From: Stefan Eissing Date: Thu, 7 Dec 2017 15:11:13 +0000 (+0000) Subject: On the trunk: X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4a4e4ce638e0f61e300cb35d62fc0c6a0d583424;p=apache On the trunk: mod_ssl: renamed section SSLEngine off server config virtual host -The addr:port parameter is available in Apache 2.4.28 and later. +The addr:port parameter is available in Apache 2.4.30 and later.

@@ -2840,11 +2840,11 @@ SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256 -SSLPolicy +SSLPolicyDefine Define a named set of SSL configurations <SSLPolicy name> server config -Available in httpd 2.4.28 and later +Available in httpd 2.4.30 and later

This directive defines a set of SSL* configurations under
@@ -2854,13 +2854,13 @@ to apply this configuration set in the current context.

Define and Use of a Policy -<SSLPolicy safe-stapling> +<SSLPolicyDefine safe-stapling> SSLUseStapling on SSLStaplingResponderTimeout 2 SSLStaplingReturnResponderErrors off SSLStaplingFakeTryLater off SSLStaplingStandardCacheTimeout 86400 -</SSLPolicy> +</SSLPolicyDefine> ... <VirtualHost...>
@@ -2887,19 +2887,25 @@ httpd -t -D DUMP_SSL_POLICIES -

The directive can only be used in the server config (global context), so -there cannot be two policies with the same name. However, policies can +

The directive can only be used in the server config (global context). It can take +most SSL* directives, however a few can only be set once and are not allowed inside +policy defintions. These are SSLCryptoDevice, +SSLRandomSeed, +SSLSessionCache and +SSLStaplingCache. +

+

Two policies cannot have the same name. However, policies can be redefined:

Policy Overwrite -<SSLPolicy proxy-trust> +<SSLPolicyDefine proxy-trust> SSLProxyVerify require -</SSLPolicy> +</SSLPolicyDefine> ... -<SSLPolicy proxy-trust> +<SSLPolicyDefine proxy-trust> SSLProxyVerify none -</SSLPolicy> +</SSLPolicyDefine>
@@ -2914,14 +2920,14 @@ an aspect of a policy:

Policy Redefine -<SSLPolicy proxy-trust> +<SSLPolicyDefine proxy-trust> SSLProxyVerify require -</SSLPolicy> +</SSLPolicyDefine> ... -<SSLPolicy proxy-trust> +<SSLPolicyDefine proxy-trust> SSLPolicy proxy-trust SSLProxyVerifyDepth 10 -</SSLPolicy> +</SSLPolicyDefine>
@@ -2936,10 +2942,10 @@ be setup like this:

Include ssl-policies.conf -<SSLPolicy modern> +<SSLPolicyDefine modern> SSLPolicy modern SSLProxyVerify none -</SSLPolicy> +</SSLPolicyDefine>
@@ -2952,11 +2958,11 @@ Include ssl-policies.conf SSLPolicy name server config virtual host -Available in httpd 2.4.28 and later +Available in httpd 2.4.30 and later

This directive applies the set of SSL* directives defined -under 'name' (see SSLPolicy) as the base +under 'name' (see SSLPolicyDefine) as the base settings in the current context. Apache comes with the following pre-defined policies from Mozilla, the makers of the Firefox browser (see here
@@ -3029,7 +3035,7 @@ later ones overshadowing the earlier ones:

SSLProxyPolicy name server config virtual host -Available in httpd 2.4.28 and later +Available in httpd 2.4.30 and later

This directive is similar to SSLPolicy, but
diff --git a/docs/manual/sections.xml b/docs/manual/sections.xml
index 98707ce711..937856b4ef 100644
--- a/docs/manual/sections.xml
+++ b/docs/manual/sections.xml
@@ -54,7 +54,7 @@ to change the scope of other configuration directives.

ManagedDomain Proxy ProxyMatch -SSLPolicy +SSLPolicyDefine VirtualHost
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 9744fcebda..b8c60af065 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -312,13 +312,13 @@ static const command_rec ssl_config_cmds[] = {
 AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL, "SSLLogLevel directive is no longer supported - use LogLevel."),
- AP_INIT_TAKE1("bFixed;
+ return mc && mc->bFixed;
 }
 /* _________________________________________________________________
@@ -635,7 +635,7 @@ static apr_array_header_t *get_policy_names(apr_pool_t *p, int create) SSLPolicyRec *ssl_policy_lookup(apr_pool_t *pool, const char *name) {
- apr_hash_t *policies = get_policies(pool, 0);
+ apr_hash_t *policies = get_policies(pool, 1);
 if (policies) {
 return apr_hash_get(policies, name, APR_HASH_KEY_STRING);
 }
@@ -670,7 +670,7 @@ const char *ssl_cmd_SSLPolicyDefine(cmd_parms *cmd, void *mconfig, const char *a arg = apr_pstrndup(cmd->pool, arg, endp-arg);
 if (!arg || !*arg) {
- return " block must specify a name";
+ return " block must specify a name";
 }
 name = ap_getword_white(cmd->pool, &arg);
@@ -681,6 +681,7 @@ const char *ssl_cmd_SSLPolicyDefine(cmd_parms *cmd, void *mconfig, const char *a policy = apr_pcalloc(cmd->pool, sizeof(*policy));
 policy->name = name;
 policy->sc = ssl_config_server_new(cmd->pool);
+ policy->sc->mc = NULL; /* No global configs during SSLPolicy definition */
 policy->dc = ssl_config_perdir_create(cmd->pool, "/");/* TODO */
 ap_set_module_config(s->module_config, &ssl_module, policy->sc);
@@ -846,6 +847,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
 return err;
 }
+ if (!mc) {
+ return "SSLCryptoDevice: cannot be used inside SSLPolicyDefine";
+ }
 if (strcEQ(arg, "builtin")) {
 mc->szCryptoDevice = NULL; 
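Review bot: In the `@@ -635` hunk, `ssl_policy_lookup` now passes `create = 1` to `get_policies`, so a read-only lookup allocates the policies table as a side effect whenever none exists yet, and the `if (policies)` guard two lines below is only live if `get_policies` can still return NULL on the create path (its body is outside the hunk). If the intent is that a lookup must never observe an absent table, say so on the call so the next reader does not revert it to 0: `/* create=1: a lookup must see the (possibly empty) table, never NULL */`. If the intent was only to avoid the NULL, keeping `create = 0` and returning NULL when the table is absent would preserve the lookup-has-no-side-effects contract.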
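Review bot: Setting `policy->sc->mc = NULL` in the `@@ -681` hunk turns every directive handler that dereferences `mc` without a NULL test into a crash path inside a policy block; the commit guards SSLCryptoDevice (the `@@ -846` hunk here) plus SSLRandomSeed, SSLSessionCache and SSLStaplingCache in the following hunks, and `ssl_config_global_isfixed` appears to be NULL-proofed in the garbled earlier hunk, but any other handler that reaches `mc` through the policy's server config would need the same `if (!mc)` check, so an audit of the remaining handlers seems warranted since only the guarded sites are visible here. The new comment also still names the old directive; I would make it state the contract the guards rely on: `/* No global config during SSLPolicyDefine: handlers must treat a NULL mc as "not allowed here" */`. The enclosing `ssl_cmd_SSLPolicyDefine` body starts and ends outside the hunk.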
@@ -887,6 +891,9 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
 return err;
 }
+ if (!mc) {
+ return "SSLRandomSeed: cannot be used inside SSLPolicyDefine";
+ }
 if (ssl_config_global_isfixed(mc)) {
 return NULL;
@@ -1486,6 +1493,9 @@ const char *ssl_cmd_SSLSessionCache(cmd_parms *cmd,
 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
 return err;
 }
+ if (!mc) {
+ return "SSLSessionCache: cannot be used inside SSLPolicyDefine";
+ }
 /* The OpenSSL session cache mode must have both the flags * SSL_SESS_CACHE_SERVER and SSL_SESS_CACHE_NO_INTERNAL set if a
@@ -2110,6 +2120,9 @@ const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,
 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
 return err;
 }
+ if (!mc) {
+ return "SSLStaplingCache: cannot be used inside SSLPolicyDefine";
+ }
 /* Argument is of form 'name:args' or just 'name'. */
 sep = ap_strchr_c(arg, ':');
diff --git a/modules/ssl/ssl_policies.h b/modules/ssl/ssl_policies.h
index 474f799668..5ce55b75ea 100644
--- a/modules/ssl/ssl_policies.h
+++ b/modules/ssl/ssl_policies.h 
@@ -65,13 +65,13 @@
 #define SSL_POLICY_MOZILLA_VERSION 4.0
-#ifdef HAVE_TLS1_X
+#ifdef HAVE_TLSV1_X
 #define SSL_POLICY_MODERN 1
 #define SSL_POLICY_MODERN_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
 #define SSL_POLICY_MODERN_PROTOCOLS SSL_PROTOCOL_TLSV1_2
-#else /* ifdef HAVE_TLS1_X */
+#else /* ifdef HAVE_TLSV1_X */
 #define SSL_POLICY_MODERN 0
-#endif /* ifdef HAVE_TLS1_X, else part */
+#endif /* ifdef HAVE_TLSV1_X, else part */
 #define SSL_POLICY_INTERMEDIATE 1
 #define SSL_POLICY_INTERMEDIATE_CIPHERS "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
diff --git a/modules/ssl/update_policies.py b/modules/ssl/update_policies.py
index 785c652065..02ca860307 100644
--- a/modules/ssl/update_policies.py
+++ b/modules/ssl/update_policies.py
@@ -70,7 +70,7 @@ def required_ifdef(conf): # if it has a non-1_X protocol, it works without OpenSSL 1.0.2 if not tlsv in TLS_1_X_VERSIONS: return None
- return "HAVE_TLS1_X"
+ return "HAVE_TLSV1_X"
 def getPolicyDef():
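Review bot: The `#ifdef` in ssl_policies.h now tests `HAVE_TLSV1_X`, and because the `#else` branch silently defines `SSL_POLICY_MODERN 0`, any spelling that does not match the macro actually defined by the mod_ssl headers (not in this diff) disables the "modern" policy with no diagnostic at all — which is presumably what the old `HAVE_TLS1_X` spelling was doing. Since the header appears to be generated by update_policies.py (the same rename is in its `required_ifdef`), the fix belongs in the generator as it is here, but the fallback deserves a comment that makes the silent downgrade visible: `#else /* no HAVE_TLSV1_X: TLSv1.2 unavailable, the modern policy is disabled */`. A build-time check that the guarded define exists where TLSv1.2 support is known to be present would keep this from regressing unnoticed.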