Changes with Apache 2.5.1
*) mod_ssl: add support for TLSv1.3 (tested with OpenSSL v1.1.1-pre3, other libs may
- need more sugar). [Stefan Eissing]
+ need more sugar). Added configuration directives for TLSv1.3 cipher suites (which
+ are separate from previous ones) as SSL(Proxy)CipherSuiteV1_3. A great opportunity
+ to find a better name.
+ [Stefan Eissing]
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
[Eric Covener]
SSL_CMD_ALL(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"('XXX:...:XXX' - see manual)")
+#ifdef SSL_OP_NO_TLSv1_3
+ SSL_CMD_SRV(CipherSuiteV1_3, TAKE1,
+ "Colon-delimited list of permitted TLSv1.3 Ciphers "
+ "('XXX:...:XXX' - see manual)")
+#endif
SSL_CMD_SRV(CertificateFile, TAKE1,
"SSL Server Certificate file "
"('/path/to/file' - PEM or DER encoded)")
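Review bot: The two new directives are registered only under `#ifdef SSL_OP_NO_TLSv1_3` (L13-17 here and L24-28), while the handlers `ssl_cmd_SSLCipherSuiteV1_3` / `ssl_cmd_SSLProxyCipherSuiteV1_3` (L46-55, L61-70), their prototypes (L123, L130) and the `cipher_suite_tlsv1_3` field (L117) are compiled unconditionally. On a build against a library without TLSv1.3 the handlers become dead code, which is harmless but inconsistent, and a configuration that uses `SSLCipherSuiteV1_3` would presumably be rejected as an unknown directive rather than with a TLSv1.3-specific message. Either wrap the handler definitions and prototypes in the same guard, or make the asymmetry deliberate with a comment at the table entry such as `/* handlers and config fields stay compiled on every library; only the directive registration depends on TLSv1.3 support */`.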
SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
"SSL Proxy: colon-delimited list of permitted SSL ciphers "
"('XXX:...:XXX' - see manual)")
+#ifdef SSL_OP_NO_TLSv1_3
+ SSL_CMD_PXY(ProxyCipherSuiteV1_3, TAKE1,
+ "SSL Proxy: colon-delimited list of permitted TLSv1.3 ciphers "
+ "('XXX:...:XXX' - see manual)")
+#endif
SSL_CMD_PXY(ProxyVerify, TAKE1,
"SSL Proxy: whether to verify the remote certificate "
"('on' or 'off')")
mctx->auth.cipher_suite = NULL;
mctx->auth.verify_depth = UNSET;
mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
+ mctx->auth.cipher_suite_tlsv1_3 = NULL;
mctx->ocsp_mask = UNSET;
mctx->ocsp_force_default = UNSET;
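Review bot: `mctx->auth.cipher_suite_tlsv1_3 = NULL;` on L35 is placed after the verify_* fields rather than next to `auth.cipher_suite` on L32, and the merge on L41 repeats that ordering after `cfgMerge(auth.verify_mode, ...)`. Keeping the two cipher-suite fields adjacent in both blocks (L35 directly below L32, L41 directly below L38) lets a reader check by eye that every field initialised here is also merged, which is the property these two paired blocks exist to maintain.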
cfgMergeString(auth.cipher_suite);
cfgMergeInt(auth.verify_depth);
cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
+ cfgMergeString(auth.cipher_suite_tlsv1_3);
cfgMergeInt(ocsp_mask);
cfgMergeBool(ocsp_force_default);
return NULL;
}
+const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->auth.cipher_suite_tlsv1_3 = arg;
+
+ return NULL;
+}
+
#define SSL_FLAGS_CHECK_FILE \
(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO)
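Review bot: `ssl_cmd_SSLCipherSuiteV1_3` stores `arg` verbatim with no check of the list; per L89-95 the string is only validated when `SSL_CTX_set_ciphersuites` is applied at server init, so a malformed list is reported there and aborts startup rather than being reported at the directive. That deferral is fine, but it is not visible from the handler and deserves a comment on L50, e.g. `/* Not validated here: the TLSv1.3 list is applied and checked by SSL_CTX_set_ciphersuites() during server init, which fails startup on a bad list. */`. The same applies to `ssl_cmd_SSLProxyCipherSuiteV1_3` on L61-70.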
return NULL;
}
+const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+ dc->proxy->auth.cipher_suite_tlsv1_3 = arg;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
void *dcfg,
const char *arg)
apr_file_t *out, const char *indent, const char **psep)
{
DMP_STRING(proxy? "SSLProxyCipherSuite" : "SSLCipherSuite", auth->cipher_suite);
+#ifdef SSL_OP_NO_TLSv1_3
+ DMP_STRING(proxy? "SSLProxyCipherSuiteV1.3" : "SSLCipherSuiteV1.3", auth->cipher_suite_tlsv1_3);
+#endif
DMP_VERIFY(proxy? "SSLProxyVerify" : "SSLVerifyClient", auth->verify_mode);
DMP_LONG( proxy? "SSLProxyVerify" : "SSLVerifyDepth", auth->verify_depth);
DMP_STRING(proxy? "SSLProxyCACertificateFile" : "SSLCACertificateFile", auth->ca_cert_file);
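Review bot: The names dumped on L79, `"SSLProxyCipherSuiteV1.3"` / `"SSLCipherSuiteV1.3"`, do not match the directives registered on L14 and L25, which by the existing `CipherSuite` → `SSLCipherSuite` pattern (L10, L122) and the CHANGES entry on L5 are spelled `SSLCipherSuiteV1_3` and `SSLProxyCipherSuiteV1_3`. An admin grepping a dumped configuration for the directive they actually wrote will not find it, and tooling that round-trips the dump back into a config would emit an unknown directive. Use the registered spelling: `DMP_STRING(proxy? "SSLProxyCipherSuiteV1_3" : "SSLCipherSuiteV1_3", auth->cipher_suite_tlsv1_3);`.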
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s);
}
-
+#ifdef SSL_OP_NO_TLSv1_3
+ if (mctx->auth.cipher_suite_tlsv1_3
+ && !SSL_CTX_set_ciphersuites(ctx, mctx->auth.cipher_suite_tlsv1_3)) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
+ "Unable to configure permitted TLSv1.3 ciphers");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return ssl_die(s);
+ }
+#endif
return APR_SUCCESS;
}
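Review bot: The block on L88-96 uses `SSL_OP_NO_TLSv1_3` as the compile-time test for calling `SSL_CTX_set_ciphersuites`, but that macro is an SSL_OP_* option bit, not a declaration of the function; a library that exposes the option without that API would fail to compile here. A comment stating the assumption, e.g. `/* SSL_OP_NO_TLSv1_3 is taken to imply TLSv1.3 support and hence SSL_CTX_set_ciphersuites() */`, or a dedicated feature macro from configure, would make the dependency explicit. It is also worth a one-line comment that when `cipher_suite_tlsv1_3` is NULL the library's default TLSv1.3 list stays in force and, as the CHANGES entry on L4-5 says, `SSLCipherSuite` does not constrain it, since that is the behaviour an admin hardening ciphers will be surprised by. The enclosing function starts before this hunk.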
|| strcmp(a1->cipher_suite, a2->cipher_suite))) {
return 0;
}
+ /* both have the same ca cipher suite string */
+ if ((a1->cipher_suite_tlsv1_3 != a2->cipher_suite_tlsv1_3)
+ && (!a1->cipher_suite_tlsv1_3 || !a2->cipher_suite_tlsv1_3
+ || strcmp(a1->cipher_suite_tlsv1_3, a2->cipher_suite_tlsv1_3))) {
+ return 0;
+ }
return 1;
}
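Review bot: The added comment on L102, `/* both have the same ca cipher suite string */`, reads as a copy-paste slip: the field compared is `cipher_suite_tlsv1_3`, which has nothing to do with a CA. Change it to `/* both have the same TLSv1.3 cipher suite string */`. The comparison itself mirrors the preceding cipher_suite check on L99 and handles the NULL/non-NULL case correctly by short-circuiting before `strcmp`. The enclosing function begins before this hunk.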
/** for client or downstream server authentication */
int verify_depth;
ssl_verify_t verify_mode;
+
+ /** TLSv1.3 has its separate cipher list, separate from the
+ settings for older TLS protocol versions. Since which one takes
+ effect is a matter of negotiation, we need separate settings */
+ const char *cipher_suite_tlsv1_3;
} modssl_auth_ctx_t;
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLCipherSuiteV1_3(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLProxyCipherSuiteV1_3(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, void *, const char *);