#include "ssl_private.h"
#include "mod_ssl.h"
+#include "mod_ssl_openssl.h"
#include "util_md5.h"
#include "util_mutex.h"
#include "ap_provider.h"
+#include "http_config.h"
+
+#include "mod_proxy.h" /* for proxy_hook_section_post_config() */
#include <assert.h>
+#if HAVE_VALGRIND
+#include <valgrind.h>
+int ssl_running_on_valgrind = 0;
+#endif
+static int modssl_running_statically = 0;
+
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
+ (conn_rec *c,SSL *ssl,int is_proxy),
+ (c,ssl,is_proxy), OK, DECLINED);
+
/*
* the table of configuration directives we provide
*/
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, RSRC_CONF, desc),
+#define SSL_CMD_PXY(name, args, desc) \
+ AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
+ NULL, RSRC_CONF|PROXY_CONF, desc),
+
#define SSL_CMD_DIR(name, type, args, desc) \
AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
NULL, OR_##type, desc),
/*
* Global (main-server) context configuration directives
*/
- SSL_CMD_SRV(Mutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
SSL_CMD_SRV(PassPhraseDialog, TAKE1,
"SSL dialog mechanism for the pass phrase query "
- "(`builtin', `|/path/to/pipe_program`, "
- "or `exec:/path/to/cgi_program')")
+ "('builtin', '|/path/to/pipe_program', "
+ "or 'exec:/path/to/cgi_program')")
SSL_CMD_SRV(SessionCache, TAKE1,
"SSL Session Cache storage "
- "(`none', `nonenotnull', `dbm:/path/to/file')")
+ "('none', 'nonenotnull', 'dbm:/path/to/file')")
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
SSL_CMD_SRV(CryptoDevice, TAKE1,
"SSL external Crypto Device usage "
- "(`builtin', `...')")
+ "('builtin', '...')")
#endif
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
- "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
+ "('startup|connect builtin|file:/path|exec:/path [bytes]')")
/*
* Per-server context configuration directives
*/
- SSL_CMD_SRV(Engine, TAKE1,
+ SSL_CMD_SRV(Engine, RAW_ARGS,
"SSL switch for the protocol engine "
+ "('on', 'off')")
+ SSL_CMD_SRV(FIPS, FLAG,
+ "Enable FIPS-140 mode "
"(`on', `off')")
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
- "(`XXX:...:XXX' - see manual)")
+ "('XXX:...:XXX' - see manual)")
SSL_CMD_SRV(CertificateFile, TAKE1,
"SSL Server Certificate file "
- "(`/path/to/file' - PEM or DER encoded)")
+ "('/path/to/file' - PEM or DER encoded)")
SSL_CMD_SRV(CertificateKeyFile, TAKE1,
"SSL Server Private Key file "
- "(`/path/to/file' - PEM or DER encoded)")
+ "('/path/to/file' - PEM or DER encoded)")
SSL_CMD_SRV(CertificateChainFile, TAKE1,
"SSL Server CA Certificate Chain file "
- "(`/path/to/file' - PEM encoded)")
- SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
- "PKCS#7 file containing server certificate and chain"
- " certificates (`/path/to/file' - PEM encoded)")
+ "('/path/to/file' - PEM encoded)")
+#ifdef HAVE_TLS_SESSION_TICKETS
+ SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
+ "TLS session ticket encryption/decryption key file (RFC 5077) "
+ "('/path/to/file' - file with 48 bytes of random data)")
+#endif
SSL_CMD_ALL(CACertificatePath, TAKE1,
"SSL CA Certificate path "
- "(`/path/to/dir' - contains PEM encoded files)")
+ "('/path/to/dir' - contains PEM encoded files)")
SSL_CMD_ALL(CACertificateFile, TAKE1,
"SSL CA Certificate file "
- "(`/path/to/file' - PEM encoded)")
+ "('/path/to/file' - PEM encoded)")
SSL_CMD_SRV(CADNRequestPath, TAKE1,
"SSL CA Distinguished Name path "
- "(`/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
+ "('/path/to/dir' - symlink hashes to PEM of acceptable CA names to request)")
SSL_CMD_SRV(CADNRequestFile, TAKE1,
"SSL CA Distinguished Name file "
- "(`/path/to/file' - PEM encoded to derive acceptable CA names to request)")
+ "('/path/to/file' - PEM encoded to derive acceptable CA names to request)")
SSL_CMD_SRV(CARevocationPath, TAKE1,
"SSL CA Certificate Revocation List (CRL) path "
- "(`/path/to/dir' - contains PEM encoded files)")
+ "('/path/to/dir' - contains PEM encoded files)")
SSL_CMD_SRV(CARevocationFile, TAKE1,
"SSL CA Certificate Revocation List (CRL) file "
- "(`/path/to/file' - PEM encoded)")
+ "('/path/to/file' - PEM encoded)")
+ SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
+ "SSL CA Certificate Revocation List (CRL) checking mode")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client verify type "
- "(`none', `optional', `require', `optional_no_ca')")
+ "('none', 'optional', 'require', 'optional_no_ca')")
SSL_CMD_ALL(VerifyDepth, TAKE1,
"SSL Client verify depth "
- "(`N' - number of intermediate certificates)")
+ "('N' - number of intermediate certificates)")
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime "
- "(`N' - number of seconds)")
+ "('N' - number of seconds)")
+#ifdef OPENSSL_NO_SSL3
+#define SSLv3_PROTO_PREFIX ""
+#else
+#define SSLv3_PROTO_PREFIX "SSLv3|"
+#endif
+#ifdef HAVE_TLSV1_X
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1|TLSv1.1|TLSv1.2"
+#else
+#define SSL_PROTOCOLS SSLv3_PROTO_PREFIX "TLSv1"
+#endif
SSL_CMD_SRV(Protocol, RAW_ARGS,
- "Enable or disable various SSL protocols"
- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ "Enable or disable various SSL protocols "
+ "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
+ SSL_CMD_SRV(Compression, FLAG,
+ "Enable SSL level compression "
+ "(`on', `off')")
+ SSL_CMD_SRV(SessionTickets, FLAG,
+ "Enable or disable TLS session tickets"
+ "(`on', `off')")
+ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+ "Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1,
"Set user name to SSL variable value")
- SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
- "Include I/O Dump when LogLevel is set to Debug "
- "([ None (default) | IO (not bytes) | Bytes ])")
+ SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
+ "Strict SNI virtual host checking")
+
+#ifdef HAVE_SRP
+ SSL_CMD_SRV(SRPVerifierFile, TAKE1,
+ "SRP verifier file "
+ "('/path/to/file' - created by srptool)")
+ SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
+ "SRP seed for unknown users (to avoid leaking a user's existence) "
+ "('some secret text')")
+#endif
/*
* Proxy configuration for remote SSL connections
*/
- SSL_CMD_SRV(ProxyEngine, FLAG,
+ SSL_CMD_PXY(ProxyEngine, FLAG,
"SSL switch for the proxy protocol engine "
- "(`on', `off')")
- SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+ "('on', 'off')")
+ SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
- "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
- SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+ "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
+ SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
- "(`XXX:...:XXX' - see manual)")
- SSL_CMD_SRV(ProxyVerify, TAKE1,
+ "('XXX:...:XXX' - see manual)")
+ SSL_CMD_PXY(ProxyVerify, TAKE1,
"SSL Proxy: whether to verify the remote certificate "
- "(`on' or `off')")
- SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
+ "('on' or 'off')")
+ SSL_CMD_PXY(ProxyVerifyDepth, TAKE1,
"SSL Proxy: maximum certificate verification depth "
- "(`N' - number of intermediate certificates)")
- SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
+ "('N' - number of intermediate certificates)")
+ SSL_CMD_PXY(ProxyCACertificateFile, TAKE1,
"SSL Proxy: file containing server certificates "
- "(`/path/to/file' - PEM encoded certificates)")
- SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
+ "('/path/to/file' - PEM encoded certificates)")
+ SSL_CMD_PXY(ProxyCACertificatePath, TAKE1,
"SSL Proxy: directory containing server certificates "
- "(`/path/to/dir' - contains PEM encoded certificates)")
- SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
+ "('/path/to/dir' - contains PEM encoded certificates)")
+ SSL_CMD_PXY(ProxyCARevocationPath, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) path "
- "(`/path/to/dir' - contains PEM encoded files)")
- SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
+ "('/path/to/dir' - contains PEM encoded files)")
+ SSL_CMD_PXY(ProxyCARevocationFile, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) file "
- "(`/path/to/file' - PEM encoded)")
- SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
+ "('/path/to/file' - PEM encoded)")
+ SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS,
+ "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
+ SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1,
"SSL Proxy: file containing client certificates "
- "(`/path/to/file' - PEM encoded certificates)")
- SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
+ "('/path/to/file' - PEM encoded certificates)")
+ SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1,
"SSL Proxy: directory containing client certificates "
- "(`/path/to/dir' - contains PEM encoded certificates)")
+ "('/path/to/dir' - contains PEM encoded certificates)")
+ SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1,
+ "SSL Proxy: file containing issuing certificates "
+ "of the client certificate "
+ "(`/path/to/file' - PEM encoded certificates)")
+ SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG,
+ "SSL Proxy: check the peer certificate's expiration date")
+ SSL_CMD_PXY(ProxyCheckPeerCN, FLAG,
+ "SSL Proxy: check the peer certificate's CN")
+ SSL_CMD_PXY(ProxyCheckPeerName, FLAG,
+ "SSL Proxy: check the peer certificate's name "
+ "(must be present in subjectAltName extension or CN")
/*
* Per-directory context configuration directives
*/
SSL_CMD_DIR(Options, OPTIONS, RAW_ARGS,
"Set one or more options to configure the SSL engine"
- "(`[+-]option[=value] ...' - see manual)")
+ "('[+-]option[=value] ...' - see manual)")
SSL_CMD_DIR(RequireSSL, AUTHCFG, NO_ARGS,
"Require the SSL protocol for the per-directory context "
"(no arguments)")
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
+ SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
+ "Configure the amount of memory that will be used for buffering the "
+ "request body if a per-location SSL renegotiation is required due to "
+ "changed access control requirements")
- SSL_CMD_SRV(OCSPEnable, FLAG,
- "Enable use of OCSP to verify certificate revocation (`on', `off')")
+ SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
+ "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
"URL of the default OCSP Responder")
SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
- "Force use of the default responder URL (`on', `off')")
+ "Force use of the default responder URL ('on', 'off')")
+ SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
+ "Maximum time difference in OCSP responses")
+ SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
+ "Maximum age of OCSP responses")
+ SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
+ "OCSP responder query timeout")
+ SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+ "Whether OCSP queries use a nonce or not ('on', 'off')")
+ SSL_CMD_SRV(OCSPProxyURL, TAKE1,
+ "Proxy URL to use for OCSP requests")
+
+/* Define OCSP Responder Certificate Verification Directive */
+ SSL_CMD_SRV(OCSPNoVerify, FLAG,
+ "Do not verify OCSP Responder certificate ('on', 'off')")
+/* Define OCSP Responder File Configuration Directive */
+ SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
+ "Trusted OCSP responder certificates"
+ "(`/path/to/file' - PEM encoded certificates)")
+
+#ifdef HAVE_OCSP_STAPLING
+ /*
+ * OCSP Stapling options
+ */
+ SSL_CMD_SRV(StaplingCache, TAKE1,
+ "SSL Stapling Response Cache storage "
+ "(`dbm:/path/to/file')")
+ SSL_CMD_SRV(UseStapling, FLAG,
+ "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
+ SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
+ "SSL stapling option for maximum time difference in OCSP responses")
+ SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
+ "SSL stapling option for OCSP responder timeout")
+ SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
+ "SSL stapling option for maximum age of OCSP responses")
+ SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
+ "SSL stapling option for normal OCSP Response Cache Lifetime")
+ SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
+ "SSL stapling switch to return Status Errors Back to Client"
+ "(`on', `off')")
+ SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
+ "SSL stapling switch to send tryLater response to client on error "
+ "(`on', `off')")
+ SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
+ "SSL stapling option for OCSP Response Error Cache Lifetime")
+ SSL_CMD_SRV(StaplingForceURL, TAKE1,
+ "SSL stapling option to Force the OCSP Stapling URL")
+#endif
+
+#ifdef HAVE_SSL_CONF_CMD
+ SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
+ "OpenSSL configuration command")
+#endif
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
+ AP_INIT_TAKE1("<SSLPolicyDefine", ssl_cmd_SSLPolicyDefine, NULL, RSRC_CONF,
+ "Define a set of SSL* configurations under a new name. Such a policy may "
+ "be used in any location where the SSL* directives are viable. The policy "
+ "may contain both SSL* and SSLProxy* specific settings. Which one is applied "
+ "depends on the use."),
+ AP_INIT_TAKE1("SSLPolicy", ssl_cmd_SSLPolicyApply, NULL, RSRC_CONF,
+ "Apply the SSL* (not the SSLProxy*) settings from the policy with the given name."),
+ AP_INIT_TAKE1("SSLProxyPolicy", ssl_cmd_SSLProxyPolicyApply, NULL, RSRC_CONF|PROXY_CONF,
+ "Use the SSLProxy* settings from the policy with the given name."),
AP_END_CMD
};
/*
* the various processing hooks
*/
+static int modssl_is_prelinked(void)
+{
+ apr_size_t i = 0;
+ const module *mod;
+ while ((mod = ap_prelinked_modules[i++])) {
+ if (strcmp(mod->name, "mod_ssl.c") == 0) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static apr_status_t ssl_cleanup_pre_config(void *data)
{
/*
* Try to kill the internals of the SSL library.
*/
-#ifdef HAVE_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
- /* Corresponds to OPENSSL_load_builtin_modules():
- * XXX: borrowed from apps.h, but why not CONF_modules_free()
- * which also invokes CONF_modules_finish()?
- */
- CONF_modules_unload(1);
-#endif
+#ifdef HAVE_FIPS
+ FIPS_mode_set(0);
#endif
+ /* Corresponds to OBJ_create()s */
+ OBJ_cleanup();
+ /* Corresponds to OPENSSL_load_builtin_modules() */
+ CONF_modules_free();
/* Corresponds to SSL_library_init: */
EVP_cleanup();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#ifndef OPENSSL_NO_COMP
+ SSL_COMP_free_compression_methods();
+#endif
+#endif
+
+ /* Usually needed per thread, but this parent process is single-threaded */
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+ ERR_remove_thread_state(NULL);
+#else
ERR_remove_state(0);
+#endif
+#endif
- /* Don't call ERR_free_strings here; ERR_load_*_strings only
- * actually load the error strings once per process due to static
+ /* Don't call ERR_free_strings in earlier versions, ERR_load_*_strings only
+ * actually loaded the error strings once per process due to static
* variable abuse in OpenSSL. */
+#if (OPENSSL_VERSION_NUMBER >= 0x00090805f)
+ ERR_free_strings();
+#endif
- /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
- * ex_data indices may have been cached in static variables in
- * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
+ /* Also don't call CRYPTO_cleanup_all_ex_data when linked statically here;
+ * any registered ex_data indices may have been cached in static variables
+ * in OpenSSL; removing them may cause havoc. Notably, with OpenSSL
* versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
* could result in a per-connection memory leak (!). */
+ if (!modssl_running_statically) {
+ CRYPTO_cleanup_all_ex_data();
+ }
/*
* TODO: determine somewhere we can safely shove out diagnostics
apr_pool_t *plog,
apr_pool_t *ptemp)
{
+#if HAVE_VALGRIND
+ ssl_running_on_valgrind = RUNNING_ON_VALGRIND;
+#endif
+ modssl_running_statically = modssl_is_prelinked();
+
+ /* Some OpenSSL internals are allocated per-thread, make sure they
+ * are associated to the/our same thread-id until cleaned up.
+ */
+#if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API
+ ssl_util_thread_id_setup(pconf);
+#endif
+
/* We must register the library in full, to ensure our configuration
* code can successfully test the SSL environment.
*/
- CRYPTO_malloc_init();
-#ifdef HAVE_OPENSSL
- ERR_load_crypto_strings();
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
+ (void)CRYPTO_malloc_init();
+#else
+ OPENSSL_malloc_init();
#endif
+ ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif
-#ifdef HAVE_OPENSSL
OpenSSL_add_all_algorithms();
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
OPENSSL_load_builtin_modules();
-#endif
-#endif
+
+ if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
+ (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
+ "SRVName otherName form");
+ }
+
+ /* Start w/o errors (e.g. OBJ_txt2nid() above) */
+ ERR_clear_error();
/*
* Let us cleanup the ssl library when the module is unloaded
/* Register to handle mod_status status page generation */
ssl_scache_status_register(pconf);
+ /* Register mutex type names so they can be configured with Mutex */
+ ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0);
+#ifdef HAVE_OCSP_STAPLING
+ ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL,
+ APR_LOCK_DEFAULT, 0);
+ ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL,
+ APR_LOCK_DEFAULT, 0);
+#endif
+
return OK;
}
-static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
+ ap_conf_vector_t *per_dir_config)
{
SSLConnRec *sslconn = myConnConfig(c);
+ SSLSrvConfigRec *sc;
if (sslconn) {
return sslconn;
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
+ if (per_dir_config) {
+ sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
+ }
+ else {
+ sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
+ &ssl_module);
+ }
+
+ sslconn->server = c->base_server;
+ sslconn->verify_depth = UNSET;
+ sc = mySrvConfig(c->base_server);
+ sslconn->cipher_suite = sc->server->auth.cipher_suite;
+
myConnConfigSet(c, sslconn);
return sslconn;
}
-int ssl_proxy_enable(conn_rec *c)
+static int ssl_server_addr_matches(server_addr_rec *sar, apr_sockaddr_t *sa)
{
- SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
-
- SSLConnRec *sslconn = ssl_init_connection_ctx(c);
-
- if (!sc->proxy_enabled) {
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
- "SSL Proxy requested for %s but not enabled "
- "[Hint: SSLProxyEngine]", sc->vhost_id);
+ /* Determine if the list of server_addr_rec's matches the given socket address.
+ * IP Address/port may be wilcard/0 for a match to occur. */
+ while (sar) {
+ if (apr_sockaddr_is_wildcard(sar->host_addr)
+ || apr_sockaddr_equal(sar->host_addr, sa)) {
+ if (sar->host_addr->port == sa->port
+ || sar->host_addr->port == 0
+ || sa->port == 0) {
+ return 1;
+ }
+ }
+ sar = sar->next;
+ }
+ return 0;
+}
- return 0;
+int ssl_server_addr_overlap(server_addr_rec *sar1, server_addr_rec *sar2)
+{
+ if (sar1) {
+ while (sar2) {
+ if (ssl_server_addr_matches(sar1, sar2->host_addr)) {
+ return 1;
+ }
+ sar2 = sar2->next;
+ }
}
+ return 0;
+}
- sslconn->is_proxy = 1;
- sslconn->disabled = 0;
+static ssl_enabled_t ssl_srv_enabled_on(server_rec *s, apr_sockaddr_t *sa)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+ if (sc->enabled == SSL_ENABLED_TRUE && sc->enabled_on) {
+ if (!ssl_server_addr_matches(sc->enabled_on, sa)) {
+ return SSL_ENABLED_FALSE;
+ }
+ }
+ return sc->enabled;
+}
- return 1;
+static ssl_enabled_t ssl_conn_enabled(conn_rec *c)
+{
+ if (c->master) {
+ return ssl_conn_enabled(c->master);
+ }
+ else {
+ SSLConnRec *sslconn = myConnConfig(c);
+ if (sslconn) {
+ if (sslconn->disabled) {
+ return SSL_ENABLED_FALSE;
+ }
+ if (sslconn->is_proxy) {
+ if (!sslconn->dc->proxy_enabled) {
+ return SSL_ENABLED_FALSE;
+ }
+ }
+ else {
+ return ssl_srv_enabled_on(sslconn->server, c->local_addr);
+ }
+ }
+ else {
+ return ssl_srv_enabled_on(c->base_server, c->local_addr);
+ }
+ }
+ return SSL_ENABLED_TRUE;
}
-int ssl_engine_disable(conn_rec *c)
+static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
{
- SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ if (c->master) {
+ return DECLINED;
+ }
+ if (sslconn) {
+ if (sslconn->disabled) {
+ return SUSPENDED;
+ }
+ if (sslconn->is_proxy) {
+ if (!sslconn->dc->proxy_enabled) {
+ return DECLINED;
+ }
+ }
+ else if (ssl_srv_enabled_on(sslconn->server, c->local_addr) != SSL_ENABLED_TRUE) {
+ return DECLINED;
+ }
+ }
+ else if (ssl_srv_enabled_on(c->base_server, c->local_addr) != SSL_ENABLED_TRUE) {
+ return DECLINED;
+ }
+ return OK;
+}
+static int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int proxy, int enable)
+{
SSLConnRec *sslconn;
+ int status;
+
+ if (proxy) {
+ sslconn = ssl_init_connection_ctx(c, per_dir_config);
+ sslconn->is_proxy = 1;
+ }
+ else {
+ sslconn = myConnConfig(c);
+ }
+
+ status = ssl_engine_status(c, sslconn);
- if (sc->enabled == SSL_ENABLED_FALSE) {
- return 0;
+ if (proxy && status == DECLINED) {
+ if (enable) {
+ SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+ "SSL Proxy requested for %s but not enabled "
+ "[Hint: SSLProxyEngine]", sc->vhost_id);
+ }
+ sslconn->disabled = 1;
+ }
+ else if (sslconn) {
+ sslconn->disabled = !enable;
}
- sslconn = ssl_init_connection_ctx(c);
+ return status != DECLINED;
+}
- sslconn->disabled = 1;
+static int ssl_proxy_enable(conn_rec *c)
+{
+ return ssl_engine_set(c, NULL, 1, 1);
+}
- return 1;
+static int ssl_engine_disable(conn_rec *c)
+{
+ return ssl_engine_set(c, NULL, 0, 0);
}
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
{
- SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ SSLSrvConfigRec *sc;
SSL *ssl;
- SSLConnRec *sslconn = myConnConfig(c);
+ SSLConnRec *sslconn;
char *vhost_md5;
+ int rc;
modssl_ctx_t *mctx;
+ server_rec *server;
/*
- * Seed the Pseudo Random Number Generator (PRNG)
+ * Create or retrieve SSL context
*/
- ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
+ sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
+ server = sslconn->server;
+ sc = mySrvConfig(server);
- if (!sslconn) {
- sslconn = ssl_init_connection_ctx(c);
- }
+ /*
+ * Seed the Pseudo Random Number Generator (PRNG)
+ */
+ ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
+ sslconn->is_proxy ? "Proxy: " : "Server: ");
- mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+ mctx = myCtxConfig(sslconn, sc);
/*
* Create a new SSL connection with the configured server SSL context and
* attach this to the socket. Additionally we register this attachment
* so we can detach later.
*/
- if (!(ssl = SSL_new(mctx->ssl_ctx))) {
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ if (!(sslconn->ssl = ssl = SSL_new(mctx->ssl_ctx))) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01962)
"Unable to create a new SSL connection from the SSL "
"context");
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
return DECLINED; /* XXX */
}
+ rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+ if (rc != OK && rc != DECLINED) {
+ return rc;
+ }
+
vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id,
sc->vhost_id_len);
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
APR_MD5_DIGESTSIZE*2))
{
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
- "Unable to set session id context to `%s'", vhost_md5);
- ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01963)
+ "Unable to set session id context to '%s'", vhost_md5);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
c->aborted = 1;
}
SSL_set_app_data(ssl, c);
- SSL_set_app_data2(ssl, NULL); /* will be request_rec */
-
- sslconn->ssl = ssl;
-
- /*
- * Configure callbacks for SSL connection
- */
- SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
- SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
+ modssl_set_app_data2(ssl, NULL); /* will be request_rec */
SSL_set_verify_result(ssl, X509_V_OK);
return APR_SUCCESS;
}
+/* FIXME: if we ever want to server http: requests over TLS, this
+ * needs to change. We probably need the scheme in request_rec and
+ * return that iff it is set. */
static const char *ssl_hook_http_scheme(const request_rec *r)
{
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
-
- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
- return NULL;
+ switch (ssl_conn_enabled(r->connection)) {
+ case SSL_ENABLED_FALSE:
+ case SSL_ENABLED_OPTIONAL:
+ return NULL;
+ default:
+ return "https";
}
-
- return "https";
}
static apr_port_t ssl_hook_default_port(const request_rec *r)
{
- SSLSrvConfigRec *sc = mySrvConfig(r->server);
-
- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
- return 0;
+ switch (ssl_conn_enabled(r->connection)) {
+ case SSL_ENABLED_FALSE:
+ case SSL_ENABLED_OPTIONAL:
+ return 0;
+ default:
+ return 443;
}
-
- return 443;
}
static int ssl_hook_pre_connection(conn_rec *c, void *csd)
{
- SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ SSLSrvConfigRec *sc;
SSLConnRec *sslconn = myConnConfig(c);
/*
* Immediately stop processing if SSL is disabled for this connection
*/
- if (!(sc && (sc->enabled == SSL_ENABLED_TRUE ||
- (sslconn && sslconn->is_proxy))))
- {
+ if (ssl_engine_status(c, sslconn) != OK) {
return DECLINED;
}
- /*
- * Create SSL context
- */
- if (!sslconn) {
- sslconn = ssl_init_connection_ctx(c);
+ if (sslconn) {
+ sc = mySrvConfig(sslconn->server);
}
-
- if (sslconn->disabled) {
- return DECLINED;
+ else {
+ sc = mySrvConfig(c->base_server);
}
/*
* later access inside callback functions
*/
- ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(01964)
"Connection to child %ld established "
"(server %s)", c->id, sc->vhost_id);
return ssl_init_ssl_connection(c, NULL);
}
+static int ssl_hook_process_connection(conn_rec* c)
+{
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ if (sslconn && !sslconn->disabled) {
+ /* On an active SSL connection, let the input filters initialize
+ * themselves which triggers the handshake, which again triggers
+ * all kinds of useful things such as SNI and ALPN.
+ */
+ apr_bucket_brigade* temp;
+
+ temp = apr_brigade_create(c->pool, c->bucket_alloc);
+ ap_get_brigade(c->input_filters, temp,
+ AP_MODE_INIT, APR_BLOCK_READ, 0);
+ apr_brigade_destroy(temp);
+ }
+
+ return DECLINED;
+}
+
/*
* the module registration phase
*/
/* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
* run after mod_setenvif's post_read_request hook. */
static const char *pre_prr[] = { "mod_setenvif.c", NULL };
+ /* The ssl_init_Module post_config hook should run before mod_proxy's
+ * for the ssl proxy main configs to be merged with vhosts' before being
+ * themselves merged with mod_proxy's in proxy_hook_section_post_config.
+ */
+ static const char *b_pc[] = { "mod_proxy.c", NULL};
+
ssl_io_filter_register(p);
ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_process_connection(ssl_hook_process_connection,
+ NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config (ssl_init_Module, NULL,b_pc, APR_HOOK_MIDDLE);
ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
- AP_AUTH_INTERNAL_PER_CONF);
- ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
ap_hook_check_access (ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_CONF);
+ ap_hook_check_authn (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST,
+ AP_AUTH_INTERNAL_PER_CONF);
ap_hook_check_authz (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE,
AP_AUTH_INTERNAL_PER_CONF);
- ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+ ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
+
+ APR_OPTIONAL_HOOK(proxy, section_post_config,
+ ssl_proxy_section_post_config, NULL, NULL,
+ APR_HOOK_MIDDLE);
ssl_var_register(p);
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
+ AUTHZ_PROVIDER_VERSION,
+ &ssl_authz_provider_require_ssl,
+ AP_AUTH_INTERNAL_PER_CONF);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl-verify-client",
+ AUTHZ_PROVIDER_VERSION,
+ &ssl_authz_provider_verify_client,
+ AP_AUTH_INTERNAL_PER_CONF);
}
module AP_MODULE_DECLARE_DATA ssl_module = {
ssl_config_server_merge, /* merge per-server config structures */
ssl_config_cmds, /* table of configuration directives */
ssl_register_hooks /* register hooks */
+#if defined(AP_MODULE_HAS_FLAGS)
+ ,AP_MODULE_FLAG_ALWAYS_MERGE /* flags */
+#endif
};