Kaspar Brand [Sat, 28 Dec 2013 13:24:17 +0000 (13:24 +0000)]
Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile
Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:
ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants
ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
and keys (in theory; currently OpenSSL does not support more than
one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile
ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx
ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
make it only load a single (encrypted) private key, and rename
to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
instead of the vhost id and the algorithm name
- no longer supply the algorithm name as an argument to "exec"-type
passphrase prompting programs
ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
and ssl_asn1_table_keyfmt
ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey
Ruediger Pluem [Mon, 23 Dec 2013 20:47:59 +0000 (20:47 +0000)]
* Do not perform SNI / Host header comparison in case of a forward proxy request, as
in case of a forward proxy request the host header cannot be used for virtual
host selection in our webserver.
Jim Jagielski [Mon, 23 Dec 2013 16:08:36 +0000 (16:08 +0000)]
Allow user to explicitly determine whether or not BSD syntax
makefiles should be created... The default is NO unless we
are on a *BSD* system, in which case we actually see if
'make' is gmake or not.
Remove <Proxy ~ wildcard-url> syntax which:
- is equivalent to <ProxyMatch wildcard-url>
- has never been documented
- incorrectly checks parameters (!cmd->path should be !cmd->path[0])
- is buggy (! is missing in front of strncasecmp)
Eric Covener [Tue, 17 Dec 2013 16:38:36 +0000 (16:38 +0000)]
Log a warning when the LDAP authn provider is configured but an AuthLDAPURL
isn't -- IOW, avoid silently skipping a misconfigured [or buggy?] LDAP provider.
'ap_getword_conf' does not return NULL but an empty string if nothing could be got.
So the message 02173 can never trigger.
Actually, this is not a problem because all calls to 'ap_unixd_set_rlimit' are done in configuration parsing functions guarded with AP_INIT_TAKE12, so we are guaranteed to have something.
Jan Kaluža [Wed, 11 Dec 2013 07:27:12 +0000 (07:27 +0000)]
Cleanup the bb brigade, because buckets inserted to it can be created from
scpool and this pool can be freed before this brigade.
POSSIBLE (but as yet unconfirmed) fix for crashes seen with threaded servers,
e.g. PR 50335.
Eric Covener [Wed, 4 Dec 2013 17:09:42 +0000 (17:09 +0000)]
Only close hdrs.fd when returning non-OK from cache_select(),
because it will be read from in the very next mod_cache callback
recall_headers(). Problem masked on unix by buffering.
Kaspar Brand [Sun, 1 Dec 2013 11:57:42 +0000 (11:57 +0000)]
SGC became dead in January 2000, effectively
(http://www.gpo.gov/fdsys/pkg/FR-2000-01-14/pdf/00-983.pdf)
Almost 14 years later, there's certainly no longer any need
to spit out some fancy log message.
Kaspar Brand [Sun, 1 Dec 2013 11:52:44 +0000 (11:52 +0000)]
Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)
Jeff Trawick [Sat, 30 Nov 2013 17:56:25 +0000 (17:56 +0000)]
Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Currently implemented
only for the Event MPM; should be implemented for all async MPMs.)
Kaspar Brand [Sat, 30 Nov 2013 07:44:27 +0000 (07:44 +0000)]
Tweaks for SSLOpenSSLConfCmd:
- use cfgMergeArray, and reduce the size of the initial array
- move SSL_CONF_cmd calls from ssl_init_ctx_protocol to
ssl_init_server_ctx (so they are applied after ssl_init_server_certs)
- add APLOG_DEBUG-level logging for the SSL_CONF_cmd success case
- call SSL_CONF_CTX_free(cctx) when done in ssl_init_server_ctx
Kaspar Brand [Sat, 30 Nov 2013 07:17:53 +0000 (07:17 +0000)]
Axe dead code: It wouldn't have been needed ever since httpd 2.0.35
was released in April 2002... it was fixed in the [unreleased]
SSLeay 0.9.1b, which was the basis for the initial OpenSSL 0.9.1c
release in December 1998 (specifically, it's this change to ssl_set_pkey():
https://cvs.openssl.org/filediff?f=openssl/ssl/ssl_rsa.c&v1=1.1.1.2&v2=1.1.1.3)
Kaspar Brand [Sat, 30 Nov 2013 06:49:58 +0000 (06:49 +0000)]
Remove obsolete TODOs for mod_ssl:
No, we don't - it was removed in r90511.
DH keys are changed for every connection, SSL_OP_SINGLE_DH_USE
is applied since mod_ssl's initial commit (r88988).
We no longer have our own CRL callback (delegated to OpenSSL
as of r1165056), so this is effectively moot.
ssl_engine_pphrase.c needs to be simplified, not blown up further
(see also https://issues.apache.org/bugzilla/show_bug.cgi?id=24031,
which few [if any] people really seem to miss)
Jim Jagielski [Mon, 25 Nov 2013 13:59:06 +0000 (13:59 +0000)]
Use a normalized offset point for idlers... still need to worry
that atomics work as "expected", in this case that an add32 of a -1
is the "same" as dec32 (as far as effect on idlers)
Kaspar Brand [Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)]
Remove SSLPKCS7CertificateFile support:
- was never documented, so very unlikely that it was ever used
- adds complexity without apparent benefit; PKCS#7 files can
be trivially converted to a file for use with SSLCertificateChainFile
(concatenated X509 CERTIFICATE chunks, openssl pkcs7 -print_certs...)
- only supports PKCS7 files with PEM encoding, i.e. relies on a
non-standardized PEM header (cf. RFC 2315 and draft-josefsson-pkix-textual)
- issues pointed out in http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3C20060723093125.GA19423@redhat.com%3E
were never fully addressed (cf. r424707 and r424735)
- has never worked in vhost context due to a cfgMergeString
call missing from modssl_ctx_cfg_merge
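As an added illustration of the "concatenated X509 CERTIFICATE chunks" format that SSLCertificateChainFile reads (this is example code written for this page, not code from httpd or mod_ssl), here is a small Python parser that splits such a bundle into DER blocks, tolerates the subject=/issuer= lines that `openssl pkcs7 -print_certs` writes between blocks, and rejects a block carrying OpenSSL's non-standardised "PKCS7" PEM label outright instead of silently skipping it. The certificate bodies in the sample are constructed minimal DER SEQUENCEs standing in for real certificates, and all function and class names are the example's own.

```python
"""Parse a concatenated-PEM certificate chain (the format SSLCertificateChainFile
reads).  Added example for this page; not code from httpd/mod_ssl."""
import base64
import re
from typing import List

# One PEM block: -----BEGIN <LABEL>-----, base64 body, -----END <same LABEL>-----.
# Anything between blocks (e.g. the "subject=" / "issuer=" lines written by
# `openssl pkcs7 -print_certs`) is simply not matched and therefore ignored.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


class PemError(ValueError):
    """Raised for a bundle that is not a plain chain of CERTIFICATE blocks."""


def der_length(der: bytes) -> int:
    """Total encoded size of the outermost DER SEQUENCE (tag 0x30) in `der`.

    An X.509 Certificate is a SEQUENCE, so a decoded block whose outer TLV
    does not span exactly the decoded bytes is truncated or has junk appended.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise PemError("outer DER element is not a SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    nbytes = first & 0x7F                 # long form: 0x8N, then N length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        raise PemError("malformed DER length")
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def split_pem_chain(text: str) -> List[bytes]:
    """Return the DER body of every CERTIFICATE block in `text`, in file order.

    Blocks with any other label are rejected rather than skipped: a PKCS#7
    bundle (label "PKCS7") dropped into a chain file should fail loudly,
    pointing at the conversion command the commit message recommends.
    """
    certs: List[bytes] = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label != "CERTIFICATE":
            raise PemError(
                f"block {len(certs) + 1} has label {label!r}, not CERTIFICATE; "
                "convert with 'openssl pkcs7 -print_certs' first")
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError as exc:         # binascii.Error subclasses ValueError
            raise PemError(f"block {len(certs) + 1}: invalid base64") from exc
        if der_length(der) != len(der):
            raise PemError(f"block {len(certs) + 1}: DER length mismatch")
        certs.append(der)
    if not certs:
        raise PemError("no CERTIFICATE blocks found")
    return certs


def check_chain_file(text: str) -> str:
    """Convenience wrapper: 'ok: N certificate(s)' or 'rejected: <reason>'."""
    try:
        return f"ok: {len(split_pem_chain(text))} certificate(s)"
    except PemError as exc:
        return f"rejected: {exc}"


def pem_block(label: str, der: bytes) -> str:
    """Wrap `der` as a PEM block with 64-column base64 lines (sample-data helper)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample data: minimal DER SEQUENCEs standing in for real
# certificates (SEQUENCE { INTEGER 1 } and SEQUENCE { INTEGER 2 }).
LEAF_DER = bytes.fromhex("3003020101")
INTERMEDIATE_DER = bytes.fromhex("3003020102")

# Shape of `openssl pkcs7 -print_certs` output: subject/issuer lines between
# the blocks, which a chain-file reader must tolerate.
CHAIN_FILE = (
    "subject=CN = leaf (constructed)\nissuer=CN = intermediate (constructed)\n"
    + pem_block("CERTIFICATE", LEAF_DER)
    + "\nsubject=CN = intermediate (constructed)\nissuer=CN = root (constructed)\n"
    + pem_block("CERTIFICATE", INTERMEDIATE_DER)
)

# The unconverted PKCS#7 form uses OpenSSL's non-standardised "PKCS7" label.
PKCS7_FILE = pem_block("PKCS7", LEAF_DER)

if __name__ == "__main__":
    print(check_chain_file(CHAIN_FILE))   # ok: 2 certificate(s)
    print(check_chain_file(PKCS7_FILE))   # rejected: block 1 has label 'PKCS7', ...
```

The outer-length check is the cheap sanity test a chain loader can do without an ASN.1 library: a truncated paste or a stray trailing line inside the base64 body shows up as a mismatch between the SEQUENCE length and the decoded size, before the file ever reaches OpenSSL.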
Kaspar Brand [Sat, 23 Nov 2013 12:22:47 +0000 (12:22 +0000)]
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"
For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.