mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,

[apache] / modules / ssl / mod_ssl.c
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c

index 603a00e7c7009d6704b299d1ca00fd445ca4ceda..46db8637567f9b072d8617e950feb2eeb9384db9 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -26,12 +26,24 @@
  
  #include "ssl_private.h"
  #include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
  #include "util_md5.h"
  #include "util_mutex.h"
  #include "ap_provider.h"
  
+#include "mod_proxy.h" /* for proxy_hook_section_post_config() */
+
  #include <assert.h>
  
+#if HAVE_VALGRIND
+#include <valgrind.h>
+int ssl_running_on_valgrind = 0;
+#endif
+
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
+                                    (conn_rec *c,SSL *ssl,int is_proxy),
+                                    (c,ssl,is_proxy), OK, DECLINED);
+
  /*
   *  the table of configuration directives we provide
   */
@@ -44,6 +56,10 @@
          AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                         NULL, RSRC_CONF, desc),
  
+#define SSL_CMD_PXY(name, args, desc) \
+        AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
+                       NULL, RSRC_CONF|PROXY_CONF, desc),
+
  #define SSL_CMD_DIR(name, type, args, desc) \
          AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
                         NULL, OR_##type, desc),
@@ -91,9 +107,11 @@ static const command_rec ssl_config_cmds[] = {
      SSL_CMD_SRV(CertificateChainFile, TAKE1,
                  "SSL Server CA Certificate Chain file "
                  "('/path/to/file' - PEM encoded)")
-    SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
-                "PKCS#7 file containing server certificate and chain"
-                " certificates ('/path/to/file' - PEM encoded)")
+#ifdef HAVE_TLS_SESSION_TICKETS
+    SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
+                "TLS session ticket encryption/decryption key file (RFC 5077) "
+                "('/path/to/file' - file with 48 bytes of random data)")
+#endif
      SSL_CMD_ALL(CACertificatePath, TAKE1,
                  "SSL CA Certificate path "
                  "('/path/to/dir' - contains PEM encoded files)")
@@ -112,6 +130,8 @@ static const command_rec ssl_config_cmds[] = {
      SSL_CMD_SRV(CARevocationFile, TAKE1,
                  "SSL CA Certificate Revocation List (CRL) file "
                  "('/path/to/file' - PEM encoded)")
+    SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
+                "SSL CA Certificate Revocation List (CRL) checking mode")
      SSL_CMD_ALL(VerifyClient, TAKE1,
                  "SSL Client verify type "
                  "('none', 'optional', 'require', 'optional_no_ca')")
@@ -121,11 +141,27 @@ static const command_rec ssl_config_cmds[] = {
      SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
                  "SSL Session Cache object lifetime "
                  "('N' - number of seconds)")
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
+#ifdef HAVE_TLSV1_X
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
+#else
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
+#endif
      SSL_CMD_SRV(Protocol, RAW_ARGS,
-                "Enable or disable various SSL protocols"
-                "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+                "Enable or disable various SSL protocols "
+                "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
      SSL_CMD_SRV(HonorCipherOrder, FLAG,
                  "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(Compression, FLAG,
+                "Enable SSL level compression "
+                "(`on', `off')")
+    SSL_CMD_SRV(SessionTickets, FLAG,
+                "Enable or disable TLS session tickets"
+                "(`on', `off')")
      SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                  "Enable support for insecure renegotiation")
      SSL_CMD_ALL(UserName, TAKE1,
@@ -133,46 +169,64 @@ static const command_rec ssl_config_cmds[] = {
      SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
                  "Strict SNI virtual host checking")
  
+#ifdef HAVE_SRP
+    SSL_CMD_SRV(SRPVerifierFile, TAKE1,
+                "SRP verifier file "
+                "('/path/to/file' - created by srptool)")
+    SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
+                "SRP seed for unknown users (to avoid leaking a user's existence) "
+                "('some secret text')")
+#endif
+
      /*
       * Proxy configuration for remote SSL connections
       */
-    SSL_CMD_SRV(ProxyEngine, FLAG,
+    SSL_CMD_PXY(ProxyEngine, FLAG,
                  "SSL switch for the proxy protocol engine "
                  "('on', 'off')")
-    SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+    SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
                 "SSL Proxy: enable or disable SSL protocol flavors "
-               "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
-    SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+                "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
+    SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
                 "SSL Proxy: colon-delimited list of permitted SSL ciphers "
                 "('XXX:...:XXX' - see manual)")
-    SSL_CMD_SRV(ProxyVerify, TAKE1,
+    SSL_CMD_PXY(ProxyVerify, TAKE1,
                 "SSL Proxy: whether to verify the remote certificate "
                 "('on' or 'off')")
-    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
+    SSL_CMD_PXY(ProxyVerifyDepth, TAKE1,
                 "SSL Proxy: maximum certificate verification depth "
                 "('N' - number of intermediate certificates)")
-    SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
+    SSL_CMD_PXY(ProxyCACertificateFile, TAKE1,
                 "SSL Proxy: file containing server certificates "
                 "('/path/to/file' - PEM encoded certificates)")
-    SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
+    SSL_CMD_PXY(ProxyCACertificatePath, TAKE1,
                 "SSL Proxy: directory containing server certificates "
                 "('/path/to/dir' - contains PEM encoded certificates)")
-    SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
+    SSL_CMD_PXY(ProxyCARevocationPath, TAKE1,
                  "SSL Proxy: CA Certificate Revocation List (CRL) path "
                  "('/path/to/dir' - contains PEM encoded files)")
-    SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
+    SSL_CMD_PXY(ProxyCARevocationFile, TAKE1,
                  "SSL Proxy: CA Certificate Revocation List (CRL) file "
                  "('/path/to/file' - PEM encoded)")
-    SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
+    SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS,
+                "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
+    SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1,
                 "SSL Proxy: file containing client certificates "
                 "('/path/to/file' - PEM encoded certificates)")
-    SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
+    SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1,
                 "SSL Proxy: directory containing client certificates "
                 "('/path/to/dir' - contains PEM encoded certificates)")
-    SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
-                "SSL Proxy: check the peers certificate expiration date")
-    SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
-                "SSL Proxy: check the peers certificate CN")
+    SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1,
+               "SSL Proxy: file containing issuing certificates "
+               "of the client certificate "
+               "(`/path/to/file' - PEM encoded certificates)")
+    SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG,
+                "SSL Proxy: check the peer certificate's expiration date")
+    SSL_CMD_PXY(ProxyCheckPeerCN, FLAG,
+                "SSL Proxy: check the peer certificate's CN")
+    SSL_CMD_PXY(ProxyCheckPeerName, FLAG,
+                "SSL Proxy: check the peer certificate's name "
+                "(must be present in subjectAltName extension or CN")
  
      /*
       * Per-directory context configuration directives
@@ -197,6 +251,16 @@ static const command_rec ssl_config_cmds[] = {
                 "URL of the default OCSP Responder")
      SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
                 "Force use of the default responder URL ('on', 'off')")
+    SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
+                "Maximum time difference in OCSP responses")
+    SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
+                "Maximum age of OCSP responses")
+    SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
+                "OCSP responder query timeout")
+    SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+                "Whether OCSP queries use a nonce or not ('on', 'off')")
+    SSL_CMD_SRV(OCSPProxyURL, TAKE1,
+                "Proxy URL to use for OCSP requests")
  
  #ifdef HAVE_OCSP_STAPLING
      /*
@@ -217,16 +281,21 @@ static const command_rec ssl_config_cmds[] = {
                  "SSL stapling option for normal OCSP Response Cache Lifetime")
      SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
                  "SSL stapling switch to return Status Errors Back to Client"
-               "(`on', `off')")
+                "(`on', `off')")
      SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
                  "SSL stapling switch to send tryLater response to client on error "
-               "(`on', `off')")
+                "(`on', `off')")
      SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
                  "SSL stapling option for OCSP Response Error Cache Lifetime")
      SSL_CMD_SRV(StaplingForceURL, TAKE1,
                  "SSL stapling option to Force the OCSP Stapling URL")
  #endif
  
+#ifdef HAVE_SSL_CONF_CMD
+    SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
+                "OpenSSL configuration command")
+#endif
+
      /* Deprecated directives. */
      AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
        "SSLLog directive is no longer supported - use ErrorLog."),
@@ -244,25 +313,32 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
      /*
       * Try to kill the internals of the SSL library.
       */
-#ifdef HAVE_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
      /* Corresponds to OPENSSL_load_builtin_modules():
       * XXX: borrowed from apps.h, but why not CONF_modules_free()
       * which also invokes CONF_modules_finish()?
       */
      CONF_modules_unload(1);
-#endif
-#endif
      /* Corresponds to SSL_library_init: */
      EVP_cleanup();
  #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
      ENGINE_cleanup();
  #endif
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    ERR_remove_thread_state(NULL);
+#else
+    ERR_remove_thread_state();
+#endif
+#else
      ERR_remove_state(0);
+#endif
  
-    /* Don't call ERR_free_strings here; ERR_load_*_strings only
-     * actually load the error strings once per process due to static
+    /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
+     * actually loaded the error strings once per process due to static
       * variable abuse in OpenSSL. */
+#if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
+    ERR_free_strings();
+#endif
  
      /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
       * ex_data indices may have been cached in static variables in
@@ -282,24 +358,32 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
                                 apr_pool_t *plog,
                                 apr_pool_t *ptemp)
  {
+
+#if HAVE_VALGRIND
+     ssl_running_on_valgrind = RUNNING_ON_VALGRIND;
+#endif
+
      /* We must register the library in full, to ensure our configuration
       * code can successfully test the SSL environment.
       */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
      CRYPTO_malloc_init();
-#ifdef HAVE_OPENSSL
-    ERR_load_crypto_strings();
+#else
+    OPENSSL_malloc_init();
  #endif
+    ERR_load_crypto_strings();
      SSL_load_error_strings();
      SSL_library_init();
  #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
      ENGINE_load_builtin_engines();
  #endif
-#ifdef HAVE_OPENSSL
      OpenSSL_add_all_algorithms();
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
      OPENSSL_load_builtin_modules();
-#endif
-#endif
+
+    if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
+        (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
+                         "SRVName otherName form");
+    }
  
      /*
       * Let us cleanup the ssl library when the module is unloaded
@@ -316,15 +400,20 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
      /* Register mutex type names so they can be configured with Mutex */
      ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
  #ifdef HAVE_OCSP_STAPLING
-    ap_mutex_register(pconf, SSL_STAPLING_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL,
+                      APR_LOCK_DEFAULT, 0);
+    ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL,
+                      APR_LOCK_DEFAULT, 0);
  #endif
  
      return OK;
  }
  
-static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
+                                           ap_conf_vector_t *per_dir_config)
  {
      SSLConnRec *sslconn = myConnConfig(c);
+    SSLSrvConfigRec *sc;
  
      if (sslconn) {
          return sslconn;
@@ -332,86 +421,127 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
  
      sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
  
+    if (per_dir_config) {
+        sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
+    }
+    else {
+        sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
+                                           &ssl_module);
+    }
+
      sslconn->server = c->base_server;
+    sslconn->verify_depth = UNSET;
+    sc = mySrvConfig(c->base_server);
+    sslconn->cipher_suite = sc->server->auth.cipher_suite;
  
      myConnConfigSet(c, sslconn);
  
      return sslconn;
  }
  
-int ssl_proxy_enable(conn_rec *c)
+static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
  {
-    SSLSrvConfigRec *sc;
-
-    SSLConnRec *sslconn = ssl_init_connection_ctx(c);
-    sc = mySrvConfig(sslconn->server);
-
-    if (!sc->proxy_enabled) {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-                      "SSL Proxy requested for %s but not enabled "
-                      "[Hint: SSLProxyEngine]", sc->vhost_id);
-
-        return 0;
+    if (c->master) {
+        return DECLINED;
      }
-
-    sslconn->is_proxy = 1;
-    sslconn->disabled = 0;
-
-    return 1;
+    if (sslconn) {
+        if (sslconn->disabled) {
+            return SUSPENDED;
+        }
+        if (sslconn->is_proxy) {
+            if (!sslconn->dc->proxy_enabled) {
+                return DECLINED;
+            }
+        }
+        else {
+            if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) {
+                return DECLINED;
+            }
+        }
+    }
+    else {
+        if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
+            return DECLINED;
+        }
+    }
+    return OK;
  }
  
-int ssl_engine_disable(conn_rec *c)
+static int ssl_engine_set(conn_rec *c,
+                          ap_conf_vector_t *per_dir_config,
+                          int proxy, int enable)
  {
-    SSLSrvConfigRec *sc;
-
-    SSLConnRec *sslconn = myConnConfig(c);
-
-    if (sslconn) {
-        sc = mySrvConfig(sslconn->server);
+    SSLConnRec *sslconn;
+    int status;
+    
+    if (proxy) {
+        sslconn = ssl_init_connection_ctx(c, per_dir_config);
+        sslconn->is_proxy = 1;
      }
      else {
-        sc = mySrvConfig(c->base_server);
+        sslconn = myConnConfig(c);
      }
-    if (sc->enabled == SSL_ENABLED_FALSE) {
-        return 0;
+
+    status = ssl_engine_status(c, sslconn);
+
+    if (proxy && status == DECLINED) {
+        if (enable) {
+            SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+                          "SSL Proxy requested for %s but not enabled "
+                          "[Hint: SSLProxyEngine]", sc->vhost_id);
+        }
+        sslconn->disabled = 1;
+    }
+    else if (sslconn) {
+        sslconn->disabled = !enable;
      }
  
-    sslconn = ssl_init_connection_ctx(c);
+    return status != DECLINED;
+}
  
-    sslconn->disabled = 1;
+static int ssl_proxy_enable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 1, 1);
+}
  
-    return 1;
+static int ssl_engine_disable(conn_rec *c)
+{
+    return ssl_engine_set(c, NULL, 0, 0);
  }
  
  int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
  {
      SSLSrvConfigRec *sc;
      SSL *ssl;
-    SSLConnRec *sslconn = myConnConfig(c);
+    SSLConnRec *sslconn;
      char *vhost_md5;
+    int rc;
      modssl_ctx_t *mctx;
      server_rec *server;
  
-    if (!sslconn) {
-        sslconn = ssl_init_connection_ctx(c);
-    }
+    /*
+     * Create or retrieve SSL context
+     */
+    sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
      server = sslconn->server;
      sc = mySrvConfig(server);
  
      /*
       * Seed the Pseudo Random Number Generator (PRNG)
       */
-    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
+    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
+                  sslconn->is_proxy ? "Proxy: " : "Server: ");
  
-    mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+    mctx = myCtxConfig(sslconn, sc);
  
      /*
       * Create a new SSL connection with the configured server SSL context and
       * attach this to the socket. Additionally we register this attachment
       * so we can detach later.
       */
-    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+    if (!(sslconn->ssl = ssl = SSL_new(mctx->ssl_ctx))) {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
                        "Unable to create a new SSL connection from the SSL "
                        "context");
          ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
@@ -421,13 +551,18 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
          return DECLINED; /* XXX */
      }
  
+    rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+    if (rc != OK && rc != DECLINED) {
+        return rc;
+    }
+
      vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
                                sc->vhost_id_len);
  
      if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                      APR_MD5_DIGESTSIZE*2))
      {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
                        "Unable to set session id context to '%s'", vhost_md5);
          ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
  
@@ -437,18 +572,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
      }
  
      SSL_set_app_data(ssl, c);
-    SSL_set_app_data2(ssl, NULL); /* will be request_rec */
-
-    sslconn->ssl = ssl;
-
-    /*
-     *  Configure callbacks for SSL connection
-     */
-    SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
-    SSL_set_tmp_dh_callback(ssl,  ssl_callback_TmpDH);
-#ifndef OPENSSL_NO_EC
-    SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
-#endif
+    modssl_set_app_data2(ssl, NULL); /* will be request_rec */
  
      SSL_set_verify_result(ssl, X509_V_OK);
  
@@ -484,30 +608,18 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
      SSLSrvConfigRec *sc;
      SSLConnRec *sslconn = myConnConfig(c);
  
-    if (sslconn) {
-        sc = mySrvConfig(sslconn->server);
-    }
-    else {
-        sc = mySrvConfig(c->base_server);
-    }
      /*
       * Immediately stop processing if SSL is disabled for this connection
       */
-    if (!(sc && (sc->enabled == SSL_ENABLED_TRUE ||
-                 (sslconn && sslconn->is_proxy))))
-    {
+    if (ssl_engine_status(c, sslconn) != OK) {
          return DECLINED;
      }
  
-    /*
-     * Create SSL context
-     */
-    if (!sslconn) {
-        sslconn = ssl_init_connection_ctx(c);
+    if (sslconn) {
+        sc = mySrvConfig(sslconn->server);
      }
-
-    if (sslconn->disabled) {
-        return DECLINED;
+    else {
+        sc = mySrvConfig(c->base_server);
      }
  
      /*
@@ -515,13 +627,33 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
       * later access inside callback functions
       */
  
-    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
+    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
                    "Connection to child %ld established "
                    "(server %s)", c->id, sc->vhost_id);
  
      return ssl_init_ssl_connection(c, NULL);
  }
  
+static int ssl_hook_process_connection(conn_rec* c)
+{
+    SSLConnRec *sslconn = myConnConfig(c);
+
+    if (sslconn && !sslconn->disabled) {
+        /* On an active SSL connection, let the input filters initialize
+         * themselves which triggers the handshake, which again triggers
+         * all kinds of useful things such as SNI and ALPN.
+         */
+        apr_bucket_brigade* temp;
+
+        temp = apr_brigade_create(c->pool, c->bucket_alloc);
+        ap_get_brigade(c->input_filters, temp,
+                       AP_MODE_INIT, APR_BLOCK_READ, 0);
+        apr_brigade_destroy(temp);
+    }
+    
+    return DECLINED;
+}
+
  /*
   *  the module registration phase
   */
@@ -531,29 +663,52 @@ static void ssl_register_hooks(apr_pool_t *p)
      /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
       * run after mod_setenvif's post_read_request hook. */
      static const char *pre_prr[] = { "mod_setenvif.c", NULL };
+    /* The ssl_init_Module post_config hook should run before mod_proxy's
+     * for the ssl proxy main configs to be merged with vhosts' before being
+     * themselves merged with mod_proxy's in proxy_hook_section_post_config.
+     */
+    static const char *b_pc[] = { "mod_proxy.c", NULL};
+
  
      ssl_io_filter_register(p);
  
      ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_process_connection(ssl_hook_process_connection, 
+                                                   NULL, NULL, APR_HOOK_MIDDLE);
      ap_hook_test_config   (ssl_hook_ConfigTest,    NULL,NULL, APR_HOOK_MIDDLE);
-    ap_hook_post_config   (ssl_init_Module,        NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_post_config   (ssl_init_Module,        NULL,b_pc, APR_HOOK_MIDDLE);
      ap_hook_http_scheme   (ssl_hook_http_scheme,   NULL,NULL, APR_HOOK_MIDDLE);
      ap_hook_default_port  (ssl_hook_default_port,  NULL,NULL, APR_HOOK_MIDDLE);
      ap_hook_pre_config    (ssl_hook_pre_config,    NULL,NULL, APR_HOOK_MIDDLE);
      ap_hook_child_init    (ssl_init_Child,         NULL,NULL, APR_HOOK_MIDDLE);
-    ap_hook_check_authn   (ssl_hook_UserCheck,     NULL,NULL, APR_HOOK_FIRST,
-                           AP_AUTH_INTERNAL_PER_CONF);
-    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
      ap_hook_check_access  (ssl_hook_Access,        NULL,NULL, APR_HOOK_MIDDLE,
                             AP_AUTH_INTERNAL_PER_CONF);
+    ap_hook_check_authn   (ssl_hook_UserCheck,     NULL,NULL, APR_HOOK_FIRST,
+                           AP_AUTH_INTERNAL_PER_CONF);
      ap_hook_check_authz   (ssl_hook_Auth,          NULL,NULL, APR_HOOK_MIDDLE,
                             AP_AUTH_INTERNAL_PER_CONF);
-    ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_MIDDLE);
+
+    APR_OPTIONAL_HOOK(proxy, section_post_config,
+                      ssl_proxy_section_post_config, NULL, NULL,
+                      APR_HOOK_MIDDLE);
  
      ssl_var_register(p);
  
      APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
      APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
+
+    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
+                              AUTHZ_PROVIDER_VERSION,
+                              &ssl_authz_provider_require_ssl,
+                              AP_AUTH_INTERNAL_PER_CONF);
+
+    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
+                              AUTHZ_PROVIDER_VERSION,
+                              &ssl_authz_provider_verify_client,
+                              AP_AUTH_INTERNAL_PER_CONF);
  }
  
  module AP_MODULE_DECLARE_DATA ssl_module = {