-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: renamed section <SSLPolicy to <SSLPolicyDefine. Fixed behaviour
+ for new server config merge flag. Denying global, only once used directives
+ inside a SSLPolicyDefine. [Stefan Eissing]
+
*) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
should be accepted after the authorization scheme. \t are also tolerated.
[Christophe Jaillet]
<default>SSLEngine off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>The <code>addr:port</code> parameter is available in Apache 2.4.28 and later.</compatibility>
+<compatibility>The <code>addr:port</code> parameter is available in Apache 2.4.30 and later.</compatibility>
<usage>
<p>
</directivesynopsis>
<directivesynopsis type="section" idtype="section">
-<name>SSLPolicy</name>
+<name>SSLPolicyDefine</name>
<description>Define a named set of SSL configurations</description>
<syntax><SSLPolicy <em>name</em>></syntax>
<contextlist><context>server config</context></contextlist>
-<compatibility>Available in httpd 2.4.28 and later</compatibility>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
<usage>
<p>This directive defines a set of SSL* configurations under
<example><title>Define and Use of a Policy</title>
<highlight language="config">
-<SSLPolicy safe-stapling>
+<SSLPolicyDefine safe-stapling>
SSLUseStapling on
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400
-</SSLPolicy>
+</SSLPolicyDefine>
...
<VirtualHost...>
</highlight>
</example>
-<p>The directive can only be used in the server config (global context), so
-there cannot be two policies with the same name. However, policies can
+<p>The directive can only be used in the server config (global context). It can take
+most SSL* directives, however a few can only be set once and are not allowed inside
+policy defintions. These are <directive>SSLCryptoDevice</directive>,
+<directive>SSLRandomSeed</directive>,
+<directive>SSLSessionCache</directive> and
+<directive>SSLStaplingCache</directive>.
+</p>
+<p>Two policies cannot have the same name. However, policies can
be redefined:</p>
<example><title>Policy Overwrite</title>
<highlight language="config">
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify require
-</SSLPolicy>
+</SSLPolicyDefine>
...
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify none
-</SSLPolicy>
+</SSLPolicyDefine>
</highlight>
</example>
<example><title>Policy Redefine</title>
<highlight language="config">
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLProxyVerify require
-</SSLPolicy>
+</SSLPolicyDefine>
...
-<SSLPolicy proxy-trust>
+<SSLPolicyDefine proxy-trust>
SSLPolicy proxy-trust
SSLProxyVerifyDepth 10
-</SSLPolicy>
+</SSLPolicyDefine>
</highlight>
</example>
<highlight language="config">
Include ssl-policies.conf
-<SSLPolicy modern>
+<SSLPolicyDefine modern>
SSLPolicy modern
SSLProxyVerify none
-</SSLPolicy>
+</SSLPolicyDefine>
</highlight>
</example>
<syntax>SSLPolicy <em>name</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>Available in httpd 2.4.28 and later</compatibility>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
<usage>
<p>This directive applies the set of SSL* directives defined
-under 'name' (see <directive type="section">SSLPolicy</directive>) as the <em>base</em>
+under 'name' (see <directive type="section">SSLPolicyDefine</directive>) as the <em>base</em>
settings in the current context. Apache comes with the following pre-defined policies from
Mozilla, the makers of the Firefox browser
(<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">see here
<syntax>SSLProxyPolicy <em>name</em></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
-<compatibility>Available in httpd 2.4.28 and later</compatibility>
+<compatibility>Available in httpd 2.4.30 and later</compatibility>
<usage>
<p>This directive is similar to <directive>SSLPolicy</directive>, but
<directive type="section" idtype="section" module="mod_md">ManagedDomain</directive>
<directive type="section" module="mod_proxy">Proxy</directive>
<directive type="section" module="mod_proxy">ProxyMatch</directive>
-<directive type="section" idtype="section" module="mod_ssl">SSLPolicy</directive>
+<directive type="section" idtype="section" module="mod_ssl">SSLPolicyDefine</directive>
<directive type="section" module="core">VirtualHost</directive>
</directivelist>
</related>
AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
"SSLLogLevel directive is no longer supported - use LogLevel."),
- AP_INIT_TAKE1("<SSLPolicy", ssl_cmd_SSLPolicyDefine, NULL, RSRC_CONF,
+ AP_INIT_TAKE1("<SSLPolicyDefine", ssl_cmd_SSLPolicyDefine, NULL, RSRC_CONF,
"Define a set of SSL* configurations under a new name. Such a policy may "
"be used in any location where the SSL* directives are viable. The policy "
"may contain both SSL* and SSLProxy* specific settings. Which one is applied "
"depends on the use."),
AP_INIT_TAKE1("SSLPolicy", ssl_cmd_SSLPolicyApply, NULL, RSRC_CONF,
- "Use the SSL* (not the SSLProxy*) settings from the policy with the given name."),
+ "Apply the SSL* (not the SSLProxy*) settings from the policy with the given name."),
AP_INIT_TAKE1("SSLProxyPolicy", ssl_cmd_SSLProxyPolicyApply, NULL, RSRC_CONF|PROXY_CONF,
"Use the SSLProxy* settings from the policy with the given name."),
AP_END_CMD
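Review bot: The help strings for the two apply directives now describe the same action with different verbs: the `SSLPolicy` entry was changed to `"Apply the SSL* (not the SSLProxy*) settings ..."` while the `SSLProxyPolicy` entry still reads `"Use the SSLProxy* settings ..."`; changing the latter to `"Apply the SSLProxy* settings from the policy with the given name."` keeps the pair consistent. The `<syntax>` element in the documentation above is an unchanged line that still shows `<SSLPolicy name>`, so the rename to `<SSLPolicyDefine` looks incomplete on the docs side as well. The command table continues outside the hunk.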
BOOL ssl_config_global_isfixed(SSLModConfigRec *mc)
{
- return mc->bFixed;
+ return mc && mc->bFixed;
}
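Review bot: `return mc && mc->bFixed;` turns a NULL module config into the permissive answer "not fixed", so a caller that reaches this with `mc == NULL` (which the policy-definition path in this commit now arranges) is told it may go on and write through `mc`. The per-directive `if (!mc)` guards added elsewhere in the commit are what actually prevent that, which makes the NULL tolerance here a fallback rather than a contract; a comment at the function, `/* mc is NULL while inside <SSLPolicyDefine>; callers must reject that case before writing to mc */`, would make the intended division of responsibility explicit.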
/* _________________________________________________________________
SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name)
{
- apr_hash_t *policies = get_policies(pool, 0);
+ apr_hash_t *policies = get_policies(pool, 1);
if (policies) {
return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
}
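Review bot: Changing `get_policies(pool, 0)` to `get_policies(pool, 1)` alters a function whose name promises a pure lookup, and the meaning of the second argument is not visible in this hunk; if it is a create-if-missing flag, every lookup of an unknown policy name now allocates the policies table in `pool` as a side effect. If that is intended (for example so the built-in policies are registered on first use), a one-line comment such as `/* pass 1 so the policy table and its built-in entries exist on first lookup */` would document it; if not, the `0` was correct and the fix belongs in the caller. The remainder of ssl_policy_lookup lies outside the hunk.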
arg = apr_pstrndup(cmd->pool, arg, endp-arg);
if (!arg || !*arg) {
- return "<SSLPolicy > block must specify a name";
+ return "<SSLPolicyDefine > block must specify a name";
}
name = ap_getword_white(cmd->pool, &arg);
policy = apr_pcalloc(cmd->pool, sizeof(*policy));
policy->name = name;
policy->sc = ssl_config_server_new(cmd->pool);
+ policy->sc->mc = NULL; /* No global configs during SSLPolicy definition */
policy->dc = ssl_config_perdir_create(cmd->pool, "/");/* TODO */
ap_set_module_config(s->module_config, &ssl_module, policy->sc);
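Review bot: `policy->sc->mc = NULL;` makes a NULL module config the signal "inside a policy definition", so every directive handler that dereferences `sc->mc` becomes a NULL dereference unless it checks first; this commit adds that check to four handlers, but any other handler that reads `mc` from the server config (not visible here) would crash on a `<SSLPolicyDefine>` block instead of returning a config error. The invariant deserves to be stated at the assignment, e.g. `/* mc == NULL marks a policy definition: every directive handler that touches mc must reject that case (see SSLCryptoDevice, SSLRandomSeed, SSLSessionCache, SSLStaplingCache) */`, and the comment's `SSLPolicy` should read `SSLPolicyDefine` now that the section is renamed. The `<SSLPolicyDefine > block must specify a name` message also carries a stray space before `>`. The enclosing function starts and ends outside the hunk.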
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLCryptoDevice: cannot be used inside SSLPolicyDefine";
+ }
if (strcEQ(arg, "builtin")) {
mc->szCryptoDevice = NULL;
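Review bot: The new `if (!mc)` guard sits after `ap_check_cmd_context(cmd, GLOBAL_ONLY)`, which presumably passes inside an `<SSLPolicyDefine>` block because that section is itself RSRC_CONF; a short comment on the guard, `/* inside <SSLPolicyDefine> the server config carries no global mc */`, would record why a NULL check is still needed after a context check that already rejects non-global use. The same four-line pattern is repeated verbatim in the SSLRandomSeed, SSLSessionCache and SSLStaplingCache handlers below; a small helper that builds the `"<directive>: cannot be used inside SSLPolicyDefine"` message from `cmd->cmd->name` would keep the four messages in step and avoid the hard-coded directive names. In the SSLRandomSeed handler the following `ssl_config_global_isfixed(mc)` call is now reached only with a non-NULL `mc`, so the NULL tolerance added to that function is not exercised on this path. Where `mc` is assigned lies outside each of these hunks.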
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLRandomSeed: cannot be used inside SSLPolicyDefine";
+ }
if (ssl_config_global_isfixed(mc)) {
return NULL;
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLSessionCache: cannot be used inside SSLPolicyDefine";
+ }
/* The OpenSSL session cache mode must have both the flags
* SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a
if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
return err;
}
+ if (!mc) {
+ return "SSLStaplingCache: cannot be used inside SSLPolicyDefine";
+ }
/* Argument is of form 'name:args' or just 'name'. */
sep = ap_strchr_c(arg, ':');
#define SSL_POLICY_MOZILLA_VERSION 4.0
-#ifdef HAVE_TLS1_X
+#ifdef HAVE_TLSV1_X
#define SSL_POLICY_MODERN 1
#define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
#define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
-#else /* ifdef HAVE_TLS1_X */
+#else /* ifdef HAVE_TLSV1_X */
#define SSL_POLICY_MODERN 0
-#endif /* ifdef HAVE_TLS1_X, else part */
+#endif /* ifdef HAVE_TLSV1_X, else part */
#define SSL_POLICY_INTERMEDIATE 1
#define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
# if it has a non-1_X protocol, it works without OpenSSL 1.0.2
if not tlsv in TLS_1_X_VERSIONS:
return None
- return "HAVE_TLS1_X"
+ return "HAVE_TLSV1_X"
def getPolicyDef():