1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * _ __ ___ ___ __| | ___ ___| | mod_ssl
19 * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
20 * | | | | | | (_) | (_| | \__ \__ \ |
21 * |_| |_| |_|\___/ \__,_|___|___/___/_|
24 * The SSL engine kernel
26 /* ``It took me fifteen years to discover
27 I had no talent for programming, but
28 I couldn't give it up because by that
29 time I was too famous.''
31 #include "ssl_private.h"
35 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
37 static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
40 #define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
41 #define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
42 #define CONNECTION_HEADER "Connection: Upgrade"
44 /* Perform an upgrade-to-TLS for the given request, per RFC 2817. */
45 static apr_status_t upgrade_connection(request_rec *r)
47 struct conn_rec *conn = r->connection;
48 apr_bucket_brigade *bb;
53 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028)
54 "upgrading connection to TLS");
56 bb = apr_brigade_create(r->pool, conn->bucket_alloc);
58 rv = ap_fputstrs(conn->output_filters, bb, SWITCH_STATUS_LINE, CRLF,
59 UPGRADE_HEADER, CRLF, CONNECTION_HEADER, CRLF, CRLF, NULL);
60 if (rv == APR_SUCCESS) {
61 APR_BRIGADE_INSERT_TAIL(bb,
62 apr_bucket_flush_create(conn->bucket_alloc));
63 rv = ap_pass_brigade(conn->output_filters, bb);
67 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029)
68 "failed to send 101 interim response for connection "
73 ssl_init_ssl_connection(conn, r);
75 sslconn = myConnConfig(conn);
78 /* Perform initial SSL handshake. */
79 SSL_set_accept_state(ssl);
80 SSL_do_handshake(ssl);
82 if (SSL_get_state(ssl) != SSL_ST_OK) {
83 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
84 "TLS upgrade handshake failed: not accepted by client!?");
86 return APR_ECONNABORTED;
92 /* Perform a speculative (and non-blocking) read from the connection
93 * filters for the given request, to determine whether there is any
94 * pending data to read. Return non-zero if there is, else zero. */
95 static int has_buffered_data(request_rec *r)
97 apr_bucket_brigade *bb;
102 bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
104 rv = ap_get_brigade(r->connection->input_filters, bb, AP_MODE_SPECULATIVE,
105 APR_NONBLOCK_READ, 1);
106 result = rv == APR_SUCCESS
107 && apr_brigade_length(bb, 1, &len) == APR_SUCCESS
110 apr_brigade_destroy(bb);
116 * Post Read Request Handler
118 int ssl_hook_ReadReq(request_rec *r)
120 SSLSrvConfigRec *sc = mySrvConfig(r->server);
124 const char *servername;
128 /* Perform TLS upgrade here if "SSLEngine optional" is configured,
129 * SSL is not already set up for this connection, and the client
130 * has sent a suitable Upgrade header. */
131 if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection)
132 && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL
133 && ap_find_token(r->pool, upgrade, "TLS/1.0")) {
134 if (upgrade_connection(r)) {
135 return HTTP_INTERNAL_SERVER_ERROR;
139 sslconn = myConnConfig(r->connection);
144 if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
145 apr_table_setn(r->notes, "error-notes",
146 "Reason: You're speaking plain HTTP to an SSL-enabled "
147 "server port.<br />\n Instead use the HTTPS scheme to "
148 "access this URL, please.<br />\n");
150 /* Now that we have caught this error, forget it. we are done
151 * with using SSL on this request.
153 sslconn->non_ssl_request = NON_SSL_OK;
155 return HTTP_BAD_REQUEST;
159 * Get the SSL connection structure and perform the
160 * delayed interlinking from SSL back to request_rec
167 if (r->proxyreq != PROXYREQ_PROXY) {
168 if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
169 char *host, *scope_id;
174 * The SNI extension supplied a hostname. So don't accept requests
175 * with either no hostname or a different hostname as this could
176 * cause us to end up in a different virtual host as the one that
177 * was used for the handshake causing different SSL parameters to
178 * be applied as SSLProtocol, SSLCACertificateFile/Path and
179 * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due
180 * to current limitations in OpenSSL, see
181 * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E
183 * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E
187 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02031)
188 "Hostname %s provided via SNI, but no hostname"
189 " provided in HTTP request", servername);
190 return HTTP_BAD_REQUEST;
192 rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
193 if (rv != APR_SUCCESS || scope_id) {
194 return HTTP_BAD_REQUEST;
196 if (strcasecmp(host, servername)) {
197 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
198 "Hostname %s provided via SNI and hostname %s provided"
199 " via HTTP are different", servername, host);
200 return HTTP_BAD_REQUEST;
203 else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
204 || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
206 && r->connection->vhost_lookup_data) {
208 * We are using a name based configuration here, but no hostname was
209 * provided via SNI. Don't allow that if are requested to do strict
210 * checking. Check whether this strict checking was set up either in the
211 * server config we used for handshaking or in our current server.
212 * This should avoid insecure configuration by accident.
214 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02033)
215 "No hostname was provided via SNI for a name based"
217 return HTTP_FORBIDDEN;
221 SSL_set_app_data2(ssl, r);
224 * Log information about incoming HTTPS requests
226 if (APLOGrinfo(r) && ap_is_initial_req(r)) {
227 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02034)
228 "%s HTTPS request received for child %ld (server %s)",
229 (r->connection->keepalives <= 0 ?
231 apr_psprintf(r->pool, "Subsequent (No.%d)",
232 r->connection->keepalives+1)),
234 ssl_util_vhostid(r->pool, r->server));
237 /* SetEnvIf ssl-*-shutdown flags can only be per-server,
238 * so they won't change across keepalive requests
240 if (sslconn->shutdown_type == SSL_SHUTDOWN_TYPE_UNSET) {
241 ssl_configure_env(r, sslconn);
248 * Move SetEnvIf information from request_rec to conn_rec/BUFF
249 * to allow the close connection handler to use them.
252 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn)
255 const apr_array_header_t *arr = apr_table_elts(r->subprocess_env);
256 const apr_table_entry_t *elts = (const apr_table_entry_t *)arr->elts;
258 sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_STANDARD;
260 for (i = 0; i < arr->nelts; i++) {
261 const char *key = elts[i].key;
265 /* being case-sensitive here.
266 * and not checking for the -shutdown since these are the only
267 * SetEnvIf "flags" we support
269 if (!strncmp(key+1, "sl-", 3)) {
271 if (!strncmp(key, "unclean", 7)) {
272 sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN;
274 else if (!strncmp(key, "accurate", 8)) {
275 sslconn->shutdown_type = SSL_SHUTDOWN_TYPE_ACCURATE;
277 return; /* should only ever be one ssl-*-shutdown */
287 int ssl_hook_Access(request_rec *r)
289 SSLDirConfigRec *dc = myDirConfig(r);
290 SSLSrvConfigRec *sc = mySrvConfig(r->server);
291 SSLConnRec *sslconn = myConnConfig(r->connection);
292 SSL *ssl = sslconn ? sslconn->ssl : NULL;
293 server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
295 apr_array_header_t *requires;
296 ssl_require_t *ssl_requires;
298 BOOL renegotiate = FALSE, renegotiate_quick = FALSE;
301 X509_STORE *cert_store = NULL;
302 X509_STORE_CTX cert_store_ctx;
303 STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL;
304 const SSL_CIPHER *cipher = NULL;
305 int depth, verify_old, verify, n;
308 ctx = SSL_get_SSL_CTX(ssl);
312 * Support for SSLRequireSSL directive
314 if (dc->bSSLRequired && !ssl) {
315 if (sc->enabled == SSL_ENABLED_OPTIONAL) {
316 /* This vhost was configured for optional SSL, just tell the
317 * client that we need to upgrade.
319 apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
320 apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
322 return HTTP_UPGRADE_REQUIRED;
325 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
326 "access to %s failed, reason: %s",
327 r->filename, "SSL connection required");
329 /* remember forbidden access for strict require option */
330 apr_table_setn(r->notes, "ssl-access-forbidden", "1");
332 return HTTP_FORBIDDEN;
336 * Check to see whether SSL is in use; if it's not, then no
337 * further access control checks are relevant. (the test for
338 * sc->enabled is probably strictly unnecessary)
340 if (sc->enabled == SSL_ENABLED_FALSE || !ssl) {
346 * Support for per-directory reconfigured SSL connection parameters
348 * We do not force any renegotiation if the user is already authenticated
352 if (SSL_get_srp_username(ssl)) {
358 * Support for per-directory reconfigured SSL connection parameters.
360 * This is implemented by forcing an SSL renegotiation with the
361 * reconfigured parameter suite. But Apache's internal API processing
362 * makes our life very hard here, because when internal sub-requests occur
363 * we nevertheless should avoid multiple unnecessary SSL handshakes (they
364 * require extra network I/O and especially time to perform).
366 * But the optimization for filtering out the unnecessary handshakes isn't
367 * obvious and trivial. Especially because while Apache is in its
368 * sub-request processing the client could force additional handshakes,
369 * too. And these take place perhaps without our notice. So the only
370 * possibility is to explicitly _ask_ OpenSSL whether the renegotiation
371 * has to be performed or not. It has to performed when some parameters
372 * which were previously known (by us) are not those we've now
373 * reconfigured (as known by OpenSSL) or (in optimized way) at least when
374 * the reconfigured parameter suite is stronger (more restrictions) than
375 * the currently active one.
379 * Override of SSLCipherSuite
381 * We provide two options here:
383 * o The paranoid and default approach where we force a renegotiation when
384 * the cipher suite changed in _any_ way (which is straight-forward but
385 * often forces renegotiations too often and is perhaps not what the
386 * user actually wanted).
388 * o The optimized and still secure way where we force a renegotiation
389 * only if the currently active cipher is no longer contained in the
390 * reconfigured/new cipher suite. Any other changes are not important
391 * because it's the servers choice to select a cipher from the ones the
392 * client supports. So as long as the current cipher is still in the new
393 * cipher suite we're happy. Because we can assume we would have
394 * selected it again even when other (better) ciphers exists now in the
395 * new cipher suite. This approach is fine because the user explicitly
396 * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
397 * implicit optimizations.
399 if (dc->szCipherSuite || (r->server != handshakeserver)) {
400 /* remember old state */
402 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
403 cipher = SSL_get_current_cipher(ssl);
406 cipher_list_old = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
408 if (cipher_list_old) {
409 cipher_list_old = sk_SSL_CIPHER_dup(cipher_list_old);
413 /* configure new state */
414 if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
415 !SSL_set_cipher_list(ssl, dc->szCipherSuite ?
417 sc->server->auth.cipher_suite)) {
418 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02253)
419 "Unable to reconfigure (per-directory) "
420 "permitted SSL ciphers");
421 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
423 if (cipher_list_old) {
424 sk_SSL_CIPHER_free(cipher_list_old);
427 return HTTP_FORBIDDEN;
430 /* determine whether a renegotiation has to be forced */
431 cipher_list = (STACK_OF(SSL_CIPHER) *)SSL_get_ciphers(ssl);
433 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
435 if ((!cipher && cipher_list) ||
436 (cipher && !cipher_list))
440 else if (cipher && cipher_list &&
441 (sk_SSL_CIPHER_find(cipher_list, cipher) < 0))
448 if ((!cipher_list_old && cipher_list) ||
449 (cipher_list_old && !cipher_list))
453 else if (cipher_list_old && cipher_list) {
455 !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list));
458 SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list, n);
460 if (sk_SSL_CIPHER_find(cipher_list_old, value) < 0) {
466 !renegotiate && (n < sk_SSL_CIPHER_num(cipher_list_old));
469 SSL_CIPHER *value = sk_SSL_CIPHER_value(cipher_list_old, n);
471 if (sk_SSL_CIPHER_find(cipher_list, value) < 0) {
479 if (cipher_list_old) {
480 sk_SSL_CIPHER_free(cipher_list_old);
484 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
485 if (sc->cipher_server_pref == TRUE) {
486 SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
490 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02220)
491 "Reconfigured cipher suite will force renegotiation");
496 * override of SSLVerifyDepth
498 * The depth checks are handled by us manually inside the verify callback
499 * function and not by OpenSSL internally (and our function is aware of
500 * both the per-server and per-directory contexts). So we cannot ask
501 * OpenSSL about the currently verify depth. Instead we remember it in our
502 * SSLConnRec attached to the SSL* of OpenSSL. We've to force the
503 * renegotiation if the reconfigured/new verify depth is less than the
504 * currently active/remembered verify depth (because this means more
505 * restriction on the certificate chain).
507 n = (sslconn->verify_depth != UNSET) ?
508 sslconn->verify_depth :
509 (mySrvConfig(handshakeserver))->server->auth.verify_depth;
510 /* determine the new depth */
511 sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
512 dc->nVerifyDepth : sc->server->auth.verify_depth;
513 if (sslconn->verify_depth < n) {
515 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02254)
516 "Reduced client verification depth will force "
521 * override of SSLVerifyClient
523 * We force a renegotiation if the reconfigured/new verify type is
524 * stronger than the currently active verify type.
526 * The order is: none << optional_no_ca << optional << require
528 * Additionally the following optimization is possible here: When the
529 * currently active verify type is "none" but a client certificate is
530 * already known/present, it's enough to manually force a client
531 * verification but at least skip the I/O-intensive renegotiation
534 if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
535 (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
536 /* remember old state */
537 verify_old = SSL_get_verify_mode(ssl);
538 /* configure new state */
539 verify = SSL_VERIFY_NONE;
541 if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
542 (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
543 verify |= SSL_VERIFY_PEER_STRICT;
546 if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
547 (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
548 (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
549 (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
551 verify |= SSL_VERIFY_PEER;
554 SSL_set_verify(ssl, verify, ssl_callback_SSLVerify);
555 SSL_set_verify_result(ssl, X509_V_OK);
557 /* determine whether we've to force a renegotiation */
558 if (!renegotiate && verify != verify_old) {
559 if (((verify_old == SSL_VERIFY_NONE) &&
560 (verify != SSL_VERIFY_NONE)) ||
562 (!(verify_old & SSL_VERIFY_PEER) &&
563 (verify & SSL_VERIFY_PEER)) ||
565 (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
566 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
571 if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
572 (verify_old == SSL_VERIFY_NONE) &&
573 ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
575 renegotiate_quick = TRUE;
579 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02255)
580 "Changed client verification type will force "
582 renegotiate_quick ? "quick " : "");
585 /* If we're handling a request for a vhost other than the default one,
586 * then we need to make sure that client authentication is properly
587 * enforced. For clients supplying an SNI extension, the peer
588 * certificate verification has happened in the handshake already
589 * (and r->server == handshakeserver). For non-SNI requests,
590 * an additional check is needed here. If client authentication
591 * is configured as mandatory, then we can only proceed if the
592 * CA list doesn't have to be changed (OpenSSL doesn't provide
593 * an option to change the list for an existing session).
595 if ((r->server != handshakeserver)
597 && ((verify & SSL_VERIFY_PEER) ||
598 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
599 SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
601 #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
602 (sc1->server->auth.f && \
603 (!sc2->server->auth.f || \
604 strNE(sc1->server->auth.f, sc2->server->auth.f)))
606 if (MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||
607 MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) {
608 if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
609 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02256)
610 "Non-default virtual host with SSLVerify set to "
611 "'require' and VirtualHost-specific CA certificate "
612 "list is only available to clients with TLS server "
613 "name indication (SNI) support");
614 SSL_set_verify(ssl, verify_old, NULL);
615 return HTTP_FORBIDDEN;
617 /* let it pass, possibly with an "incorrect" peer cert,
618 * so make sure the SSL_CLIENT_VERIFY environment variable
619 * will indicate partial success only, later on.
621 sslconn->verify_info = "GENEROUS";
626 /* If a renegotiation is now required for this location, and the
627 * request includes a message body (and the client has not
628 * requested a "100 Continue" response), then the client will be
629 * streaming the request body over the wire already. In that
630 * case, it is not possible to stop and perform a new SSL
631 * handshake immediately; once the SSL library moves to the
632 * "accept" state, it will reject the SSL packets which the client
633 * is sending for the request body.
635 * To allow authentication to complete in this auth hook, the
636 * solution used here is to fill a (bounded) buffer with the
637 * request body, and then to reinject that request body later.
639 if (renegotiate && !renegotiate_quick
640 && (apr_table_get(r->headers_in, "transfer-encoding")
641 || (apr_table_get(r->headers_in, "content-length")
642 && strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
643 && !r->expecting_100) {
647 rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
648 dc->nRenegBufferSize;
650 /* Fill the I/O buffer with the request body if possible. */
651 rv = ssl_io_buffer_fill(r, rsize);
654 /* If the reneg buffer size is set to zero, just fail. */
655 rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
659 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257)
660 "could not buffer message body to allow "
661 "SSL renegotiation to proceed");
667 * now do the renegotiation if anything was actually reconfigured
671 * Now we force the SSL renegotiation by sending the Hello Request
672 * message to the client. Here we have to do a workaround: Actually
673 * OpenSSL returns immediately after sending the Hello Request (the
674 * intent AFAIK is because the SSL/TLS protocol says it's not a must
675 * that the client replies to a Hello Request). But because we insist
676 * on a reply (anything else is an error for us) we have to go to the
677 * ACCEPT state manually. Using SSL_set_accept_state() doesn't work
678 * here because it resets too much of the connection. So we set the
679 * state explicitly and continue the handshake manually.
681 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02221)
682 "Requesting connection re-negotiation");
684 if (renegotiate_quick) {
685 STACK_OF(X509) *cert_stack;
687 /* perform just a manual re-verification of the peer */
688 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02258)
689 "Performing quick renegotiation: "
690 "just re-verifying the peer");
692 cert_stack = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl);
694 cert = SSL_get_peer_certificate(ssl);
696 if (!cert_stack && cert) {
697 /* client cert is in the session cache, but there is
698 * no chain, since ssl3_get_client_certificate()
699 * sk_X509_shift-ed the peer cert out of the chain.
700 * we put it back here for the purpose of quick_renegotiation.
702 cert_stack = sk_X509_new_null();
703 sk_X509_push(cert_stack, cert);
706 if (!cert_stack || (sk_X509_num(cert_stack) == 0)) {
707 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02222)
708 "Cannot find peer certificate chain");
710 return HTTP_FORBIDDEN;
714 (cert_store = SSL_CTX_get_cert_store(ctx))))
716 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02223)
717 "Cannot find certificate storage");
719 return HTTP_FORBIDDEN;
723 cert = sk_X509_value(cert_stack, 0);
726 X509_STORE_CTX_init(&cert_store_ctx, cert_store, cert, cert_stack);
727 depth = SSL_get_verify_depth(ssl);
730 X509_STORE_CTX_set_depth(&cert_store_ctx, depth);
733 X509_STORE_CTX_set_ex_data(&cert_store_ctx,
734 SSL_get_ex_data_X509_STORE_CTX_idx(),
737 if (!X509_verify_cert(&cert_store_ctx)) {
738 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02224)
739 "Re-negotiation verification step failed");
740 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
743 SSL_set_verify_result(ssl, cert_store_ctx.error);
744 X509_STORE_CTX_cleanup(&cert_store_ctx);
746 if (cert_stack != SSL_get_peer_cert_chain(ssl)) {
747 /* we created this ourselves, so free it */
748 sk_X509_pop_free(cert_stack, X509_free);
752 const char *reneg_support;
753 request_rec *id = r->main ? r->main : r;
755 /* Additional mitigation for CVE-2009-3555: At this point,
756 * before renegotiating, an (entire) request has been read
757 * from the connection. An attacker may have sent further
758 * data to "prefix" any subsequent request by the victim's
759 * client after the renegotiation; this data may already
760 * have been read and buffered. Forcing a connection
761 * closure after the response ensures such data will be
762 * discarded. Legimately pipelined HTTP requests will be
763 * retried anyway with this approach. */
764 if (has_buffered_data(r)) {
765 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02259)
766 "insecure SSL re-negotiation required, but "
767 "a pipelined request is present; keepalive "
769 r->connection->keepalive = AP_CONN_CLOSE;
772 #if defined(SSL_get_secure_renegotiation_support)
773 reneg_support = SSL_get_secure_renegotiation_support(ssl) ?
774 "client does" : "client does not";
776 reneg_support = "server does not";
778 /* Perform a full renegotiation. */
779 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02260)
780 "Performing full renegotiation: complete handshake "
781 "protocol (%s support secure renegotiation)",
784 SSL_set_session_id_context(ssl,
785 (unsigned char *)&id,
788 /* Toggle the renegotiation state to allow the new
789 * handshake to proceed. */
790 sslconn->reneg_state = RENEG_ALLOW;
792 SSL_renegotiate(ssl);
793 SSL_do_handshake(ssl);
795 if (SSL_get_state(ssl) != SSL_ST_OK) {
796 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
797 "Re-negotiation request failed");
798 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
800 r->connection->keepalive = AP_CONN_CLOSE;
801 return HTTP_FORBIDDEN;
804 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02226)
805 "Awaiting re-negotiation handshake");
807 /* XXX: Should replace setting state with SSL_renegotiate(ssl);
808 * However, this causes failures in perl-framework currently,
809 * perhaps pre-test if we have already negotiated?
811 #ifdef OPENSSL_NO_SSL_INTERN
812 SSL_set_state(ssl, SSL_ST_ACCEPT);
814 ssl->state = SSL_ST_ACCEPT;
816 SSL_do_handshake(ssl);
818 sslconn->reneg_state = RENEG_REJECT;
820 if (SSL_get_state(ssl) != SSL_ST_OK) {
821 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
822 "Re-negotiation handshake failed: "
823 "Not accepted by client!?");
825 r->connection->keepalive = AP_CONN_CLOSE;
826 return HTTP_FORBIDDEN;
831 * Remember the peer certificate's DN
833 if ((cert = SSL_get_peer_certificate(ssl))) {
834 if (sslconn->client_cert) {
835 X509_free(sslconn->client_cert);
837 sslconn->client_cert = cert;
838 sslconn->client_dn = NULL;
842 * Finally check for acceptable renegotiation results
844 if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
845 (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
846 BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
847 (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
849 if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
850 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02262)
851 "Re-negotiation handshake failed: "
852 "Client verification failed");
854 return HTTP_FORBIDDEN;
858 if ((peercert = SSL_get_peer_certificate(ssl)) == NULL) {
859 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02263)
860 "Re-negotiation handshake failed: "
861 "Client certificate missing");
863 return HTTP_FORBIDDEN;
871 * Also check that SSLCipherSuite has been enforced as expected.
874 cipher = SSL_get_current_cipher(ssl);
875 if (sk_SSL_CIPHER_find(cipher_list, cipher) < 0) {
876 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02264)
877 "SSL cipher suite not renegotiated: "
878 "access to %s denied using cipher %s",
880 SSL_CIPHER_get_name(cipher));
881 return HTTP_FORBIDDEN;
886 /* If we're trying to have the user name set from a client
887 * certificate then we need to set it here. This should be safe as
888 * the user name probably isn't important from an auth checking point
889 * of view as the certificate supplied acts in that capacity.
890 * However, if FakeAuth is being used then this isn't the case so
891 * we need to postpone setting the username until later.
893 if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 0 && dc->szUserName) {
894 char *val = ssl_var_lookup(r->pool, r->server, r->connection,
895 r, (char *)dc->szUserName);
899 ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02227)
900 "Failed to set r->user to '%s'", dc->szUserName);
904 * Check SSLRequire boolean expressions
906 requires = dc->aRequirement;
907 ssl_requires = (ssl_require_t *)requires->elts;
909 for (i = 0; i < requires->nelts; i++) {
910 ssl_require_t *req = &ssl_requires[i];
911 const char *errstring;
912 ok = ap_expr_exec(r, req->mpExpr, &errstring);
915 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02265)
916 "access to %s failed, reason: Failed to execute "
917 "SSL requirement expression: %s",
918 r->filename, errstring);
920 /* remember forbidden access for strict require option */
921 apr_table_setn(r->notes, "ssl-access-forbidden", "1");
923 return HTTP_FORBIDDEN;
927 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02266)
928 "Access to %s denied for %s "
929 "(requirement expression not fulfilled)",
930 r->filename, r->useragent_ip);
932 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02228)
933 "Failed expression: %s", req->cpExpr);
935 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02229)
936 "access to %s failed, reason: %s",
938 "SSL requirement expression not fulfilled");
940 /* remember forbidden access for strict require option */
941 apr_table_setn(r->notes, "ssl-access-forbidden", "1");
943 return HTTP_FORBIDDEN;
948 * Else access is granted from our point of view (except vendor
949 * handlers override). But we have to return DECLINED here instead
950 * of OK, because mod_auth and other modules still might want to
958 * Authentication Handler:
959 * Fake a Basic authentication from the X509 client certificate.
961 * This must be run fairly early on to prevent a real authentication from
962 * occuring, in particular it must be run before anything else that
963 * authenticates a user. This means that the Module statement for this
964 * module should be LAST in the Configuration file.
966 int ssl_hook_UserCheck(request_rec *r)
968 SSLConnRec *sslconn = myConnConfig(r->connection);
969 SSLSrvConfigRec *sc = mySrvConfig(r->server);
970 SSLDirConfigRec *dc = myDirConfig(r);
972 const char *auth_line, *username, *password;
975 * Additionally forbid access (again)
976 * when strict require option is used.
978 if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) &&
979 (apr_table_get(r->notes, "ssl-access-forbidden")))
981 return HTTP_FORBIDDEN;
985 * We decline when we are in a subrequest. The Authorization header
986 * would already be present if it was added in the main request.
988 if (!ap_is_initial_req(r)) {
993 * Make sure the user is not able to fake the client certificate
994 * based authentication by just entering an X.509 Subject DN
995 * ("/XX=YYY/XX=YYY/..") as the username and "password" as the
998 if ((auth_line = apr_table_get(r->headers_in, "Authorization"))) {
999 if (strcEQ(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
1000 while ((*auth_line == ' ') || (*auth_line == '\t')) {
1004 auth_line = ap_pbase64decode(r->pool, auth_line);
1005 username = ap_getword_nulls(r->pool, &auth_line, ':');
1006 password = auth_line;
1008 if ((username[0] == '/') && strEQ(password, "password")) {
1009 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02035)
1010 "Encountered FakeBasicAuth spoof: %s", username);
1011 return HTTP_FORBIDDEN;
1017 * We decline operation in various situations...
1018 * - SSLOptions +FakeBasicAuth not configured
1019 * - r->user already authenticated
1021 * - client did not present a certificate
1023 if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
1024 && sslconn && sslconn->ssl && sslconn->client_cert) ||
1025 !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
1030 if (!sslconn->client_dn) {
1031 X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
1032 char *cp = X509_NAME_oneline(name, NULL, 0);
1033 sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
1037 /* use SSLUserName if defined, otherwise use the full client DN */
1038 if (dc->szUserName) {
1039 user = ssl_var_lookup(r->pool, r->server, r->connection,
1040 r, (char *)dc->szUserName);
1041 if (!user || !user[0]) {
1043 APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName);
1048 user = (char *)sslconn->client_dn;
1052 * Fake a password - which one would be immaterial, as, it seems, an empty
1053 * password in the users file would match ALL incoming passwords, if only
1054 * we were using the standard crypt library routine. Unfortunately, OpenSSL
1055 * "fixes" a "bug" in crypt and thus prevents blank passwords from
1056 * working. (IMHO what they really fix is a bug in the users of the code
1057 * - failing to program correctly for shadow passwords). We need,
1058 * therefore, to provide a password. This password can be matched by
1059 * adding the string "xxj31ZMTZzkVA" as the password in the user file.
1060 * This is just the crypted variant of the word "password" ;-)
1062 auth_line = apr_pstrcat(r->pool, "Basic ",
1063 ap_pbase64encode(r->pool,
1064 apr_pstrcat(r->pool, user,
1065 ":password", NULL)),
1067 apr_table_setn(r->headers_in, "Authorization", auth_line);
1069 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02036)
1070 "Faking HTTP Basic Auth header: \"Authorization: %s\"",
1076 /* authorization phase */
1077 int ssl_hook_Auth(request_rec *r)
1079 SSLDirConfigRec *dc = myDirConfig(r);
1082 * Additionally forbid access (again)
1083 * when strict require option is used.
1085 if ((dc->nOptions & SSL_OPT_STRICTREQUIRE) &&
1086 (apr_table_get(r->notes, "ssl-access-forbidden")))
1088 return HTTP_FORBIDDEN;
1098 static const char *ssl_hook_Fixup_vars[] = {
1099 "SSL_VERSION_INTERFACE",
1100 "SSL_VERSION_LIBRARY",
1103 "SSL_COMPRESS_METHOD",
1105 "SSL_CIPHER_EXPORT",
1106 "SSL_CIPHER_USEKEYSIZE",
1107 "SSL_CIPHER_ALGKEYSIZE",
1108 "SSL_CLIENT_VERIFY",
1109 "SSL_CLIENT_M_VERSION",
1110 "SSL_CLIENT_M_SERIAL",
1111 "SSL_CLIENT_V_START",
1113 "SSL_CLIENT_V_REMAIN",
1118 "SSL_SERVER_M_VERSION",
1119 "SSL_SERVER_M_SERIAL",
1120 "SSL_SERVER_V_START",
1127 "SSL_SESSION_RESUMED",
1135 int ssl_hook_Fixup(request_rec *r)
1137 SSLConnRec *sslconn = myConnConfig(r->connection);
1138 SSLSrvConfigRec *sc = mySrvConfig(r->server);
1139 SSLDirConfigRec *dc = myDirConfig(r);
1140 apr_table_t *env = r->subprocess_env;
1141 char *var, *val = "";
1143 const char *servername;
1145 STACK_OF(X509) *peer_certs;
1149 /* If "SSLEngine optional" is configured, this is not an SSL
1150 * connection, and this isn't a subrequest, send an Upgrade
1151 * response header. */
1152 if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
1154 apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
1155 apr_table_mergen(r->headers_out, "Connection", "upgrade");
1159 * Check to see if SSL is on
1161 if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
1166 * Annotate the SSI/CGI environment with standard SSL information
1168 /* the always present HTTPS (=HTTP over SSL) flag! */
1169 apr_table_setn(env, "HTTPS", "on");
1172 /* add content of SNI TLS extension (if supplied with ClientHello) */
1173 if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
1174 apr_table_set(env, "SSL_TLS_SNI", servername);
1178 /* standard SSL environment variables */
1179 if (dc->nOptions & SSL_OPT_STDENVVARS) {
1180 modssl_var_extract_dns(env, sslconn->ssl, r->pool);
1182 for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
1183 var = (char *)ssl_hook_Fixup_vars[i];
1184 val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
1185 if (!strIsEmpty(val)) {
1186 apr_table_setn(env, var, val);
1192 * On-demand bloat up the SSI/CGI environment with certificate data
1194 if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
1195 val = ssl_var_lookup(r->pool, r->server, r->connection,
1196 r, "SSL_SERVER_CERT");
1198 apr_table_setn(env, "SSL_SERVER_CERT", val);
1200 val = ssl_var_lookup(r->pool, r->server, r->connection,
1201 r, "SSL_CLIENT_CERT");
1203 apr_table_setn(env, "SSL_CLIENT_CERT", val);
1205 if ((peer_certs = (STACK_OF(X509) *)SSL_get_peer_cert_chain(ssl))) {
1206 for (i = 0; i < sk_X509_num(peer_certs); i++) {
1207 var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
1208 val = ssl_var_lookup(r->pool, r->server, r->connection,
1211 apr_table_setn(env, var, val);
1218 #ifdef SSL_get_secure_renegotiation_support
1219 apr_table_setn(r->notes, "ssl-secure-reneg",
1220 SSL_get_secure_renegotiation_support(ssl) ? "1" : "0");
1226 /* _________________________________________________________________
1228 ** Authz providers for use with mod_authz_core
1229 ** _________________________________________________________________
1232 static authz_status ssl_authz_require_ssl_check(request_rec *r,
1233 const char *require_line,
1236 SSLConnRec *sslconn = myConnConfig(r->connection);
1237 SSL *ssl = sslconn ? sslconn->ssl : NULL;
1240 return AUTHZ_GRANTED;
1242 return AUTHZ_DENIED;
1245 static const char *ssl_authz_require_ssl_parse(cmd_parms *cmd,
1246 const char *require_line,
1247 const void **parsed)
1249 if (require_line && require_line[0])
1250 return "'Require ssl' does not take arguments";
1255 const authz_provider ssl_authz_provider_require_ssl =
1257 &ssl_authz_require_ssl_check,
1258 &ssl_authz_require_ssl_parse,
1261 static authz_status ssl_authz_verify_client_check(request_rec *r,
1262 const char *require_line,
1265 SSLConnRec *sslconn = myConnConfig(r->connection);
1266 SSL *ssl = sslconn ? sslconn->ssl : NULL;
1269 return AUTHZ_DENIED;
1271 if (sslconn->verify_error == NULL &&
1272 sslconn->verify_info == NULL &&
1273 SSL_get_verify_result(ssl) == X509_V_OK)
1275 X509 *xs = SSL_get_peer_certificate(ssl);
1279 return AUTHZ_GRANTED;
1286 return AUTHZ_DENIED;
1289 static const char *ssl_authz_verify_client_parse(cmd_parms *cmd,
1290 const char *require_line,
1291 const void **parsed)
1293 if (require_line && require_line[0])
1294 return "'Require ssl-verify-client' does not take arguments";
1299 const authz_provider ssl_authz_provider_verify_client =
1301 &ssl_authz_verify_client_check,
1302 &ssl_authz_verify_client_parse,
1307 /* _________________________________________________________________
1309 ** OpenSSL Callback Functions
1310 ** _________________________________________________________________
1314 * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
1315 * (get_rfc*) for all available primes.
1317 #define make_get_dh(rfc,size,gen) \
1318 static DH *get_dh##size(void) \
1321 if (!(dh = DH_new())) { \
1324 dh->p = get_##rfc##_prime_##size(NULL); \
1325 BN_dec2bn(&dh->g, #gen); \
1326 if (!dh->p || !dh->g) { \
1334 * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments
1336 make_get_dh(rfc2409, 1024, 2)
1337 make_get_dh(rfc3526, 2048, 2)
1338 make_get_dh(rfc3526, 3072, 2)
1339 make_get_dh(rfc3526, 4096, 2)
1342 * Hand out standard DH parameters, based on the authentication strength
1344 DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
1346 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
1350 #ifdef SSL_CERT_SET_SERVER
1352 * When multiple certs/keys are configured for the SSL_CTX: make sure
1353 * that we get the private key which is indeed used for the current
1354 * SSL connection (available in OpenSSL 1.0.2 or later only)
1356 SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
1358 pkey = SSL_get_privatekey(ssl);
1359 type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
1362 * OpenSSL will call us with either keylen == 512 or keylen == 1024
1363 * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
1364 * Adjust the DH parameter length according to the size of the
1365 * RSA/DSA private key used for the current connection, and always
1366 * use at least 1024-bit parameters.
1367 * Note: This may cause interoperability issues with implementations
1368 * which limit their DH support to 1024 bit - e.g. Java 7 and earlier.
1369 * In this case, SSLCertificateFile can be used to specify fixed
1370 * 1024-bit DH parameters (with the effect that OpenSSL skips this
1373 if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
1374 keylen = EVP_PKEY_bits(pkey);
1377 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
1378 "handing out built-in DH parameters for %d-bit authenticated connection", keylen);
1381 return get_dh4096();
1382 else if (keylen >= 3072)
1383 return get_dh3072();
1384 else if (keylen >= 2048)
1385 return get_dh2048();
1387 return get_dh1024();
1391 * This OpenSSL callback function is called when OpenSSL
1392 * does client authentication and verifies the certificate chain.
1394 int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
1396 /* Get Apache context back through OpenSSL context */
1397 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
1398 SSL_get_ex_data_X509_STORE_CTX_idx());
1399 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
1400 request_rec *r = (request_rec *)SSL_get_app_data2(ssl);
1401 server_rec *s = r ? r->server : mySrvFromConn(conn);
1403 SSLSrvConfigRec *sc = mySrvConfig(s);
1404 SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
1405 SSLConnRec *sslconn = myConnConfig(conn);
1406 modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
1408 /* Get verify ingredients */
1409 int errnum = X509_STORE_CTX_get_error(ctx);
1410 int errdepth = X509_STORE_CTX_get_error_depth(ctx);
1414 * Log verification information
1416 ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, conn,
1417 X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
1418 "Certificate Verification, depth %d, "
1419 "CRL checking mode: %s", errdepth,
1420 mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ?
1421 "chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ?
1425 * Check for optionally acceptable non-verifiable issuer situation
1427 if (dc && (dc->nVerifyClient != SSL_CVERIFY_UNSET)) {
1428 verify = dc->nVerifyClient;
1431 verify = mctx->auth.verify_mode;
1434 if (verify == SSL_CVERIFY_NONE) {
1436 * SSLProxyVerify is either not configured or set to "none".
1437 * (this callback doesn't happen in the server context if SSLVerify
1438 * is not configured or set to "none")
1443 if (ssl_verify_error_is_optional(errnum) &&
1444 (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
1446 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn, APLOGNO(02037)
1447 "Certificate Verification: Verifiable Issuer is "
1448 "configured as optional, therefore we're accepting "
1451 sslconn->verify_info = "GENEROUS";
1456 * Expired certificates vs. "expired" CRLs: by default, OpenSSL
1457 * turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)"
1458 * SSL alert, but that's not really the message we should convey to the
1459 * peer (at the very least, it's confusing, and in many cases, it's also
1460 * inaccurate, as the certificate itself may very well not have expired
1461 * yet). We set the X509_STORE_CTX error to something which OpenSSL's
1462 * s3_both.c:ssl_verify_alarm_type() maps to SSL_AD_CERTIFICATE_UNKNOWN,
1463 * i.e. the peer will receive a "certificate_unknown(46)" alert.
1464 * We do not touch errnum, though, so that later on we will still log
1465 * the "real" error, as returned by OpenSSL.
1467 if (!ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED) {
1468 X509_STORE_CTX_set_error(ctx, -1);
1471 #ifndef OPENSSL_NO_OCSP
1473 * Perform OCSP-based revocation checks
1475 if (ok && sc->server->ocsp_enabled == TRUE) {
1476 /* If there was an optional verification error, it's not
1477 * possible to perform OCSP validation since the issuer may be
1478 * missing/untrusted. Fail in that case. */
1479 if (ssl_verify_error_is_optional(errnum)) {
1480 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
1481 errnum = X509_V_ERR_APPLICATION_VERIFICATION;
1482 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, APLOGNO(02038)
1483 "cannot perform OCSP validation for cert "
1484 "if issuer has not been verified "
1485 "(optional_no_ca configured)");
1488 ok = modssl_verify_ocsp(ctx, sc, s, conn, conn->pool);
1490 errnum = X509_STORE_CTX_get_error(ctx);
1497 * If we already know it's not ok, log the real reason
1500 if (APLOGcinfo(conn)) {
1501 ssl_log_cxerror(SSLLOG_MARK, APLOG_INFO, 0, conn,
1502 X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02276)
1503 "Certificate Verification: Error (%d): %s",
1504 errnum, X509_verify_cert_error_string(errnum));
1506 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, APLOGNO(02039)
1507 "Certificate Verification: Error (%d): %s",
1508 errnum, X509_verify_cert_error_string(errnum));
1511 if (sslconn->client_cert) {
1512 X509_free(sslconn->client_cert);
1513 sslconn->client_cert = NULL;
1515 sslconn->client_dn = NULL;
1516 sslconn->verify_error = X509_verify_cert_error_string(errnum);
1520 * Finally check the depth of the certificate verification
1522 if (dc && (dc->nVerifyDepth != UNSET)) {
1523 depth = dc->nVerifyDepth;
1526 depth = mctx->auth.verify_depth;
1529 if (errdepth > depth) {
1530 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, APLOGNO(02040)
1531 "Certificate Verification: Certificate Chain too long "
1532 "(chain has %d certificates, but maximum allowed are "
1536 errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1537 sslconn->verify_error = X509_verify_cert_error_string(errnum);
1543 * And finally signal OpenSSL the (perhaps changed) state
1548 #define SSLPROXY_CERT_CB_LOG_FMT \
1549 "Proxy client certificate callback: (%s) "
1551 static void modssl_proxy_info_log(conn_rec *c,
1555 ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, c, info->x509, APLOGNO(02277)
1556 SSLPROXY_CERT_CB_LOG_FMT "%s, sending",
1557 (mySrvConfigFromConn(c))->vhost_id, msg);
1561 * caller will decrement the cert and key reference
1562 * so we need to increment here to prevent them from
1565 #define modssl_set_cert_info(info, cert, pkey) \
1566 *cert = info->x509; \
1567 CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
1568 *pkey = info->x_pkey->dec_pkey; \
1569 CRYPTO_add(&(*pkey)->references, +1, CRYPTO_LOCK_X509_PKEY)
1571 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
1573 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
1574 server_rec *s = mySrvFromConn(c);
1575 SSLSrvConfigRec *sc = mySrvConfig(s);
1576 X509_NAME *ca_name, *issuer, *ca_issuer;
1579 STACK_OF(X509_NAME) *ca_list;
1580 STACK_OF(X509_INFO) *certs = sc->proxy->pkp->certs;
1581 STACK_OF(X509) *ca_certs;
1582 STACK_OF(X509) **ca_cert_chains;
1585 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02267)
1586 SSLPROXY_CERT_CB_LOG_FMT "entered",
1589 if (!certs || (sk_X509_INFO_num(certs) <= 0)) {
1590 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02268)
1591 SSLPROXY_CERT_CB_LOG_FMT
1592 "downstream server wanted client certificate "
1593 "but none are configured", sc->vhost_id);
1597 ca_list = SSL_get_client_CA_list(ssl);
1599 if (!ca_list || (sk_X509_NAME_num(ca_list) <= 0)) {
1601 * downstream server didn't send us a list of acceptable CA certs,
1602 * so we send the first client cert in the list.
1604 info = sk_X509_INFO_value(certs, 0);
1606 modssl_proxy_info_log(c, info, APLOGNO(02278) "no acceptable CA list");
1608 modssl_set_cert_info(info, x509, pkey);
1613 ca_cert_chains = sc->proxy->pkp->ca_certs;
1614 for (i = 0; i < sk_X509_NAME_num(ca_list); i++) {
1615 ca_name = sk_X509_NAME_value(ca_list, i);
1617 for (j = 0; j < sk_X509_INFO_num(certs); j++) {
1618 info = sk_X509_INFO_value(certs, j);
1619 issuer = X509_get_issuer_name(info->x509);
1621 /* Search certs (by issuer name) one by one*/
1622 if (X509_NAME_cmp(issuer, ca_name) == 0) {
1623 modssl_proxy_info_log(c, info, APLOGNO(02279)
1624 "found acceptable cert");
1626 modssl_set_cert_info(info, x509, pkey);
1631 if (ca_cert_chains) {
1633 * Failed to find direct issuer - search intermediates
1634 * (by issuer name), if provided.
1636 ca_certs = ca_cert_chains[j];
1637 for (k = 0; k < sk_X509_num(ca_certs); k++) {
1638 ca_cert = sk_X509_value(ca_certs, k);
1639 ca_issuer = X509_get_issuer_name(ca_cert);
1641 if(X509_NAME_cmp(ca_issuer, ca_name) == 0 ) {
1642 modssl_proxy_info_log(c, info, APLOGNO(02280)
1643 "found acceptable cert by intermediate CA");
1645 modssl_set_cert_info(info, x509, pkey);
1649 } /* end loop through chained certs */
1651 } /* end loop through available certs */
1654 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02269)
1655 SSLPROXY_CERT_CB_LOG_FMT
1656 "no client certificate found!?", sc->vhost_id);
1661 static void ssl_session_log(server_rec *s,
1662 const char *request,
1669 char buf[SSL_SESSION_ID_STRING_LEN];
1670 char timeout_str[56] = {'\0'};
1672 if (!APLOGdebug(s)) {
1677 apr_snprintf(timeout_str, sizeof(timeout_str),
1678 "timeout=%lds ", timeout);
1681 ap_log_error(APLOG_MARK, APLOG_TRACE2, 0, s,
1682 "Inter-Process Session Cache: "
1683 "request=%s status=%s id=%s %s(session %s)",
1685 SSL_SESSION_id2sz(id, idlen, buf, sizeof(buf)),
1686 timeout_str, result);
1690 * This callback function is executed by OpenSSL whenever a new SSL_SESSION is
1691 * added to the internal OpenSSL session cache. We use this hook to spread the
1692 * SSL_SESSION also to the inter-process disk-cache to make share it with our
1693 * other Apache pre-forked server processes.
1695 int ssl_callback_NewSessionCacheEntry(SSL *ssl, SSL_SESSION *session)
1697 /* Get Apache context back through OpenSSL context */
1698 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
1699 server_rec *s = mySrvFromConn(conn);
1700 SSLSrvConfigRec *sc = mySrvConfig(s);
1701 long timeout = sc->session_cache_timeout;
1707 * Set the timeout also for the internal OpenSSL cache, because this way
1708 * our inter-process cache is consulted only when it's really necessary.
1710 SSL_set_timeout(session, timeout);
1713 * Store the SSL_SESSION in the inter-process cache with the
1714 * same expire time, so it expires automatically there, too.
1716 #ifdef OPENSSL_NO_SSL_INTERN
1717 id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
1719 id = session->session_id;
1720 idlen = session->session_id_length;
1723 rc = ssl_scache_store(s, id, idlen,
1724 apr_time_from_sec(SSL_SESSION_get_time(session)
1726 session, conn->pool);
1728 ssl_session_log(s, "SET", id, idlen,
1729 rc == TRUE ? "OK" : "BAD",
1730 "caching", timeout);
1733 * return 0 which means to OpenSSL that the session is still
1734 * valid and was not freed by us with SSL_SESSION_free().
1740 * This callback function is executed by OpenSSL whenever a
1741 * SSL_SESSION is looked up in the internal OpenSSL cache and it
1742 * was not found. We use this to lookup the SSL_SESSION in the
1743 * inter-process disk-cache where it was perhaps stored by one
1744 * of our other Apache pre-forked server processes.
1746 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *ssl,
1748 int idlen, int *do_copy)
1750 /* Get Apache context back through OpenSSL context */
1751 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
1752 server_rec *s = mySrvFromConn(conn);
1753 SSL_SESSION *session;
1756 * Try to retrieve the SSL_SESSION from the inter-process cache
1758 session = ssl_scache_retrieve(s, id, idlen, conn->pool);
1760 ssl_session_log(s, "GET", id, idlen,
1761 session ? "FOUND" : "MISSED",
1762 session ? "reuse" : "renewal", 0);
1765 * Return NULL or the retrieved SSL_SESSION. But indicate (by
1766 * setting do_copy to 0) that the reference count on the
1767 * SSL_SESSION should not be incremented by the SSL library,
1768 * because we will no longer hold a reference to it ourself.
1776 * This callback function is executed by OpenSSL whenever a
1777 * SSL_SESSION is removed from the the internal OpenSSL cache.
1778 * We use this to remove the SSL_SESSION in the inter-process
1781 void ssl_callback_DelSessionCacheEntry(SSL_CTX *ctx,
1782 SSL_SESSION *session)
1785 SSLSrvConfigRec *sc;
1790 * Get Apache context back through OpenSSL context
1792 if (!(s = (server_rec *)SSL_CTX_get_app_data(ctx))) {
1793 return; /* on server shutdown Apache is already gone */
1796 sc = mySrvConfig(s);
1799 * Remove the SSL_SESSION from the inter-process cache
1801 #ifdef OPENSSL_NO_SSL_INTERN
1802 id = (unsigned char *)SSL_SESSION_get_id(session, &idlen);
1804 id = session->session_id;
1805 idlen = session->session_id_length;
1808 /* TODO: Do we need a temp pool here, or are we always shutting down? */
1809 ssl_scache_remove(s, id, idlen, sc->mc->pPool);
1811 ssl_session_log(s, "REM", id, idlen,
1817 /* Dump debugginfo trace to the log file. */
1818 static void log_tracing_state(const SSL *ssl, conn_rec *c,
1819 server_rec *s, int where, int rc)
1822 * create the various trace messages
1824 if (where & SSL_CB_HANDSHAKE_START) {
1825 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1826 "%s: Handshake: start", SSL_LIBRARY_NAME);
1828 else if (where & SSL_CB_HANDSHAKE_DONE) {
1829 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1830 "%s: Handshake: done", SSL_LIBRARY_NAME);
1832 else if (where & SSL_CB_LOOP) {
1833 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1835 SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
1837 else if (where & SSL_CB_READ) {
1838 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1840 SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
1842 else if (where & SSL_CB_WRITE) {
1843 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1845 SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
1847 else if (where & SSL_CB_ALERT) {
1848 char *str = (where & SSL_CB_READ) ? "read" : "write";
1849 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1850 "%s: Alert: %s:%s:%s",
1851 SSL_LIBRARY_NAME, str,
1852 SSL_alert_type_string_long(rc),
1853 SSL_alert_desc_string_long(rc));
1855 else if (where & SSL_CB_EXIT) {
1857 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1858 "%s: Exit: failed in %s",
1859 SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
1862 ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
1863 "%s: Exit: error in %s",
1864 SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
1869 * Because SSL renegotiations can happen at any time (not only after
1870 * SSL_accept()), the best way to log the current connection details is
1871 * right after a finished handshake.
1873 if (where & SSL_CB_HANDSHAKE_DONE) {
1874 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02041)
1875 "Protocol: %s, Cipher: %s (%s/%s bits)",
1876 ssl_var_lookup(NULL, s, c, NULL, "SSL_PROTOCOL"),
1877 ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
1878 ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
1879 ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
1884 * This callback function is executed while OpenSSL processes the SSL
1885 * handshake and does SSL record layer stuff. It's used to trap
1886 * client-initiated renegotiations, and for dumping everything to the
1889 void ssl_callback_Info(const SSL *ssl, int where, int rc)
1895 /* Retrieve the conn_rec and the associated SSLConnRec. */
1896 if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
1900 if ((scr = myConnConfig(c)) == NULL) {
1904 /* If the reneg state is to reject renegotiations, check the SSL
1905 * state machine and move to ABORT if a Client Hello is being
1907 if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
1908 int state = SSL_get_state((SSL *)ssl);
1910 if (state == SSL3_ST_SR_CLNT_HELLO_A
1911 || state == SSL23_ST_SR_CLNT_HELLO_A) {
1912 scr->reneg_state = RENEG_ABORT;
1913 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02042)
1914 "rejecting client initiated renegotiation");
1917 /* If the first handshake is complete, change state to reject any
1918 * subsequent client-initiated renegotiation. */
1919 else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
1920 scr->reneg_state = RENEG_REJECT;
1923 s = mySrvFromConn(c);
1924 if (s && APLOGdebug(s)) {
1925 log_tracing_state(ssl, c, s, where, rc);
1931 * This callback function is executed when OpenSSL encounters an extended
1932 * client hello with a server name indication extension ("SNI", cf. RFC 6066).
1934 int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
1936 const char *servername =
1937 SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
1940 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
1942 if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
1943 (void *)servername)) {
1944 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043)
1945 "SSL virtual host for servername %s found",
1947 return SSL_TLSEXT_ERR_OK;
1950 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
1951 "No matching SSL virtual host for servername "
1952 "%s found (using default/first virtual host)",
1955 * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
1956 * a warning-level unrecognized_name(112) alert, because
1957 * the client's behavior in response to warning-level alerts
1958 * is unpredictable."
1960 * To maintain backwards compatibility in mod_ssl, we
1961 * no longer send any alert (neither warning- nor fatal-level),
1962 * i.e. we take the second action suggested in RFC 6066:
1963 * "If the server understood the ClientHello extension but
1964 * does not recognize the server name, the server SHOULD take
1965 * one of two actions: either abort the handshake by sending
1966 * a fatal-level unrecognized_name(112) alert or continue
1973 return SSL_TLSEXT_ERR_NOACK;
1977 * Find a (name-based) SSL virtual host where either the ServerName
1978 * or one of the ServerAliases matches the supplied name (to be used
1979 * with ap_vhost_iterate_given_conn())
1981 static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
1983 SSLSrvConfigRec *sc;
1986 apr_array_header_t *names;
1990 /* check ServerName */
1991 if (!strcasecmp(servername, s->server_hostname)) {
1996 * if not matched yet, check ServerAlias entries
1997 * (adapted from vhost.c:matches_aliases())
2002 char **name = (char **)names->elts;
2003 for (i = 0; i < names->nelts; ++i) {
2006 if (!strcasecmp(servername, name[i])) {
2014 /* if still no match, check ServerAlias entries with wildcards */
2016 names = s->wild_names;
2018 char **name = (char **)names->elts;
2019 for (i = 0; i < names->nelts; ++i) {
2022 if (!ap_strcasecmp_match(servername, name[i])) {
2030 /* set SSL_CTX (if matched) */
2031 sslcon = myConnConfig(c);
2032 if (found && (ssl = sslcon->ssl) &&
2033 (sc = mySrvConfig(s))) {
2034 SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
2036 * SSL_set_SSL_CTX() only deals with the server cert,
2037 * so we need to duplicate a few additional settings
2038 * from the ctx by hand
2040 SSL_set_options(ssl, SSL_CTX_get_options(ctx));
2041 if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
2042 (SSL_num_renegotiations(ssl) == 0)) {
2044 * Only initialize the verification settings from the ctx
2045 * if they are not yet set, or if we're called when a new
2046 * SSL connection is set up (num_renegotiations == 0).
2047 * Otherwise, we would possibly reset a per-directory
2048 * configuration which was put into effect by ssl_hook_Access.
2050 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
2051 SSL_CTX_get_verify_callback(ctx));
2055 * Adjust the session id context. ssl_init_ssl_connection()
2056 * always picks the configuration of the first vhost when
2057 * calling SSL_new(), but we want to tie the session to the
2058 * vhost we have just switched to. Again, we have to make sure
2059 * that we're not overwriting a session id context which was
2060 * possibly set in ssl_hook_Access(), before triggering
2063 if (SSL_num_renegotiations(ssl) == 0) {
2064 unsigned char *sid_ctx =
2065 (unsigned char *)ap_md5_binary(c->pool,
2066 (unsigned char *)sc->vhost_id,
2068 SSL_set_session_id_context(ssl, sid_ctx, APR_MD5_DIGESTSIZE*2);
2072 * Save the found server into our SSLConnRec for later
2078 * There is one special filter callback, which is set
2079 * very early depending on the base_server's log level.
2080 * If this is not the first vhost we're now selecting
2081 * (and the first vhost doesn't use APLOG_TRACE4), then
2082 * we need to set that callback here.
2084 if (APLOGtrace4(s)) {
2085 BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
2086 BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
2094 #endif /* HAVE_TLSEXT */
2096 #ifdef HAVE_TLS_SESSION_TICKETS
2098 * This callback function is executed when OpenSSL needs a key for encrypting/
2099 * decrypting a TLS session ticket (RFC 5077) and a ticket key file has been
2100 * configured through SSLSessionTicketKeyFile.
2102 int ssl_callback_SessionTicket(SSL *ssl,
2103 unsigned char *keyname,
2105 EVP_CIPHER_CTX *cipher_ctx,
2109 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
2110 server_rec *s = mySrvFromConn(c);
2111 SSLSrvConfigRec *sc = mySrvConfig(s);
2112 SSLConnRec *sslconn = myConnConfig(c);
2113 modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
2114 modssl_ticket_key_t *ticket_key = mctx->ticket_key;
2118 * OpenSSL is asking for a key for encrypting a ticket,
2119 * see s3_srvr.c:ssl3_send_newsession_ticket()
2122 if (ticket_key == NULL) {
2123 /* should never happen, but better safe than sorry */
2127 memcpy(keyname, ticket_key->key_name, 16);
2128 RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
2129 EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
2130 ticket_key->aes_key, iv);
2131 HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
2133 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
2134 "TLS session ticket key for %s successfully set, "
2135 "creating new session ticket", sc->vhost_id);
2139 else if (mode == 0) {
2141 * OpenSSL is asking for the decryption key,
2142 * see t1_lib.c:tls_decrypt_ticket()
2145 /* check key name */
2146 if (ticket_key == NULL || memcmp(keyname, ticket_key->key_name, 16)) {
2150 EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
2151 ticket_key->aes_key, iv);
2152 HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
2154 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
2155 "TLS session ticket key for %s successfully set, "
2156 "decrypting existing session ticket", sc->vhost_id);
2161 /* OpenSSL is not expected to call us with modes other than 1 or 0 */
2164 #endif /* HAVE_TLS_SESSION_TICKETS */
2168 * This callback function is executed when SSL needs to decide what protocols
2169 * to advertise during Next Protocol Negotiation (NPN). It must produce a
2170 * string in wire format -- a sequence of length-prefixed strings -- indicating
2171 * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
2172 * in OpenSSL for reference.
2174 int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
2175 unsigned int *size_out, void *arg)
2177 conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
2178 SSLConnRec *sslconn = myConnConfig(c);
2179 apr_array_header_t *protos;
2183 unsigned char *data;
2184 unsigned char *start;
2189 /* If the connection object is not available, or there are no NPN
2190 * hooks registered, then there's nothing for us to do. */
2191 if (c == NULL || sslconn->npn_advertfns == NULL) {
2192 return SSL_TLSEXT_ERR_OK;
2195 /* Invoke our npn_advertise_protos hook, giving other modules a chance to
2196 * add alternate protocol names to advertise. */
2197 protos = apr_array_make(c->pool, 0, sizeof(char *));
2198 for (i = 0; i < sslconn->npn_advertfns->nelts; i++) {
2199 ssl_npn_advertise_protos fn =
2200 APR_ARRAY_IDX(sslconn->npn_advertfns, i, ssl_npn_advertise_protos);
2202 if (fn(c, protos) == DONE)
2205 num_protos = protos->nelts;
2207 /* We now have a list of null-terminated strings; we need to concatenate
2208 * them together into a single string, where each protocol name is prefixed
2209 * by its length. First, calculate how long that string will be. */
2211 for (i = 0; i < num_protos; ++i) {
2212 const char *string = APR_ARRAY_IDX(protos, i, const char*);
2213 unsigned int length = strlen(string);
2214 /* If the protocol name is too long (the length must fit in one byte),
2215 * then log an error and skip it. */
2217 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307)
2218 "SSL NPN protocol name too long (length=%u): %s",
2222 /* Leave room for the length prefix (one byte) plus the protocol name
2227 /* If there is nothing to advertise (either because no modules added
2228 * anything to the protos array, or because all strings added to the array
2229 * were skipped), then we're done. */
2231 return SSL_TLSEXT_ERR_OK;
2234 /* Now we can build the string. Copy each protocol name string into the
2235 * larger string, prefixed by its length. */
2236 data = apr_palloc(c->pool, size * sizeof(unsigned char));
2238 for (i = 0; i < num_protos; ++i) {
2239 const char *string = APR_ARRAY_IDX(protos, i, const char*);
2240 apr_size_t length = strlen(string);
2243 *start = (unsigned char)length;
2245 memcpy(start, string, length * sizeof(unsigned char));
2252 return SSL_TLSEXT_ERR_OK;
2255 #endif /* HAVE_TLS_NPN */
2259 int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
2261 modssl_ctx_t *mctx = (modssl_ctx_t *)arg;
2262 char *username = SSL_get_srp_username(ssl);
2265 if (username == NULL
2266 || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
2267 *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
2268 return SSL3_AL_FATAL;
2271 if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
2272 *ad = SSL_AD_INTERNAL_ERROR;
2273 return SSL3_AL_FATAL;
2276 /* reset all other options */
2277 SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
2278 return SSL_ERROR_NONE;
2281 #endif /* HAVE_SRP */