-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add support for OpenSSL 1.1.0. [Rainer Jung]
+
*) hostname: Test and log useragent_host per-request across various modules,
including the scoreboard, expression and rewrite engines, setenvif,
authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
int i, len;
OCSP_RESPONSE *rsp;
OCSP_BASICRESP *br;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- OCSP_RESPDATA *rd;
- STACK_OF(X509_EXTENSION) *exts;
-#endif
OCSP_SINGLERESP *single;
len = SSL_get_tlsext_status_ocsp_resp(ssl, &p); /* UNDOC */
return 0;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- rd = br->tbsResponseData;
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { /* UNDOC */
-#else
for (i = 0; i < OCSP_resp_count(br); i++) {
-#endif
const unsigned char *p;
X509_EXTENSION *ext;
int idx;
ASN1_OCTET_STRING *oct1, *oct2;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- single = sk_OCSP_SINGLERESP_value(rd->responses, i); /* UNDOC */
-#else
single = OCSP_resp_get0(br, i);
-#endif
if (!single) {
continue;
}
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"index of NID_ct_cert_scts: %d", idx);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- exts = single->singleExtensions;
-
- ext = sk_X509_EXTENSION_value(exts, idx); /* UNDOC */
-#else
ext = OCSP_SINGLERESP_get_ext(single, idx);
-#endif
oct1 = X509_EXTENSION_get_data(ext); /* UNDOC */
p = oct1->data;
unsigned long err;
int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-#else
if ((bio = BIO_new(BIO_s_file())) == NULL)
-#endif
return -1;
if (BIO_read_filename(bio, file) <= 0) {
BIO_free(bio);
SSL_set_accept_state(ssl);
SSL_do_handshake(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
return HTTP_FORBIDDEN;
}
ctx = SSL_get_SSL_CTX(ssl);
}
else {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- int rc;
char peekbuf[1];
#endif
const char *reneg_support;
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02225)
"Re-negotiation request failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
* It is expected to work without changes with the forthcoming 1.1.0pre3.
* See: http://marc.info/?t=145493359200002&r=1&w=2
*/
- rc = SSL_peek(ssl, peekbuf, 0);
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, APLOGNO()
- "Renegotiation peek result=%d, "
- "reneg_state=%d, "
- "in_init=%d, init_finished=%d, "
- "state=%s, sslconn->ssl=%s, peer_certs=%s",
- rc, sslconn->reneg_state,
- SSL_in_init(ssl), SSL_is_init_finished(ssl),
- SSL_state_string_long(ssl),
- sslconn->ssl != NULL ? "yes" : "no",
- SSL_get_peer_certificate(ssl) != NULL ? "yes" : "no");
+ SSL_peek(ssl, peekbuf, 0);
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */
sslconn->reneg_state = RENEG_REJECT;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (SSL_get_state(ssl) != SSL_ST_OK) {
-#else
- if (SSL_get_state(ssl) != TLS_ST_OK) {
-#endif
+ if (!SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
"Re-negotiation handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
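Review bot: The trailing comment on `#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */` contradicts the condition it appears to close: the block that declares `peekbuf` opens with `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, so if this is that block's `#endif` it should read `#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */`. The new `SSL_peek(ssl, peekbuf, 0);` drops the result that the removed trace log used to record; writing it as `(void)SSL_peek(ssl, peekbuf, 0);` with a one-line comment stating why a zero-length peek is still required after `SSL_do_handshake()` would keep that intent visible now that the diagnostic is gone. The comment just above it still speaks of "the forthcoming 1.1.0pre3", which reads as stale in a change whose CHANGES entry announces 1.1.0 support, and could be reworded to state what is known to hold for released 1.1.0. The enclosing function begins before and continues past this hunk.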
"No cert available to check with OCSP");
return 1;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
-#else
- /* No need to check cert->valid, because modssl_verify_ocsp() only
- * is called if OpenSSL already successfully verified the certificate
- * (parameter "ok" in ssl_callback_SSLVerify() must be true).
- */
else if (X509_check_issued(cert,cert) == X509_V_OK) {
-#endif
/* don't do OCSP checking for valid self-issued certs */
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"Skipping OCSP check for valid self-issued cert");
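Review bot: The rationale for not testing `cert->valid` disappears together with the removed `#else` comment, so the surviving `else if (X509_check_issued(cert,cert) == X509_V_OK)` now silently relies on the caller having already verified the certificate, and a later reader may "fix" it by re-adding the check or, worse, assume the OCSP skip applies to unverified self-issued certs. Keep the explanation as a comment directly above the branch: `/* cert->valid is not checked here: modssl_verify_ocsp() is only reached after OpenSSL has verified the cert (ok != 0 in ssl_callback_SSLVerify). */`. The enclosing function begins before and continues past this hunk.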
for (i = 0; ssl_var_lookup_ssl_cert_dn_rec[i].name != NULL; i++) {
if (strEQn(var, ssl_var_lookup_ssl_cert_dn_rec[i].name, varlen)
&& strlen(ssl_var_lookup_ssl_cert_dn_rec[i].name) == varlen) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (j = 0; j < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries);
- j++) {
- xsne = sk_X509_NAME_ENTRY_value((STACK_OF(X509_NAME_ENTRY) *)
- xsname->entries, j);
-#else
for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
xsne = X509_NAME_get_entry(xsname, j);
-#endif
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
X509_NAME *xn, apr_pool_t *p)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- STACK_OF(X509_NAME_ENTRY) *ents = xn->entries;
-#endif
X509_NAME_ENTRY *xsne;
apr_hash_t *count;
int i, nid;
count = apr_hash_make(p);
/* For each RDN... */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- for (i = 0; i < sk_X509_NAME_ENTRY_num(ents); i++) {
- const char *tag;
-
- xsne = sk_X509_NAME_ENTRY_value(ents, i);
-#else
for (i = 0; i < X509_NAME_entry_count(xn); i++) {
const char *tag;
xsne = X509_NAME_get_entry(xn, i);
-#endif
/* Retrieve the nid, and check whether this is one of the nids
* which are to be extracted. */
for (j = 0; j < count; j++) {
X509_EXTENSION *ext = X509_get_ext(xs, j);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (OBJ_cmp(ext->object, oid) == 0) {
-#else
if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
-#endif
BIO *bio = BIO_new(BIO_s_mem());
/* We want to obtain a string representation of the extensions
/* OCSP stapling */
#if !defined(OPENSSL_NO_OCSP) && defined(SSL_CTX_set_tlsext_status_cb)
#define HAVE_OCSP_STAPLING
+/* All exist but are no longer macros since OpenSSL 1.1.0 */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* backward compatibility with OpenSSL < 1.0 */
#ifndef sk_OPENSSL_STRING_num
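Review bot: The added comment `/* All exist but are no longer macros since OpenSSL 1.1.0 */` does not say which names "all" refers to, and it sits above an `#if OPENSSL_VERSION_NUMBER < 0x10100000L` block whose own inner comment says it exists for OpenSSL < 1.0, so the two comments read as if they describe different version boundaries. Since the only symbol visible in the hunk is `sk_OPENSSL_STRING_num`, name the family explicitly, e.g. `/* sk_OPENSSL_STRING_* are real functions rather than macros since OpenSSL 1.1.0, so the #ifndef back-fill below must only be compiled for older releases. */`. The rest of the `#if` block lies outside this hunk, so whether every `#ifndef` in it is covered by that wording is not verifiable from here.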
if (bio) {
int n;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((i2a_ASN1_INTEGER(bio, cinf->cid->serialNumber) != -1) &&
-#else
ASN1_INTEGER *pserial;
OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
-#endif
((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
snum[n] = '\0';
BIO_free(bio);