#include "util_mutex.h"
#include "ap_provider.h"
+#include "mod_proxy.h" /* for proxy_hook_section_post_config() */
+
#include <assert.h>
#if HAVE_VALGRIND
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, RSRC_CONF, desc),
+#define SSL_CMD_PXY(name, args, desc) \
+ AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
+ NULL, RSRC_CONF|PROXY_CONF, desc),
+
#define SSL_CMD_DIR(name, type, args, desc) \
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, OR_##type, desc),
SSL_CMD_SRV(CARevocationFile, TAKE1,
"SSL CA Certificate Revocation List (CRL) file "
"('/path/to/file' - PEM encoded)")
- SSL_CMD_SRV(CARevocationCheck, TAKE1,
+ SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
"SSL CA Certificate Revocation List (CRL) checking mode")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client verify type "
/*
* Proxy configuration for remote SSL connections
*/
- SSL_CMD_SRV(ProxyEngine, FLAG,
+ SSL_CMD_PXY(ProxyEngine, FLAG,
"SSL switch for the proxy protocol engine "
"('on', 'off')")
- SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+ SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
- SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+ SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"('XXX:...:XXX' - see manual)")
- SSL_CMD_SRV(ProxyVerify, TAKE1,
+ SSL_CMD_PXY(ProxyVerify, TAKE1,
"SSL Proxy: whether to verify the remote certificate "
"('on' or 'off')")
- SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
+ SSL_CMD_PXY(ProxyVerifyDepth, TAKE1,
"SSL Proxy: maximum certificate verification depth "
"('N' - number of intermediate certificates)")
- SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
+ SSL_CMD_PXY(ProxyCACertificateFile, TAKE1,
"SSL Proxy: file containing server certificates "
"('/path/to/file' - PEM encoded certificates)")
- SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
+ SSL_CMD_PXY(ProxyCACertificatePath, TAKE1,
"SSL Proxy: directory containing server certificates "
"('/path/to/dir' - contains PEM encoded certificates)")
- SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
+ SSL_CMD_PXY(ProxyCARevocationPath, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) path "
"('/path/to/dir' - contains PEM encoded files)")
- SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
+ SSL_CMD_PXY(ProxyCARevocationFile, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) file "
"('/path/to/file' - PEM encoded)")
- SSL_CMD_SRV(ProxyCARevocationCheck, TAKE1,
+ SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS,
"SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
- SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
+ SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1,
"SSL Proxy: file containing client certificates "
"('/path/to/file' - PEM encoded certificates)")
- SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
+ SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1,
"SSL Proxy: directory containing client certificates "
"('/path/to/dir' - contains PEM encoded certificates)")
- SSL_CMD_SRV(ProxyMachineCertificateChainFile, TAKE1,
+ SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1,
"SSL Proxy: file containing issuing certificates "
"of the client certificate "
"(`/path/to/file' - PEM encoded certificates)")
- SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
+ SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG,
"SSL Proxy: check the peer certificate's expiration date")
- SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+ SSL_CMD_PXY(ProxyCheckPeerCN, FLAG,
"SSL Proxy: check the peer certificate's CN")
- SSL_CMD_SRV(ProxyCheckPeerName, FLAG,
+ SSL_CMD_PXY(ProxyCheckPeerName, FLAG,
"SSL Proxy: check the peer certificate's name "
"(must be present in subjectAltName extension or CN")
"OCSP responder query timeout")
SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
"Whether OCSP queries use a nonce or not ('on', 'off')")
+ SSL_CMD_SRV(OCSPProxyURL, TAKE1,
+ "Proxy URL to use for OCSP requests")
#ifdef HAVE_OCSP_STAPLING
/*
ENGINE_cleanup();
#endif
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_remove_thread_state(NULL);
+#else
+ ERR_remove_thread_state();
+#endif
#else
ERR_remove_state(0);
#endif
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_malloc_init();
+#else
+ OPENSSL_malloc_init();
+#endif
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
return OK;
}
-static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
+ ap_conf_vector_t *per_dir_config)
{
SSLConnRec *sslconn = myConnConfig(c);
SSLSrvConfigRec *sc;
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
+ if (per_dir_config) {
+ sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
+ }
+ else {
+ sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
+ &ssl_module);
+ }
+
sslconn->server = c->base_server;
sslconn->verify_depth = UNSET;
sc = mySrvConfig(c->base_server);
return sslconn;
}
-static int ssl_proxy_enable(conn_rec *c)
+static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
{
- SSLSrvConfigRec *sc;
-
- SSLConnRec *sslconn = ssl_init_connection_ctx(c);
- sc = mySrvConfig(sslconn->server);
-
- if (!sc->proxy_enabled) {
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
- "SSL Proxy requested for %s but not enabled "
- "[Hint: SSLProxyEngine]", sc->vhost_id);
-
- return 0;
+ if (c->master) {
+ return DECLINED;
}
-
- sslconn->is_proxy = 1;
- sslconn->disabled = 0;
-
- return 1;
+ if (sslconn) {
+ if (sslconn->disabled) {
+ return SUSPENDED;
+ }
+ if (sslconn->is_proxy) {
+ if (!sslconn->dc->proxy_enabled) {
+ return DECLINED;
+ }
+ }
+ else {
+ if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) {
+ return DECLINED;
+ }
+ }
+ }
+ else {
+ if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
+ return DECLINED;
+ }
+ }
+ return OK;
}
-static int ssl_engine_disable(conn_rec *c)
+static int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int proxy, int enable)
{
- SSLSrvConfigRec *sc;
-
- SSLConnRec *sslconn = myConnConfig(c);
-
- if (sslconn) {
- sc = mySrvConfig(sslconn->server);
+ SSLConnRec *sslconn;
+ int status;
+
+ if (proxy) {
+ sslconn = ssl_init_connection_ctx(c, per_dir_config);
+ sslconn->is_proxy = 1;
}
else {
- sc = mySrvConfig(c->base_server);
+ sslconn = myConnConfig(c);
}
- if (sc->enabled == SSL_ENABLED_FALSE) {
- return 0;
+
+ status = ssl_engine_status(c, sslconn);
+
+ if (proxy && status == DECLINED) {
+ if (enable) {
+ SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+ "SSL Proxy requested for %s but not enabled "
+ "[Hint: SSLProxyEngine]", sc->vhost_id);
+ }
+ sslconn->disabled = 1;
+ }
+ else if (sslconn) {
+ sslconn->disabled = !enable;
}
- sslconn = ssl_init_connection_ctx(c);
+ return status != DECLINED;
+}
- sslconn->disabled = 1;
+static int ssl_proxy_enable(conn_rec *c)
+{
+ return ssl_engine_set(c, NULL, 1, 1);
+}
- return 1;
+static int ssl_engine_disable(conn_rec *c)
+{
+ return ssl_engine_set(c, NULL, 0, 0);
}
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
SSLSrvConfigRec *sc;
SSL *ssl;
- SSLConnRec *sslconn = myConnConfig(c);
+ SSLConnRec *sslconn;
char *vhost_md5;
int rc;
modssl_ctx_t *mctx;
server_rec *server;
- if (!sslconn) {
- sslconn = ssl_init_connection_ctx(c);
- }
+ /*
+ * Create or retrieve SSL context
+ */
+ sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
server = sslconn->server;
sc = mySrvConfig(server);
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
- ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
+ ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
+ sslconn->is_proxy ? "Proxy: " : "Server: ");
- mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ mctx = myCtxConfig(sslconn, sc);
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
- if (!(ssl = SSL_new(mctx->ssl_ctx))) {
+ if (!(sslconn->ssl = ssl = SSL_new(mctx->ssl_ctx))) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
"Unable to create a new SSL connection from the SSL "
"context");
SSL_set_app_data(ssl, c);
modssl_set_app_data2(ssl, NULL); /* will be request_rec */
- sslconn->ssl = ssl;
-
SSL_set_verify_result(ssl, X509_V_OK);
ssl_io_filter_init(c, r, ssl);
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
-
SSLSrvConfigRec *sc;
SSLConnRec *sslconn = myConnConfig(c);
- if (sslconn) {
- sc = mySrvConfig(sslconn->server);
- }
- else {
- sc = mySrvConfig(c->base_server);
- }
/*
* Immediately stop processing if SSL is disabled for this connection
*/
- if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
- (sslconn && sslconn->is_proxy))))
- {
+ if (ssl_engine_status(c, sslconn) != OK) {
return DECLINED;
}
- /*
- * Create SSL context
- */
- if (!sslconn) {
- sslconn = ssl_init_connection_ctx(c);
+ if (sslconn) {
+ sc = mySrvConfig(sslconn->server);
}
-
- if (sslconn->disabled) {
- return DECLINED;
+ else {
+ sc = mySrvConfig(c->base_server);
}
/*
/* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
* run after mod_setenvif's post_read_request hook. */
static const char *pre_prr[] = { "mod_setenvif.c", NULL };
+ /* The ssl_init_Module post_config hook should run before mod_proxy's
+ * for the ssl proxy main configs to be merged with vhosts' before being
+ * themselves merged with mod_proxy's in proxy_hook_section_post_config.
+ */
+ static const char *b_pc[] = { "mod_proxy.c", NULL};
+
ssl_io_filter_register(p);
ap_hook_process_connection(ssl_hook_process_connection,
NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config (ssl_init_Module, NULL,b_pc, APR_HOOK_MIDDLE);
ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
- AP_AUTH_INTERNAL_PER_CONF);
- ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
ap_hook_check_access (ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_CONF);
+ ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
+ AP_AUTH_INTERNAL_PER_CONF);
ap_hook_check_authz (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_CONF);
- ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+ ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
+
+ APR_OPTIONAL_HOOK(proxy, section_post_config,
+ ssl_proxy_section_post_config, NULL, NULL,
+ APR_HOOK_MIDDLE);
ssl_var_register(p);
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
AUTHZ_PROVIDER_VERSION,
AUTHZ_PROVIDER_VERSION,
&ssl_authz_provider_verify_client,
AP_AUTH_INTERNAL_PER_CONF);
-
}
module AP_MODULE_DECLARE_DATA ssl_module = {