Add support for OpenSSL configuration commands.

author Stephen Henson <drh@apache.org>

Thu, 13 Dec 2012 14:52:47 +0000 (14:52 +0000)

committer Stephen Henson <drh@apache.org>

Thu, 13 Dec 2012 14:52:47 +0000 (14:52 +0000)
author Stephen Henson <drh@apache.org>
Thu, 13 Dec 2012 14:52:47 +0000 (14:52 +0000)
committer Stephen Henson <drh@apache.org>
Thu, 13 Dec 2012 14:52:47 +0000 (14:52 +0000)
diff --git a/CHANGES b/CHANGES

index 4770e6fa0230113cb438b0f3bead5f5847d41a6e..82b4a916e9862924043c2ea2773334079183c77b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.0
  
+  *) mod_ssl: Add support for OpenSSL configuration commands [Stephen Henson]
+
    *) EventOpt MPM
  
    *) mod_proxy_balancer: Improve output
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number

index 0af28381aaf23b2f4ad820fcaea6d7abb57fc5d9..1415bc57370d0d3591ce9f93aae942f6dac39ca5 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2407
+2408
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c

index ab9a8a65ea66da5cf599a8e2cb928a34967022d0..2e50dc979eb40b9fe8924887da7893b2f06b5794 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -272,6 +272,11 @@ static const command_rec ssl_config_cmds[] = {
                  "SSL stapling option to Force the OCSP Stapling URL")
  #endif
  
+#ifdef HAVE_SSL_CONF_CMD
+    SSL_CMD_SRV(OpenSSLConfCmd, TAKE2,
+               "OpenSSL configuration command")
+#endif
+
      /* Deprecated directives. */
      AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
        "SSLLog directive is no longer supported - use ErrorLog."),
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c

index 39f20f94972083be18e9b1e6378e53c05c23e8a9..bda5c0e4e46742fb326805ab246f8a0f7f2d2c52 100644 (file)
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -100,7 +100,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
  **  _________________________________________________________________
  */
  
-static void modssl_ctx_init(modssl_ctx_t *mctx)
+static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
  {
      mctx->sc                  = NULL; /* set during module init */
  
@@ -159,6 +159,9 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
      mctx->srp_unknown_user_seed = NULL;
      mctx->srp_vbase =             NULL;
  #endif
+#ifdef HAVE_SSL_CONF_CMD
+    mctx->ssl_ctx_param = apr_array_make(p, 10, sizeof(ssl_ctx_param_t));
+#endif
  }
  
  static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -168,7 +171,7 @@ static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
  
      mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));
  
-    modssl_ctx_init(mctx);
+    modssl_ctx_init(mctx, p);
  
      mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
  
@@ -186,7 +189,7 @@ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
  
      mctx = sc->server = apr_palloc(p, sizeof(*sc->server));
  
-    modssl_ctx_init(mctx);
+    modssl_ctx_init(mctx, p);
  
      mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
  
@@ -293,6 +296,11 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
      cfgMergeString(srp_vfile);
      cfgMergeString(srp_unknown_user_seed);
  #endif
+
+#ifdef HAVE_SSL_CONF_CMD
+    apr_array_cat(mrg->ssl_ctx_param,  base->ssl_ctx_param);
+    apr_array_cat(mrg->ssl_ctx_param,  add->ssl_ctx_param);
+#endif
  }
  
  static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
@@ -1848,7 +1856,18 @@ const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
  }
  
  #endif /* HAVE_OCSP_STAPLING */
-
+#ifdef HAVE_SSL_CONF_CMD
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
+                                       const char *arg1, const char *arg2)
+{
+    ssl_ctx_param_t *param;
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    param = apr_array_push(sc->server->ssl_ctx_param);
+    param->name = arg1;
+    param->value = arg2;
+    return NULL;
+}
+#endif
  #ifndef OPENSSL_NO_SRP
  
  const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 815228126b625783236de94e958208a9d18b418e..817f6fd88ceb290fb799baaa02c83cacdaab13c8 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -687,6 +687,26 @@ static void ssl_init_ctx_protocol(server_rec *s,
      SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  #endif
  
+#ifdef HAVE_SSL_CONF_CMD
+{
+    ssl_ctx_param_t *param = (ssl_ctx_param_t *)mctx->ssl_ctx_param->elts;
+    SSL_CONF_CTX *cctx;
+    int i;
+    cctx = SSL_CONF_CTX_new();
+    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE|SSL_CONF_FLAG_SERVER);
+    SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+    for (i = 0; i < mctx->ssl_ctx_param->nelts; i++, param++) {
+        if (SSL_CONF_cmd(cctx, param->name, param->value) <= 0) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02407)
+                    "Error SSL_CONF_cmd(%s,%s)", param->name, param->value);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            ssl_die(s);
+        }    
+    }
+    SSL_CONF_CTX_free(cctx);
+}
+#endif
+
  #ifdef SSL_MODE_RELEASE_BUFFERS
      /* If httpd is configured to reduce mem usage, ask openssl to do so, too */
      if (ap_max_mem_free != APR_ALLOCATOR_MAX_FREE_UNLIMITED)
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index 63e401db522be244317bee6f835f439d617bb8dc..16e0bcd499ce71789094a4e222cb3096c7c48645 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -144,6 +144,10 @@
  #define HAVE_TLS_NPN
  #endif
  
+#ifdef SSL_CONF_FLAG_FILE
+#define HAVE_SSL_CONF_CMD
+#endif
+
  #if (OPENSSL_VERSION_NUMBER >= 0x10000000)
  #define MODSSL_SSL_CIPHER_CONST const
  #define MODSSL_SSL_METHOD_CONST const
@@ -620,6 +624,13 @@ typedef struct {
  } modssl_ticket_key_t;
  #endif
  
+#ifdef HAVE_SSL_CONF_CMD
+typedef struct {
+    const char *name;
+    const char *value;
+} ssl_ctx_param_t;
+#endif
+
  typedef struct SSLSrvConfigRec SSLSrvConfigRec;
  
  typedef struct {
@@ -681,7 +692,9 @@ typedef struct {
      long ocsp_resptime_skew;
      long ocsp_resp_maxage;
      apr_interval_time_t ocsp_responder_timeout;
-
+#ifdef HAVE_SSL_CONF_CMD
+    apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
+#endif
  } modssl_ctx_t;
  
  struct SSLSrvConfigRec {
@@ -803,6 +816,8 @@ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char
  const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
  const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
  
+const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
+
  #ifndef OPENSSL_NO_SRP
  const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
  const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
author	Stephen Henson <drh@apache.org>
	Thu, 13 Dec 2012 14:52:47 +0000 (14:52 +0000)
committer	Stephen Henson <drh@apache.org>
	Thu, 13 Dec 2012 14:52:47 +0000 (14:52 +0000)
CHANGES		patch \| blob \| history
docs/log-message-tags/next-number		patch \| blob \| history
modules/ssl/mod_ssl.c		patch \| blob \| history
modules/ssl/ssl_engine_config.c		patch \| blob \| history
modules/ssl/ssl_engine_init.c		patch \| blob \| history
modules/ssl/ssl_private.h		patch \| blob \| history