From 1c9a4b1a2ae249d564ce7ed443748b1d5a0122eb Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Mon, 26 Mar 2018 13:09:27 +0000 Subject: [PATCH] On the trunk: mod_ssl: reverting r1807709 (SSLEngine with addr:port spec) as a "seemed a good idea at the time" thing. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1827760 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 - docs/manual/mod/mod_ssl.xml | 18 +----- modules/ssl/mod_ssl.c | 110 ++++++-------------------------- modules/ssl/ssl_engine_config.c | 57 ++++------------- modules/ssl/ssl_engine_init.c | 7 -- modules/ssl/ssl_private.h | 3 - 6 files changed, 36 insertions(+), 162 deletions(-) diff --git a/CHANGES b/CHANGES index 52a423b3df..9069754aa5 100644 --- a/CHANGES +++ b/CHANGES @@ -188,9 +188,6 @@ Changes with Apache 2.5.0-alpha some minor bugfixes, twiddle the build system to avoid non-pic code generation. [Stefan Eissing] - *) mod_ssl: Adding option to set a list of addr:port specs, as used in VirtualHosts - to enable SSLEngine for all matching hosts. Updated documentation. [Stefan Eissing] - *) mod_md: v0.9.1: - various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If someone already used percent configurations, it is advised to change these to a new value, diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 1d240f2b43..a5a4172f69 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -556,7 +556,7 @@ SSLSessionCacheTimeout 600 SSLEngine SSL Engine Operation Switch -SSLEngine on|off|optional|addr[:port] [addr[:port]] ... +SSLEngine on|off|optional SSLEngine off server config virtual host @@ -564,8 +564,8 @@ SSLSessionCacheTimeout 600

-This directive toggles the usage of the SSL/TLS Protocol Engine. Values 'on', -'off' and 'optional' should be used inside a VirtualHost section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

@@ -577,18 +577,6 @@ SSLEngine on </VirtualHost> -

The addr:port values should be used in the -global server to enable the SSL/TLS Protocol Engine for all -VirtualHosts -that match one of the addresses in the list.

-Example - -SSLEngine *:443 -<VirtualHost *:443> -#... -</VirtualHost> - -

SSLEngine can be set to optional: this enables support for RFC 2817. diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 3780d8c89b..4f85248fd3 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -91,7 +91,7 @@ static const command_rec ssl_config_cmds[] = { /* * Per-server context configuration directives */ - SSL_CMD_SRV(Engine, RAW_ARGS, + SSL_CMD_SRV(Engine, TAKE1, "SSL switch for the protocol engine " "('on', 'off')") SSL_CMD_SRV(FIPS, FLAG, @@ -483,75 +483,6 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, return sslconn; } -static int ssl_server_addr_matches(server_addr_rec *sar, apr_sockaddr_t *sa) -{ - /* Determine if the list of server_addr_rec's matches the given socket address. - * IP Address/port may be wilcard/0 for a match to occur. */ - while (sar) { - if (apr_sockaddr_is_wildcard(sar->host_addr) - || apr_sockaddr_equal(sar->host_addr, sa)) { - if (sar->host_addr->port == sa->port - || sar->host_addr->port == 0 - || sa->port == 0) { - return 1; - } - } - sar = sar->next; - } - return 0; -} - -int ssl_server_addr_overlap(server_addr_rec *sar1, server_addr_rec *sar2) -{ - if (sar1) { - while (sar2) { - if (ssl_server_addr_matches(sar1, sar2->host_addr)) { - return 1; - } - sar2 = sar2->next; - } - } - return 0; -} - -static ssl_enabled_t ssl_srv_enabled_on(server_rec *s, apr_sockaddr_t *sa) -{ - SSLSrvConfigRec *sc = mySrvConfig(s); - if (sc->enabled == SSL_ENABLED_TRUE && sc->enabled_on) { - if (!ssl_server_addr_matches(sc->enabled_on, sa)) { - return SSL_ENABLED_FALSE; - } - } - return sc->enabled; -} - -static ssl_enabled_t ssl_conn_enabled(conn_rec *c) -{ - if (c->master) { - return ssl_conn_enabled(c->master); - } - else { - SSLConnRec *sslconn = myConnConfig(c); - if (sslconn) { - if (sslconn->disabled) { - return SSL_ENABLED_FALSE; - } - if (sslconn->is_proxy) { - if (!sslconn->dc->proxy_enabled) { - return SSL_ENABLED_FALSE; - } - } - else { - return ssl_srv_enabled_on(sslconn->server, c->local_addr); - } - } - else { - return ssl_srv_enabled_on(c->base_server, c->local_addr); - } - } - return SSL_ENABLED_TRUE; -} - static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn) { if (c->master) { @@ -566,12 +497,16 @@ static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn) return DECLINED; } } - else if (ssl_srv_enabled_on(sslconn->server, c->local_addr) != SSL_ENABLED_TRUE) { - return DECLINED; + else { + if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) { + return DECLINED; + } } } - else if (ssl_srv_enabled_on(c->base_server, c->local_addr) != SSL_ENABLED_TRUE) { - return DECLINED; + else { + if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) { + return DECLINED; + } } return OK; } @@ -690,29 +625,26 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) return APR_SUCCESS; } -/* FIXME: if we ever want to server http: requests over TLS, this - * needs to change. We probably need the scheme in request_rec and - * return that iff it is set. */ static const char *ssl_hook_http_scheme(const request_rec *r) { - switch (ssl_conn_enabled(r->connection)) { - case SSL_ENABLED_FALSE: - case SSL_ENABLED_OPTIONAL: - return NULL; - default: - return "https"; + SSLSrvConfigRec *sc = mySrvConfig(r->server); + + if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { + return NULL; } + + return "https"; } static apr_port_t ssl_hook_default_port(const request_rec *r) { - switch (ssl_conn_enabled(r->connection)) { - case SSL_ENABLED_FALSE: - case SSL_ENABLED_OPTIONAL: - return 0; - default: - return 443; + SSLSrvConfigRec *sc = mySrvConfig(r->server); + + if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { + return 0; } + + return 443; } static int ssl_hook_pre_connection(conn_rec *c, void *csd) diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 6c65b29fe9..d929f1f12c 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -230,7 +230,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p) sc->compression = UNSET; #endif sc->session_tickets = UNSET; - sc->enabled_on = NULL; modssl_ctx_init_server(sc, p); @@ -366,8 +365,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) #endif cfgMergeBool(session_tickets); - mrg->enabled_on = (add->enabled == SSL_ENABLED_UNSET)? base->enabled_on : add->enabled_on; - modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server); return mrg; @@ -808,54 +805,24 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd, return NULL; } -const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *args) +const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - const char *w, *err; - server_addr_rec **psar; - server_rec s; - - w = ap_getword_conf(cmd->pool, &args); - if (*w == '\0') { - return "SSLEngine takes at least one argument"; + if (!strcasecmp(arg, "On")) { + sc->enabled = SSL_ENABLED_TRUE; + return NULL; } - - if (*args == 0) { - if (!strcasecmp(w, "On")) { - sc->enabled = SSL_ENABLED_TRUE; - sc->enabled_on = NULL; - return NULL; - } - else if (!strcasecmp(w, "Off")) { - sc->enabled = SSL_ENABLED_FALSE; - sc->enabled_on = NULL; - return NULL; - } - else if (!strcasecmp(w, "Optional")) { - sc->enabled = SSL_ENABLED_OPTIONAL; - sc->enabled_on = NULL; - return NULL; - } + else if (!strcasecmp(arg, "Off")) { + sc->enabled = SSL_ENABLED_FALSE; + return NULL; } - - memset(&s, 0, sizeof(s)); - err = ap_parse_vhost_addrs(cmd->pool, w, &s); - sc->enabled_on = s.addrs; - sc->enabled = SSL_ENABLED_TRUE; - - if (!err && *args) { - s.addrs = NULL; - err = ap_parse_vhost_addrs(cmd->pool, args, &s); - if (!err && s.addrs) { - psar = &sc->enabled_on; - while (*psar) { - psar = &(*psar)->next; - } - *psar = s.addrs; - } + else if (!strcasecmp(arg, "Optional")) { + sc->enabled = SSL_ENABLED_OPTIONAL; + return NULL; } - return err; + + return "Argument must be On, Off, or Optional"; } const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag) diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 8ac64d1571..040f8a4bea 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -276,13 +276,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, if (sc->enabled == SSL_ENABLED_UNSET) { sc->enabled = SSL_ENABLED_FALSE; } - /* Check if conditions to enable apply to this server at all. Conditions - * might be inherited from base server and never match a vhost. */ - if (sc->enabled_on && sc->enabled == SSL_ENABLED_TRUE) { - if (s == base_server || !ssl_server_addr_overlap(sc->enabled_on, s->addrs)) { - sc->enabled = SSL_ENABLED_FALSE; - } - } if (sc->session_cache_timeout == UNSET) { sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT; diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index e3f3aa5abc..b2173e3ac5 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -742,7 +742,6 @@ struct SSLSrvConfigRec { #endif BOOL session_tickets; - server_addr_rec *enabled_on; /* optional list of addresses where ssl is enabled */ }; /** @@ -1088,8 +1087,6 @@ extern int ssl_running_on_valgrind; int ssl_is_challenge(conn_rec *c, const char *servername, X509 **pcert, EVP_PKEY **pkey); -int ssl_server_addr_overlap(server_addr_rec *sar1, server_addr_rec *sar2); - #endif /* SSL_PRIVATE_H */ /** @} */ -- 2.50.1