/* The #ifdef macros are only defined AFTER including the above
* therefore we cannot include these system files at the top :-(
*/
-#ifdef APR_HAVE_STDLIB_H
+#if APR_HAVE_STDLIB_H
#include <stdlib.h>
#endif
#if APR_HAVE_SYS_TIME_H
/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
+/* All exist but are no longer macros since OpenSSL 1.1.0 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* backward compatibility with OpenSSL < 1.0 */
#ifndef sk_OPENSSL_STRING_num
#define sk_OPENSSL_STRING_num sk_num
#ifndef sk_OPENSSL_STRING_pop
#define sk_OPENSSL_STRING_pop sk_pop
#endif
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb) */
/* TLS session tickets */
#if defined(SSL_CTX_set_tlsext_ticket_key_cb)
|| (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
/**
- * CRL checking modes
+ * CRL checking mask (mode | flags)
*/
typedef enum {
- SSL_CRLCHECK_UNSET = UNSET,
- SSL_CRLCHECK_NONE = 0,
- SSL_CRLCHECK_LEAF = 1,
- SSL_CRLCHECK_CHAIN = 2
+ SSL_CRLCHECK_NONE = (0),
+ SSL_CRLCHECK_LEAF = (1 << 0),
+ SSL_CRLCHECK_CHAIN = (1 << 1),
+
+#define SSL_CRLCHECK_FLAGS (~0x3)
+ SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
} ssl_crlcheck_t;
/**
* Define the SSL requirement structure
*/
typedef struct {
- char *cpExpr;
+ const char *cpExpr;
ap_expr_info_t *mpExpr;
} ssl_require_t;
int disabled;
enum {
NON_SSL_OK = 0, /* is SSL request, or error handling completed */
+ NON_SSL_SEND_REQLINE, /* Need to send the fake request line */
NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */
NON_SSL_SET_ERROR_MSG /* Need to set the error message */
} non_ssl_request;
* partial fix for CVE-2009-3555. */
enum {
RENEG_INIT = 0, /* Before initial handshake */
- RENEG_REJECT, /* After initial handshake; any client-initiated
- * renegotiation should be rejected */
- RENEG_ALLOW, /* A server-initiated renegotiation is taking
- * place (as dictated by configuration) */
- RENEG_ABORT /* Renegotiation initiated by client, abort the
- * connection */
+ RENEG_REJECT, /* After initial handshake; any client-initiated
+ * renegotiation should be rejected */
+ RENEG_ALLOW, /* A server-initiated renegotiation is taking
+ * place (as dictated by configuration) */
+ RENEG_ABORT /* Renegotiation initiated by client, abort the
+ * connection */
} reneg_state;
server_rec *server;
+
+ const char *cipher_suite; /* cipher suite used in last reneg */
} SSLConnRec;
/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
/** certificate revocation list */
const char *crl_path;
const char *crl_file;
- ssl_crlcheck_t crl_check_mode;
+ int crl_check_mask;
#ifdef HAVE_OCSP_STAPLING
/** OCSP stapling options */
long ocsp_resp_maxage;
apr_interval_time_t ocsp_responder_timeout;
BOOL ocsp_use_request_nonce;
+ apr_uri_t *proxy_uri;
#ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
#ifdef HAVE_SSL_CONF_CMD
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);