2 ** _ __ ___ ___ __| | ___ ___| | mod_ssl
3 ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
4 ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
5 ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
8 ** Initialization of Servers
11 /* ====================================================================
12 * The Apache Software License, Version 1.1
14 * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in
26 * the documentation and/or other materials provided with the
29 * 3. The end-user documentation included with the redistribution,
30 * if any, must include the following acknowledgment:
31 * "This product includes software developed by the
32 * Apache Software Foundation (http://www.apache.org/)."
33 * Alternately, this acknowledgment may appear in the software itself,
34 * if and wherever such third-party acknowledgments normally appear.
36 * 4. The names "Apache" and "Apache Software Foundation" must
37 * not be used to endorse or promote products derived from this
38 * software without prior written permission. For written
39 * permission, please contact apache@apache.org.
41 * 5. Products derived from this software may not be called "Apache",
42 * nor may "Apache" appear in their name, without prior written
43 * permission of the Apache Software Foundation.
45 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
46 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
47 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
48 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
51 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
52 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
53 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
54 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
55 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * ====================================================================
64 /* _________________________________________________________________
66 ** Module Initialization
67 ** _________________________________________________________________
70 static char * ssl_add_version_component(apr_pool_t *p,
74 char *val = ssl_var_lookup(p, s, NULL, NULL, name);
77 ap_add_version_component(p, val);
83 static char *version_components[] = {
84 "SSL_VERSION_PRODUCT",
85 "SSL_VERSION_INTERFACE",
86 "SSL_VERSION_LIBRARY",
90 static void ssl_add_version_components(apr_pool_t *p,
93 char *vals[sizeof(version_components)/sizeof(char *)];
96 for (i=0; version_components[i]; i++) {
97 vals[i] = ssl_add_version_component(p, s,
98 version_components[i]);
101 ssl_log(s, SSL_LOG_INFO,
102 "Server: %s, Interface: %s, Library: %s",
103 AP_SERVER_BASEVERSION,
104 vals[1], /* SSL_VERSION_INTERFACE */
105 vals[2]); /* SSL_VERSION_LIBRARY */
110 * Initialize SSL library
112 static void ssl_init_SSLLibrary(server_rec *s)
114 ssl_log(s, SSL_LOG_INFO,
115 "Init: Initializing %s library", SSL_LIBRARY_NAME);
117 CRYPTO_malloc_init();
118 SSL_load_error_strings();
123 * Per-module initialization
125 int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
127 server_rec *base_server)
129 SSLModConfigRec *mc = myModConfig(base_server);
134 * Let us cleanup on restarts and exists
136 apr_pool_cleanup_register(p, base_server,
138 apr_pool_cleanup_null);
141 * Any init round fixes the global config
143 ssl_config_global_create(base_server); /* just to avoid problems */
144 ssl_config_global_fix(mc);
147 * try to fix the configuration and open the dedicated SSL
148 * logfile as early as possible
150 for (s = base_server; s; s = s->next) {
153 /* Fix up stuff that may not have been set */
154 if (sc->bEnabled == UNSET) {
155 sc->bEnabled = FALSE;
158 if (sc->nVerifyClient == SSL_CVERIFY_UNSET) {
159 sc->nVerifyClient = SSL_CVERIFY_NONE;
162 if (sc->nVerifyDepth == UNSET) {
163 sc->nVerifyDepth = 1;
166 #ifdef SSL_EXPERIMENTAL_PROXY
167 if (sc->nProxyVerifyDepth == UNSET) {
168 sc->nProxyVerifyDepth = 1;
172 if (sc->nSessionCacheTimeout == UNSET) {
173 sc->nSessionCacheTimeout = SSL_SESSION_CACHE_TIMEOUT;
176 if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) {
177 sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN;
180 /* Open the dedicated SSL logfile */
181 ssl_log_open(base_server, s, p);
184 ssl_init_SSLLibrary(base_server);
187 ssl_util_thread_setup(base_server, p);
190 ssl_pphrase_Handle(base_server, p);
191 ssl_init_TmpKeysHandle(SSL_TKP_GEN, base_server, p);
194 * SSL external crypto device ("engine") support
196 #ifdef SSL_EXPERIMENTAL_ENGINE
197 ssl_init_Engine(base_server, p);
201 * Warn the user that he should use the session cache.
202 * But we can operate without it, of course.
204 if (mc->nSessionCacheMode == SSL_SCMODE_UNSET) {
205 ssl_log(base_server, SSL_LOG_WARN,
206 "Init: Session Cache is not configured "
207 "[hint: SSLSessionCache]");
208 mc->nSessionCacheMode = SSL_SCMODE_NONE;
212 * initialize the mutex handling
214 if (!ssl_mutex_init(base_server, p)) {
215 return HTTP_INTERNAL_SERVER_ERROR;
219 * initialize session caching
221 ssl_scache_init(base_server, p);
224 * Seed the Pseudo Random Number Generator (PRNG)
226 ssl_rand_seed(base_server, p, SSL_RSCTX_STARTUP, "Init: ");
231 ssl_log(base_server, SSL_LOG_INFO,
232 "Init: Initializing (virtual) servers for SSL");
234 for (s = base_server; s; s = s->next) {
237 * Either now skip this server when SSL is disabled for
238 * it or give out some information about what we're
245 ssl_log(s, SSL_LOG_INFO,
246 "Init: Configuring server %s for SSL protocol",
247 ssl_util_vhostid(p, s));
250 * Read the server certificate and key
252 ssl_init_ConfigureServer(s, p, sc);
256 * Configuration consistency checks
258 ssl_init_CheckServers(base_server, p);
261 * Announce mod_ssl and SSL library in HTTP Server field
262 * as ``mod_ssl/X.X.X OpenSSL/X.X.X''
264 ssl_add_version_components(p, base_server);
266 SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
272 * Support for external a Crypto Device ("engine"), usually
273 * a hardware accellerator card for crypto operations.
275 #ifdef SSL_EXPERIMENTAL_ENGINE
276 void ssl_init_Engine(server_rec *s, apr_pool_t *p)
278 SSLModConfigRec *mc = myModConfig(s);
281 if (mc->szCryptoDevice) {
282 if (!(e = ENGINE_by_id(mc->szCryptoDevice))) {
283 ssl_log(s, SSL_LOG_ERROR,
284 "Init: Failed to load Crypto Device API `%s'",
289 if (strEQ(mc->szCryptoDevice, "chil")) {
290 ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
293 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
294 ssl_log(s, SSL_LOG_ERROR,
295 "Init: Failed to enable Crypto Device API `%s'",
305 #define MODSSL_TEMP_KEY_FREE(mc, type, idx) \
306 if (mc->pTmpKeys[idx]) { \
307 type##_free((type *)mc->pTmpKeys[idx]); \
308 mc->pTmpKeys[idx] = NULL; \
311 #define MODSSL_TEMP_KEYS_FREE(mc, type) \
312 MODSSL_TEMP_KEY_FREE(mc, type, SSL_TKPIDX_##type##512); \
313 MODSSL_TEMP_KEY_FREE(mc, type, SSL_TKPIDX_##type##1024)
316 * Handle the Temporary RSA Keys and DH Params
318 void ssl_init_TmpKeysHandle(int action, server_rec *s, apr_pool_t *p)
320 SSLModConfigRec *mc = myModConfig(s);
322 if (action == SSL_TKP_GEN) { /* Generate Keys and Params */
324 ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
326 /* generate 512 bit RSA key */
327 ssl_log(s, SSL_LOG_INFO,
328 "Init: Generating temporary RSA private keys (512/1024 bits)");
330 /* generate 512 bit RSA key */
331 if (!(mc->pTmpKeys[SSL_TKPIDX_RSA512] =
332 RSA_generate_key(512, RSA_F4, NULL, NULL)))
334 ssl_log(s, SSL_LOG_ERROR,
335 "Init: Failed to generate temporary "
336 "512 bit RSA private key");
340 /* generate 1024 bit RSA key */
341 if (!(mc->pTmpKeys[SSL_TKPIDX_RSA1024] =
342 RSA_generate_key(1024, RSA_F4, NULL, NULL)))
344 ssl_log(s, SSL_LOG_ERROR,
345 "Init: Failed to generate temporary "
346 "1024 bit RSA private key");
350 ssl_log(s, SSL_LOG_INFO,
351 "Init: Configuring temporary "
352 "DH parameters (512/1024 bits)");
354 /* generate 512 bit DH param */
355 if (!(mc->pTmpKeys[SSL_TKPIDX_DH512] =
356 ssl_dh_GetTmpParam(512)))
358 ssl_log(s, SSL_LOG_ERROR,
359 "Init: Failed to generate temporary "
360 "512 bit DH parameters");
364 /* generate 1024 bit DH param */
365 if (!(mc->pTmpKeys[SSL_TKPIDX_DH1024] =
366 ssl_dh_GetTmpParam(1024)))
368 ssl_log(s, SSL_LOG_ERROR,
369 "Init: Failed to generate temporary "
370 "1024 bit DH parameters");
374 else if (action == SSL_TKP_FREE) { /* Free Keys and Params */
375 MODSSL_TEMP_KEYS_FREE(mc, RSA);
376 MODSSL_TEMP_KEYS_FREE(mc, DH);
381 * Configure a particular server
383 void ssl_init_ConfigureServer(server_rec *s, apr_pool_t *p,
386 SSLModConfigRec *mc = myModConfig(s);
387 int verify = SSL_VERIFY_NONE;
391 STACK_OF(X509_NAME) *ca_list;
400 * Create the server host:port string because we need it a lot
402 sc->szVHostID = vhost_id = ssl_util_vhostid(p, s);
403 sc->nVHostID_length = strlen(sc->szVHostID);
406 * Now check for important parameters and the
407 * possibility that the user forgot to set them.
409 if (!sc->szPublicCertFile[0]) {
410 ssl_log(s, SSL_LOG_ERROR,
411 "Init: (%s) No SSL Certificate set [hint: SSLCertificateFile]",
417 * Check for problematic re-initializations
419 if (sc->pPublicCert[SSL_AIDX_RSA] ||
420 sc->pPublicCert[SSL_AIDX_DSA])
422 ssl_log(s, SSL_LOG_ERROR,
423 "Init: (%s) Illegal attempt to re-initialise SSL for server "
424 "(theoretically shouldn't happen!)", vhost_id);
429 * Create the new per-server SSL context
431 if (sc->nProtocol == SSL_PROTOCOL_NONE) {
432 ssl_log(s, SSL_LOG_ERROR,
433 "Init: (%s) No SSL protocols available [hint: SSLProtocol]",
439 (sc->nProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
440 (sc->nProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
441 (sc->nProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
443 cp[strlen(cp)-2] = NUL;
445 ssl_log(s, SSL_LOG_TRACE,
446 "Init: (%s) Creating new SSL context (protocols: %s)",
449 if (sc->nProtocol == SSL_PROTOCOL_SSLV2) {
450 ctx = SSL_CTX_new(SSLv2_server_method()); /* only SSLv2 is left */
453 ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */
456 SSL_CTX_set_options(ctx, SSL_OP_ALL);
458 if (!(sc->nProtocol & SSL_PROTOCOL_SSLV2)) {
459 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
462 if (!(sc->nProtocol & SSL_PROTOCOL_SSLV3)) {
463 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
466 if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1)) {
467 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
470 SSL_CTX_set_app_data(ctx, s);
474 * Configure additional context ingredients
476 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
478 if (mc->nSessionCacheMode == SSL_SCMODE_NONE) {
479 cache_mode = SSL_SESS_CACHE_OFF;
482 /* SSL_SESS_CACHE_NO_INTERNAL_LOOKUP will force OpenSSL
483 * to ignore process local-caching and
484 * to always get/set/delete sessions using mod_ssl's callbacks.
486 cache_mode = SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
489 SSL_CTX_set_session_cache_mode(ctx, cache_mode);
492 * Configure callbacks for SSL context
494 if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
495 verify |= SSL_VERIFY_PEER_STRICT;
498 if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
499 (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
501 verify |= SSL_VERIFY_PEER;
504 SSL_CTX_set_verify(ctx, verify, ssl_callback_SSLVerify);
506 SSL_CTX_sess_set_new_cb(ctx, ssl_callback_NewSessionCacheEntry);
507 SSL_CTX_sess_set_get_cb(ctx, ssl_callback_GetSessionCacheEntry);
508 SSL_CTX_sess_set_remove_cb(ctx, ssl_callback_DelSessionCacheEntry);
510 SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
511 SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
513 if (sc->nLogLevel >= SSL_LOG_INFO) {
514 /* this callback only logs if SSLLogLevel >= info */
515 SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
519 * Configure SSL Cipher Suite
521 if (sc->szCipherSuite) {
522 ssl_log(s, SSL_LOG_TRACE,
523 "Init: (%s) Configuring permitted SSL ciphers [%s]",
524 vhost_id, sc->szCipherSuite);
526 if (!SSL_CTX_set_cipher_list(ctx, sc->szCipherSuite)) {
527 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
528 "Init: (%s) Unable to configure permitted SSL ciphers",
535 * Configure Client Authentication details
537 if (sc->szCACertificateFile || sc->szCACertificatePath) {
538 ssl_log(s, SSL_LOG_TRACE,
539 "Init: (%s) Configuring client authentication", vhost_id);
541 if (!SSL_CTX_load_verify_locations(ctx,
542 sc->szCACertificateFile,
543 sc->szCACertificatePath))
545 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
546 "Init: (%s) Unable to configure verify locations "
547 "for client authentication", vhost_id);
551 ca_list = ssl_init_FindCAList(s, p,
552 sc->szCACertificateFile,
553 sc->szCACertificatePath);
555 ssl_log(s, SSL_LOG_ERROR,
556 "Init: (%s) Unable to determine list of available "
557 "CA certificates for client authentication",
562 SSL_CTX_set_client_CA_list(sc->pSSLCtx, (STACK *)ca_list);
566 * Configure Certificate Revocation List (CRL) Details
568 if (sc->szCARevocationFile || sc->szCARevocationPath) {
569 ssl_log(s, SSL_LOG_TRACE,
570 "Init: (%s) Configuring certificate revocation facility",
573 sc->pRevocationStore =
574 SSL_X509_STORE_create((char *)sc->szCARevocationFile,
575 (char *)sc->szCARevocationPath);
577 if (!sc->pRevocationStore) {
578 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
579 "Init: (%s) Unable to configure X.509 CRL storage "
580 "for certificate revocation",
587 * Give a warning when no CAs were configured but client authentication
588 * should take place. This cannot work.
590 if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
591 ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
593 if (sk_X509_NAME_num(ca_list) == 0) {
594 ssl_log(s, SSL_LOG_WARN,
595 "Init: Ops, you want to request client authentication, "
596 "but no CAs are known for verification!? "
597 "[Hint: SSLCACertificate*]");
602 * Configure server certificate(s)
604 cp = apr_psprintf(p, "%s:RSA", vhost_id);
606 if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp))) {
607 ssl_log(s, SSL_LOG_TRACE,
608 "Init: (%s) Configuring RSA server certificate",
612 if (!(sc->pPublicCert[SSL_AIDX_RSA] =
613 d2i_X509(NULL, &ptr, asn1->nData)))
615 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
616 "Init: (%s) Unable to import RSA server certificate",
621 if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_RSA]) <= 0) {
622 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
623 "Init: (%s) Unable to configure RSA server certificate",
631 cp = apr_psprintf(p, "%s:DSA", vhost_id);
633 if ((asn1 = ssl_asn1_table_get(mc->tPublicCert, cp))) {
634 ssl_log(s, SSL_LOG_TRACE,
635 "Init: (%s) Configuring DSA server certificate",
639 if (!(sc->pPublicCert[SSL_AIDX_DSA] =
640 d2i_X509(NULL, &ptr, asn1->nData)))
642 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
643 "Init: (%s) Unable to import DSA server certificate",
648 if (SSL_CTX_use_certificate(ctx, sc->pPublicCert[SSL_AIDX_DSA]) <= 0) {
649 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
650 "Init: (%s) Unable to configure DSA server certificate",
659 ssl_log(s, SSL_LOG_ERROR,
660 "Init: (%s) Ops, no RSA or DSA server certificate found?!",
662 ssl_log(s, SSL_LOG_ERROR,
663 "Init: (%s) You have to perform a *full* server restart "
664 "when you added or removed a certificate and/or key file",
670 * Some information about the certificate(s)
672 for (i = 0; i < SSL_AIDX_MAX; i++) {
673 if (sc->pPublicCert[i]) {
674 if (SSL_X509_isSGC(sc->pPublicCert[i])) {
675 ssl_log(s, SSL_LOG_INFO,
676 "Init: (%s) %s server certificate enables "
677 "Server Gated Cryptography (SGC)",
678 vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
681 if (SSL_X509_getBC(sc->pPublicCert[i], &is_ca, &pathlen)) {
683 ssl_log(s, SSL_LOG_WARN,
684 "Init: (%s) %s server certificate "
685 "is a CA certificate "
686 "(BasicConstraints: CA == TRUE !?)",
687 vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"));
691 ssl_log(s, SSL_LOG_WARN,
692 "Init: (%s) %s server certificate "
693 "is not a leaf certificate "
694 "(BasicConstraints: pathlen == %d > 0 !?)",
695 vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
700 if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
701 int fnm_flags = FNM_PERIOD|FNM_CASE_BLIND;
703 if (apr_is_fnmatch(cp) &&
704 (apr_fnmatch(cp, s->server_hostname,
705 fnm_flags) == FNM_NOMATCH))
707 ssl_log(s, SSL_LOG_WARN,
708 "Init: (%s) %s server certificate "
709 "wildcard CommonName (CN) `%s' "
710 "does NOT match server name!?",
711 vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
714 else if (strNE(s->server_hostname, cp)) {
715 ssl_log(s, SSL_LOG_WARN,
716 "Init: (%s) %s server certificate "
717 "CommonName (CN) `%s' "
718 "does NOT match server name!?",
719 vhost_id, (i == SSL_AIDX_RSA ? "RSA" : "DSA"),
727 * Configure server private key(s)
730 cp = apr_psprintf(p, "%s:RSA", vhost_id);
732 if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp))) {
733 ssl_log(s, SSL_LOG_TRACE,
734 "Init: (%s) Configuring RSA server private key",
738 if (!(sc->pPrivateKey[SSL_AIDX_RSA] =
739 d2i_PrivateKey(EVP_PKEY_RSA, NULL, &ptr, asn1->nData)))
741 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
742 "Init: (%s) Unable to import RSA server private key",
747 if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_RSA]) <= 0) {
748 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
749 "Init: (%s) Unable to configure RSA server private key",
757 cp = apr_psprintf(p, "%s:DSA", vhost_id);
759 if ((asn1 = ssl_asn1_table_get(mc->tPrivateKey, cp))) {
760 ssl_log(s, SSL_LOG_TRACE,
761 "Init: (%s) Configuring DSA server private key",
765 if (!(sc->pPrivateKey[SSL_AIDX_DSA] =
766 d2i_PrivateKey(EVP_PKEY_DSA, NULL, &ptr, asn1->nData)))
768 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
769 "Init: (%s) Unable to import DSA server private key",
774 if (SSL_CTX_use_PrivateKey(ctx, sc->pPrivateKey[SSL_AIDX_DSA]) <= 0) {
775 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
776 "Init: (%s) Unable to configure DSA server private key",
785 ssl_log(s, SSL_LOG_ERROR,
786 "Init: (%s) Ops, no RSA or DSA server private key found?!",
792 * Optionally copy DSA parameters for certificate from private key
793 * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html)
795 if (sc->pPublicCert[SSL_AIDX_DSA] &&
796 sc->pPrivateKey[SSL_AIDX_DSA])
798 pkey = X509_get_pubkey(sc->pPublicCert[SSL_AIDX_DSA]);
800 if (pkey && (EVP_PKEY_key_type(pkey) == EVP_PKEY_DSA) &&
801 EVP_PKEY_missing_parameters(pkey))
803 EVP_PKEY_copy_parameters(pkey,
804 sc->pPrivateKey[SSL_AIDX_DSA]);
809 * Optionally configure extra server certificate chain certificates.
810 * This is usually done by OpenSSL automatically when one of the
811 * server cert issuers are found under SSLCACertificatePath or in
812 * SSLCACertificateFile. But because these are intended for client
813 * authentication it can conflict. For instance when you use a
814 * Global ID server certificate you've to send out the intermediate
815 * CA certificate, too. When you would just configure this with
816 * SSLCACertificateFile and also use client authentication mod_ssl
817 * would accept all clients also issued by this CA. Obviously this
818 * isn't what we want in this situation. So this feature here exists
819 * to allow one to explicity configure CA certificates which are
820 * used only for the server certificate chain.
822 if (sc->szCertificateChain) {
823 BOOL skip_first = FALSE;
825 for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFile[i]; i++) {
826 if (strEQ(sc->szPublicCertFile[i], sc->szCertificateChain)) {
832 n = SSL_CTX_use_certificate_chain(ctx,
833 (char *)sc->szCertificateChain,
836 ssl_log(s, SSL_LOG_ERROR,
837 "Init: (%s) Failed to configure CA certificate chain!",
842 ssl_log(s, SSL_LOG_TRACE,
843 "Init: (%s) Configuring server certificate chain "
844 "(%d CA certificate%s)",
845 vhost_id, n, n == 1 ? "" : "s");
849 void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
856 BOOL conflict = FALSE;
859 * Give out warnings when a server has HTTPS configured
860 * for the HTTP port or vice versa
862 for (s = base_server; s; s = s->next) {
865 if (sc->bEnabled && (s->port == DEFAULT_HTTP_PORT)) {
866 ssl_log(base_server, SSL_LOG_WARN,
867 "Init: (%s) You configured HTTPS(%d) "
868 "on the standard HTTP(%d) port!",
869 ssl_util_vhostid(p, s),
870 DEFAULT_HTTPS_PORT, DEFAULT_HTTP_PORT);
873 if (!sc->bEnabled && (s->port == DEFAULT_HTTPS_PORT)) {
874 ssl_log(base_server, SSL_LOG_WARN,
875 "Init: (%s) You configured HTTP(%d) "
876 "on the standard HTTPS(%d) port!",
877 ssl_util_vhostid(p, s),
878 DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
883 * Give out warnings when more than one SSL-aware virtual server uses the
884 * same IP:port. This doesn't work because mod_ssl then will always use
885 * just the certificate/keys of one virtual host (which one cannot be said
886 * easily - but that doesn't matter here).
888 apr_pool_create(&subpool, p);
889 table = ssl_ds_table_make(subpool, sizeof(server_rec *));
891 for (s = base_server; s; s = s->next) {
898 key = apr_psprintf(subpool, "%pA:%u",
899 &s->addrs->host_addr, s->addrs->host_port);
901 if ((ps = ssl_ds_table_get(table, key))) {
902 ssl_log(base_server, SSL_LOG_WARN,
903 "Init: SSL server IP/port conflict: "
904 "%s (%s:%d) vs. %s (%s:%d)",
905 ssl_util_vhostid(p, s),
906 (s->defn_name ? s->defn_name : "unknown"),
908 ssl_util_vhostid(p, *ps),
909 ((*ps)->defn_name ? (*ps)->defn_name : "unknown"),
910 (*ps)->defn_line_number);
915 ps = ssl_ds_table_push(table, key);
919 ssl_ds_table_kill(table);
920 /* XXX - It was giving some problem earlier - check it out - TBD */
921 apr_pool_destroy(subpool);
924 ssl_log(base_server, SSL_LOG_WARN,
925 "Init: You should not use name-based "
926 "virtual hosts in conjunction with SSL!!");
930 static int ssl_init_FindCAList_X509NameCmp(X509_NAME **a, X509_NAME **b)
932 return(X509_NAME_cmp(*a, *b));
935 static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
936 server_rec *s, const char *file)
939 STACK_OF(X509_NAME) *sk;
941 sk = (STACK_OF(X509_NAME) *)SSL_load_client_CA_file(file);
947 for (n = 0; n < sk_X509_NAME_num(sk); n++) {
949 X509_NAME *name = sk_X509_NAME_value(sk, n);
951 ssl_log(s, SSL_LOG_TRACE,
952 "CA certificate: %s",
953 X509_NAME_oneline(name, name_buf, sizeof(name_buf)));
956 * note that SSL_load_client_CA_file() checks for duplicates,
957 * but since we call it multiple times when reading a directory
958 * we must also check for duplicates ourselves.
961 if (sk_X509_NAME_find(ca_list, name) < 0) {
962 /* this will be freed when ca_list is */
963 sk_X509_NAME_push(ca_list, name);
966 /* need to free this ourselves, else it will leak */
967 X509_NAME_free(name);
971 sk_X509_NAME_free(sk);
974 STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
979 STACK_OF(X509_NAME) *ca_list;
983 * Use a subpool so we don't bloat up the server pool which
984 * is remains in memory for the complete operation time of
987 apr_pool_sub_make(&subpool, p, NULL);
990 * Start with a empty stack/list where new
991 * entries get added in sorted order.
993 ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
996 * Process CA certificate bundle file
999 ssl_init_PushCAList(ca_list, s, ca_file);
1003 * Process CA certificate path files
1007 apr_finfo_t direntry;
1008 apr_int32_t finfo_flags = APR_FINFO_MIN|APR_FINFO_NAME;
1010 if (apr_dir_open(&dir, ca_path, subpool) != APR_SUCCESS) {
1011 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
1012 "Init: Failed to open SSLCACertificatePath `%s'",
1017 while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
1019 if (direntry.filetype == APR_DIR) {
1020 continue; /* don't try to load directories */
1022 file = apr_pstrcat(subpool, ca_path, "/", direntry.name, NULL);
1023 ssl_init_PushCAList(ca_list, s, file);
1032 sk_X509_NAME_set_cmp_func(ca_list, NULL);
1033 apr_pool_destroy(subpool);
1038 void ssl_init_Child(apr_pool_t *p, server_rec *s)
1040 SSLModConfigRec *mc = myModConfig(s);
1041 mc->pid = getpid(); /* only call getpid() once per-process */
1043 /* XXX: there should be an ap_srand() function */
1044 srand((unsigned int)time(NULL));
1046 /* open the mutex lockfile */
1047 ssl_mutex_reinit(s, p);
1050 #define MODSSL_CFG_ITEM_FREE(func, item) \
1056 apr_status_t ssl_init_ModuleKill(void *data)
1058 SSLSrvConfigRec *sc;
1059 server_rec *base_server = (server_rec *)data;
1063 * Drop the session cache and mutex
1065 ssl_scache_kill(base_server);
1068 * Destroy the temporary keys and params
1070 ssl_init_TmpKeysHandle(SSL_TKP_FREE, base_server, NULL);
1073 * Free the non-pool allocated structures
1074 * in the per-server configurations
1076 for (s = base_server; s; s = s->next) {
1078 sc = mySrvConfig(s);
1080 for (i=0; i < SSL_AIDX_MAX; i++) {
1081 MODSSL_CFG_ITEM_FREE(X509_free,
1082 sc->pPublicCert[i]);
1084 MODSSL_CFG_ITEM_FREE(EVP_PKEY_free,
1085 sc->pPrivateKey[i]);
1088 MODSSL_CFG_ITEM_FREE(X509_STORE_free,
1089 sc->pRevocationStore);
1091 MODSSL_CFG_ITEM_FREE(SSL_CTX_free,
1096 * Try to kill the internals of the SSL library.
1099 ERR_remove_state(0);
projects / apache / blob