
237 cfgMerge(fileLogFile, NULL);
238 cfgMerge(pSSLCtx, NULL);
239 cfgMerge(szCARevocationPath, NULL);
240 cfgMerge(szCARevocationFile, NULL);
241 cfgMerge(pRevocationStore, NULL);
243 for (i = 0; i < SSL_AIDX_MAX; i++) {
244 cfgMergeString(szPublicCertFile[i]);
245 cfgMergeString(szPrivateKeyFile[i]);
246 cfgMerge(pPublicCert[i], NULL);
247 cfgMerge(pPrivateKey[i], NULL);
250 #ifdef SSL_EXPERIMENTAL_PROXY
251 cfgMergeInt(nProxyVerifyDepth);
252 cfgMergeString(szProxyCACertificatePath);
253 cfgMergeString(szProxyCACertificateFile);
254 cfgMergeString(szProxyClientCertificateFile);
255 cfgMergeString(szProxyClientCertificatePath);
256 cfgMergeString(szProxyCipherSuite);
257 cfgMerge(nProxyProtocol, (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1));
258 cfgMergeBool(bProxyVerify);
259 cfgMerge(pSSLProxyCtx, NULL);
266 * Create per-directory SSL configuration
268 void *ssl_config_perdir_create(pool *p, char *dir)
270 SSLDirConfigRec *dc = ap_palloc(p, sizeof(SSLDirConfigRec));
272 dc->bSSLRequired = FALSE;
273 dc->aRequirement = ap_make_array(p, 4, sizeof(ssl_require_t));
274 dc->nOptions = SSL_OPT_NONE|SSL_OPT_RELSET;
275 dc->nOptionsAdd = SSL_OPT_NONE;
276 dc->nOptionsDel = SSL_OPT_NONE;
278 dc->szCipherSuite = NULL;
279 dc->nVerifyClient = SSL_CVERIFY_UNSET;
280 dc->nVerifyDepth = UNSET;
281 #ifdef SSL_EXPERIMENTAL_PERDIRCA
282 dc->szCACertificatePath = NULL;
283 dc->szCACertificateFile = NULL;
290 * Merge per-directory SSL configurations
292 void *ssl_config_perdir_merge(pool *p, void *basev, void *addv)
294 SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
295 SSLDirConfigRec *add = (SSLDirConfigRec *)addv;
296 SSLDirConfigRec *new = (SSLDirConfigRec *)ap_palloc(p,
297 sizeof(SSLDirConfigRec));
299 cfgMerge(bSSLRequired, FALSE);
300 cfgMergeArray(aRequirement);
302 if (add->nOptions & SSL_OPT_RELSET) {
303 new->nOptionsAdd = (base->nOptionsAdd & ~(add->nOptionsDel)) | add->nOptionsAdd;
304 new->nOptionsDel = (base->nOptionsDel & ~(add->nOptionsAdd)) | add->nOptionsDel;
305 new->nOptions = (base->nOptions & ~(new->nOptionsDel)) | new->nOptionsAdd;
308 new->nOptions = add->nOptions;
309 new->nOptionsAdd = add->nOptionsAdd;
310 new->nOptionsDel = add->nOptionsDel;
313 cfgMergeString(szCipherSuite);
314 cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
315 cfgMergeInt(nVerifyDepth);
316 #ifdef SSL_EXPERIMENTAL_PERDIRCA
317 cfgMergeString(szCACertificatePath);
318 cfgMergeString(szCACertificateFile);
327 * Configuration functions for particular directives
330 const char *ssl_cmd_SSLMutex(
331 cmd_parms *cmd, char *struct_ptr, char *arg)
335 SSLModConfigRec *mc = myModConfig();
337 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
339 if (ssl_config_global_isfixed())
341 if (strcEQ(arg, "none")) {
342 mc->nMutexMode = SSL_MUTEXMODE_NONE;
344 else if (strlen(arg) > 5 && strcEQn(arg, "file:", 5)) {
345 mc->nMutexMode = SSL_MUTEXMODE_FILE;
346 mc->szMutexFile = ap_psprintf(mc->pPool, "%s.%lu",
347 ap_server_root_relative(cmd->pool, "mutex", arg+5),
348 (unsigned long)getpid());
350 else if (strcEQ(arg, "sem")) {
351 #ifdef SSL_CAN_USE_SEM
352 mc->nMutexMode = SSL_MUTEXMODE_SEM;
354 return "SSLMutex: Semaphores not available on this platform";
358 return "SSLMutex: Invalid argument";
363 const char *ssl_cmd_SSLPassPhraseDialog(
364 cmd_parms *cmd, char *struct_ptr, char *arg)
367 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
370 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
372 if (strcEQ(arg, "builtin")) {
373 sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
374 sc->szPassPhraseDialogPath = NULL;
376 else if (strlen(arg) > 5 && strEQn(arg, "exec:", 5)) {
377 sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER;
378 sc->szPassPhraseDialogPath = ap_server_root_relative(cmd->pool, "dialog", arg+5);
379 if (!ssl_util_path_check(SSL_PCM_EXISTS, sc->szPassPhraseDialogPath))
380 return ap_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '",
381 sc->szPassPhraseDialogPath, "' not exists", NULL);
384 return "SSLPassPhraseDialog: Invalid argument";
389 #ifdef SSL_EXPERIMENTAL_ENGINE
390 const char *ssl_cmd_SSLCryptoDevice(
391 cmd_parms *cmd, char *struct_ptr, char *arg)
394 SSLModConfigRec *mc = myModConfig();
397 #if SSL_LIBRARY_VERSION >= 0x00907000
398 static int loaded_engines = FALSE;
400 /* early loading to make sure the engines are already
401 available for ENGINE_by_id() above... */
402 if (!loaded_engines) {
403 ENGINE_load_builtin_engines();
404 loaded_engines = TRUE;
407 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
409 if (strcEQ(arg, "builtin")) {
410 mc->szCryptoDevice = NULL;
412 else if ((e = ENGINE_by_id(arg)) != NULL) {
413 mc->szCryptoDevice = arg;
417 return "SSLCryptoDevice: Invalid argument";
423 const char *ssl_cmd_SSLRandomSeed(
424 cmd_parms *cmd, char *struct_ptr, char *arg1, char *arg2, char *arg3)
427 SSLModConfigRec *mc = myModConfig();
431 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
433 if (ssl_config_global_isfixed())
435 pRS = ap_push_array(mc->aRandSeed);
436 if (strcEQ(arg1, "startup"))
437 pRS->nCtx = SSL_RSCTX_STARTUP;
438 else if (strcEQ(arg1, "connect"))
439 pRS->nCtx = SSL_RSCTX_CONNECT;
441 return ap_pstrcat(cmd->pool, "SSLRandomSeed: "
442 "invalid context: `", arg1, "'");
443 if (strlen(arg2) > 5 && strEQn(arg2, "file:", 5)) {
444 pRS->nSrc = SSL_RSSRC_FILE;
445 pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5));
447 else if (strlen(arg2) > 5 && strEQn(arg2, "exec:", 5)) {
448 pRS->nSrc = SSL_RSSRC_EXEC;
449 pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+5));
451 #if SSL_LIBRARY_VERSION >= 0x00905100
452 else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) {
453 pRS->nSrc = SSL_RSSRC_EGD;
454 pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2+4));
457 else if (strcEQ(arg2, "builtin")) {
458 pRS->nSrc = SSL_RSSRC_BUILTIN;
462 pRS->nSrc = SSL_RSSRC_FILE;
463 pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, "random", arg2));
465 if (pRS->nSrc != SSL_RSSRC_BUILTIN)
466 if (!ssl_util_path_check(SSL_PCM_EXISTS, pRS->cpPath))
467 return ap_pstrcat(cmd->pool, "SSLRandomSeed: source path '",
468 pRS->cpPath, "' not exists", NULL);
470 pRS->nBytes = 0; /* read whole file */
472 if (pRS->nSrc == SSL_RSSRC_BUILTIN)
473 return "SSLRandomSeed: byte specification not "
474 "allowed for builtin seed source";
475 pRS->nBytes = atoi(arg3);
477 return "SSLRandomSeed: invalid number of bytes specified";
483 const char *ssl_cmd_SSLEngine(
484 cmd_parms *cmd, char *struct_ptr, int flag)
487 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
489 sc->bEnabled = (flag ? TRUE : FALSE);
494 const char *ssl_cmd_SSLCipherSuite(
495 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
498 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
500 if (cmd->path == NULL || dc == NULL)
501 sc->szCipherSuite = arg;
503 dc->szCipherSuite = arg;
508 const char *ssl_cmd_SSLCertificateFile(
509 cmd_parms *cmd, char *struct_ptr, char *arg)
512 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
516 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
517 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
518 return ap_pstrcat(cmd->pool, "SSLCertificateFile: file '",
519 cpPath, "' not exists or empty", NULL);
520 for (i = 0; i < SSL_AIDX_MAX && sc->szPublicCertFile[i] != NULL; i++)
522 if (i == SSL_AIDX_MAX)
523 return ap_psprintf(cmd->pool, "SSLCertificateFile: only up to %d "
524 "different certificates per virtual host allowed",
526 sc->szPublicCertFile[i] = cpPath;
531 const char *ssl_cmd_SSLCertificateKeyFile(
532 cmd_parms *cmd, char *struct_ptr, char *arg)
535 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
539 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
540 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
541 return ap_pstrcat(cmd->pool, "SSLCertificateKeyFile: file '",
542 cpPath, "' not exists or empty", NULL);
543 for (i = 0; i < SSL_AIDX_MAX && sc->szPrivateKeyFile[i] != NULL; i++)
545 if (i == SSL_AIDX_MAX)
546 return ap_psprintf(cmd->pool, "SSLCertificateKeyFile: only up to %d "
547 "different private keys per virtual host allowed",
549 sc->szPrivateKeyFile[i] = cpPath;
554 const char *ssl_cmd_SSLCertificateChainFile(
555 cmd_parms *cmd, char *struct_ptr, char *arg)
558 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
561 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
562 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
563 return ap_pstrcat(cmd->pool, "SSLCertificateChainFile: file '",
564 cpPath, "' not exists or empty", NULL);
565 sc->szCertificateChain = cpPath;
570 const char *ssl_cmd_SSLCACertificatePath(
571 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
574 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
577 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
578 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
579 return ap_pstrcat(cmd->pool, "SSLCACertificatePath: directory '",
580 cpPath, "' not exists", NULL);
581 #ifdef SSL_EXPERIMENTAL_PERDIRCA
582 if (cmd->path == NULL || dc == NULL)
583 sc->szCACertificatePath = cpPath;
585 dc->szCACertificatePath = cpPath;
587 sc->szCACertificatePath = cpPath;
593 const char *ssl_cmd_SSLCACertificateFile(
594 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
597 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
600 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
601 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
602 return ap_pstrcat(cmd->pool, "SSLCACertificateFile: file '",
603 cpPath, "' not exists or empty", NULL);
604 #ifdef SSL_EXPERIMENTAL_PERDIRCA
605 if (cmd->path == NULL || dc == NULL)
606 sc->szCACertificateFile = cpPath;
608 dc->szCACertificateFile = cpPath;
610 sc->szCACertificateFile = cpPath;
616 const char *ssl_cmd_SSLCARevocationPath(
617 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
620 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
623 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
624 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
625 return ap_pstrcat(cmd->pool, "SSLCARecocationPath: directory '",
626 cpPath, "' not exists", NULL);
627 sc->szCARevocationPath = cpPath;
632 const char *ssl_cmd_SSLCARevocationFile(
633 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
636 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
639 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
640 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
641 return ap_pstrcat(cmd->pool, "SSLCARevocationFile: file '",
642 cpPath, "' not exists or empty", NULL);
643 sc->szCARevocationFile = cpPath;
648 const char *ssl_cmd_SSLVerifyClient(
649 cmd_parms *cmd, SSLDirConfigRec *dc, char *level)
652 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
655 if (strEQ(level, "0") || strcEQ(level, "none"))
656 id = SSL_CVERIFY_NONE;
657 else if (strEQ(level, "1") || strcEQ(level, "optional"))
658 id = SSL_CVERIFY_OPTIONAL;
659 else if (strEQ(level, "2") || strcEQ(level, "require"))
660 id = SSL_CVERIFY_REQUIRE;
661 else if (strEQ(level, "3") || strcEQ(level, "optional_no_ca"))
662 id = SSL_CVERIFY_OPTIONAL_NO_CA;
664 return "SSLVerifyClient: Invalid argument";
665 if (cmd->path == NULL || dc == NULL)
666 sc->nVerifyClient = id;
668 dc->nVerifyClient = id;
673 const char *ssl_cmd_SSLVerifyDepth(
674 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
677 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
682 return "SSLVerifyDepth: Invalid argument";
683 if (cmd->path == NULL || dc == NULL)
684 sc->nVerifyDepth = d;
686 dc->nVerifyDepth = d;
691 const char *ssl_cmd_SSLSessionCache(
692 cmd_parms *cmd, char *struct_ptr, char *arg)
696 SSLModConfigRec *mc = myModConfig();
700 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
702 if (ssl_config_global_isfixed())
704 if (strcEQ(arg, "none")) {
705 mc->nSessionCacheMode = SSL_SCMODE_NONE;
706 mc->szSessionCacheDataFile = NULL;
708 else if (strlen(arg) > 4 && strcEQn(arg, "dbm:", 4)) {
709 mc->nSessionCacheMode = SSL_SCMODE_DBM;
710 mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
711 ap_server_root_relative(cmd->pool, "scache", arg+4));
713 else if ( (strlen(arg) > 4 && strcEQn(arg, "shm:", 4))
714 || (strlen(arg) > 6 && strcEQn(arg, "shmht:", 6))) {
715 if (!ap_mm_useable())
716 return "SSLSessionCache: shared memory cache not useable on this platform";
717 mc->nSessionCacheMode = SSL_SCMODE_SHMHT;
718 cp = strchr(arg, ':');
719 mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
720 ap_server_root_relative(cmd->pool, "scache", cp+1));
721 mc->tSessionCacheDataTable = NULL;
722 mc->nSessionCacheDataSize = 1024*512; /* 512KB */
723 if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
725 if ((cp2 = strchr(cp, ')')) == NULL)
726 return "SSLSessionCache: Invalid argument: no closing parenthesis";
728 mc->nSessionCacheDataSize = atoi(cp);
729 if (mc->nSessionCacheDataSize <= 8192)
730 return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
731 maxsize = ap_mm_core_maxsegsize();
732 if (mc->nSessionCacheDataSize >= maxsize)
733 return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
734 "size has to be < %d bytes on this platform", maxsize);
737 else if (strlen(arg) > 6 && strcEQn(arg, "shmcb:", 6)) {
738 if (!ap_mm_useable())
739 return "SSLSessionCache: shared memory cache not useable on this platform";
740 mc->nSessionCacheMode = SSL_SCMODE_SHMCB;
741 mc->szSessionCacheDataFile = ap_pstrdup(mc->pPool,
742 ap_server_root_relative(cmd->pool, arg+6));
743 mc->tSessionCacheDataTable = NULL;
744 mc->nSessionCacheDataSize = 1024*512; /* 512KB */
745 if ((cp = strchr(mc->szSessionCacheDataFile, '(')) != NULL) {
747 if ((cp2 = strchr(cp, ')')) == NULL)
748 return "SSLSessionCache: Invalid argument: no closing parenthesis";
750 mc->nSessionCacheDataSize = atoi(cp);
751 if (mc->nSessionCacheDataSize <= 8192)
752 return "SSLSessionCache: Invalid argument: size has to be >= 8192 bytes";
753 maxsize = ap_mm_core_maxsegsize();
754 if (mc->nSessionCacheDataSize >= maxsize)
755 return ap_psprintf(cmd->pool, "SSLSessionCache: Invalid argument: "
756 "size has to be < %d bytes on this platform", maxsize);
760 return "SSLSessionCache: Invalid argument";
765 const char *ssl_cmd_SSLSessionCacheTimeout(
766 cmd_parms *cmd, char *struct_ptr, char *arg)
769 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
771 sc->nSessionCacheTimeout = atoi(arg);
772 if (sc->nSessionCacheTimeout < 0)
773 return "SSLSessionCacheTimeout: Invalid argument";
778 const char *ssl_cmd_SSLLog(
779 cmd_parms *cmd, char *struct_ptr, char *arg)
782 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
785 if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY
786 |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL)
793 const char *ssl_cmd_SSLLogLevel(
794 cmd_parms *cmd, char *struct_ptr, char *level)
797 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
800 if ((err = ap_check_cmd_context(cmd, NOT_IN_LIMIT|NOT_IN_DIRECTORY
801 |NOT_IN_LOCATION|NOT_IN_FILES )) != NULL)
803 if (strcEQ(level, "none"))
804 sc->nLogLevel = SSL_LOG_NONE;
805 else if (strcEQ(level, "error"))
806 sc->nLogLevel = SSL_LOG_ERROR;
807 else if (strcEQ(level, "warn"))
808 sc->nLogLevel = SSL_LOG_WARN;
809 else if (strcEQ(level, "info"))
810 sc->nLogLevel = SSL_LOG_INFO;
811 else if (strcEQ(level, "trace"))
812 sc->nLogLevel = SSL_LOG_TRACE;
813 else if (strcEQ(level, "debug"))
814 sc->nLogLevel = SSL_LOG_DEBUG;
816 return "SSLLogLevel: Invalid argument";
821 const char *ssl_cmd_SSLOptions(
822 cmd_parms *cmd, SSLDirConfigRec *dc, const char *cpLine)
831 while (cpLine[0] != NUL) {
832 w = ap_getword_conf(cmd->pool, &cpLine);
835 if (*w == '+' || *w == '-') {
839 dc->nOptions = SSL_OPT_NONE;
843 if (strcEQ(w, "StdEnvVars"))
844 opt = SSL_OPT_STDENVVARS;
845 else if (strcEQ(w, "CompatEnvVars"))
846 opt = SSL_OPT_COMPATENVVARS;
847 else if (strcEQ(w, "ExportCertData"))
848 opt = SSL_OPT_EXPORTCERTDATA;
849 else if (strcEQ(w, "FakeBasicAuth"))
850 opt = SSL_OPT_FAKEBASICAUTH;
851 else if (strcEQ(w, "StrictRequire"))
852 opt = SSL_OPT_STRICTREQUIRE;
853 else if (strcEQ(w, "OptRenegotiate"))
854 opt = SSL_OPT_OPTRENEGOTIATE;
856 return ap_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", NULL);
859 dc->nOptionsAdd &= ~opt;
860 dc->nOptionsDel |= opt;
861 dc->nOptions &= ~opt;
863 else if (action == '+') {
864 dc->nOptionsAdd |= opt;
865 dc->nOptionsDel &= ~opt;
870 dc->nOptionsAdd = opt;
871 dc->nOptionsDel = SSL_OPT_NONE;
878 const char *ssl_cmd_SSLRequireSSL(
879 cmd_parms *cmd, SSLDirConfigRec *dc, char *cipher)
882 dc->bSSLRequired = TRUE;
887 const char *ssl_cmd_SSLRequire(
888 cmd_parms *cmd, SSLDirConfigRec *dc, char *cpExpr)
892 ssl_require_t *pReqRec;
894 if ((mpExpr = ssl_expr_comp(cmd->pool, cpExpr)) == NULL)
895 return ap_pstrcat(cmd->pool, "SSLRequire: ", ssl_expr_get_error(), NULL);
896 pReqRec = ap_push_array(dc->aRequirement);
897 pReqRec->cpExpr = ap_pstrdup(cmd->pool, cpExpr);
898 pReqRec->mpExpr = mpExpr;
903 const char *ssl_cmd_SSLProtocol(
904 cmd_parms *cmd, char *struct_ptr, const char *opt)
908 ssl_proto_t options, thisopt;
912 sc = mySrvConfig(cmd->server);
913 options = SSL_PROTOCOL_NONE;
914 while (opt[0] != NUL) {
915 w = ap_getword_conf(cmd->pool, &opt);
918 if (*w == '+' || *w == '-')
921 if (strcEQ(w, "SSLv2"))
922 thisopt = SSL_PROTOCOL_SSLV2;
923 else if (strcEQ(w, "SSLv3"))
924 thisopt = SSL_PROTOCOL_SSLV3;
925 else if (strcEQ(w, "TLSv1"))
926 thisopt = SSL_PROTOCOL_TLSV1;
927 else if (strcEQ(w, "all"))
928 thisopt = SSL_PROTOCOL_ALL;
930 return ap_pstrcat(cmd->pool, "SSLProtocol: Illegal protocol '", w, "'", NULL);
934 else if (action == '+')
939 sc->nProtocol = options;
944 #ifdef SSL_EXPERIMENTAL_PROXY
946 const char *ssl_cmd_SSLProxyProtocol(
947 cmd_parms *cmd, char *struct_ptr, const char *opt)
951 ssl_proto_t options, thisopt;
955 sc = mySrvConfig(cmd->server);
956 options = SSL_PROTOCOL_NONE;
957 while (opt[0] != NUL) {
958 w = ap_getword_conf(cmd->pool, &opt);
961 if (*w == '+' || *w == '-')
964 if (strcEQ(w, "SSLv2"))
965 thisopt = SSL_PROTOCOL_SSLV2;
966 else if (strcEQ(w, "SSLv3"))
967 thisopt = SSL_PROTOCOL_SSLV3;
968 else if (strcEQ(w, "TLSv1"))
969 thisopt = SSL_PROTOCOL_TLSV1;
970 else if (strcEQ(w, "all"))
971 thisopt = SSL_PROTOCOL_ALL;
973 return ap_pstrcat(cmd->pool, "SSLProxyProtocol: "
974 "Illegal protocol '", w, "'", NULL);
977 else if (action == '+')
982 sc->nProxyProtocol = options;
987 const char *ssl_cmd_SSLProxyCipherSuite(
988 cmd_parms *cmd, char *struct_ptr, char *arg)
991 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
993 sc->szProxyCipherSuite = arg;
998 const char *ssl_cmd_SSLProxyVerify(
999 cmd_parms *cmd, char *struct_ptr, int flag)
1002 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1004 sc->bProxyVerify = (flag ? TRUE : FALSE);
1009 const char *ssl_cmd_SSLProxyVerifyDepth(
1010 cmd_parms *cmd, char *struct_ptr, char *arg)
1013 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1018 return "SSLProxyVerifyDepth: Invalid argument";
1019 sc->nProxyVerifyDepth = d;
1024 const char *ssl_cmd_SSLProxyCACertificateFile(
1025 cmd_parms *cmd, char *struct_ptr, char *arg)
1028 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1031 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
1032 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
1033 return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
1034 cpPath, "' not exists or empty", NULL);
1035 sc->szProxyCACertificateFile = cpPath;
1040 const char *ssl_cmd_SSLProxyCACertificatePath(
1041 cmd_parms *cmd, char *struct_ptr, char *arg)
1044 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1047 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
1048 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
1049 return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
1050 cpPath, "' does not exists", NULL);
1051 sc->szProxyCACertificatePath = cpPath;
1056 const char *ssl_cmd_SSLProxyMachineCertificateFile(
1057 cmd_parms *cmd, char *struct_ptr, char *arg)
1060 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1063 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
1064 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
1065 return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
1066 cpPath, "' not exists or empty", NULL);
1067 sc->szProxyClientCertificateFile = cpPath;
1072 const char *ssl_cmd_SSLProxyMachineCertificatePath(
1073 cmd_parms *cmd, char *struct_ptr, char *arg)
1076 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1079 cpPath = ap_server_root_relative(cmd->pool, "certkey", arg);
1080 if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
1081 return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
1082 cpPath, "' does not exists", NULL);
1083 sc->szProxyClientCertificatePath = cpPath;
1088 #endif /* SSL_EXPERIMENTAL_PROXY */