From 5dd473c6d4033fd02f3855daeecc4ddd3618d48f Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sun, 24 Jul 2011 19:06:59 +0000
Subject: [PATCH] enable mod_ssl at level 'most'

Let's assume that if a system has the openssl dev headers installed in the default location, it is very unlikely that crypto is forbidden in the country that the system is located in. If no ssl toolkit is found, disable mod_ssl instead of aborting. The actual change is small, use 'diff -b' to review

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1150471 13f79535-47bb-0310-9956-ffa450edef68
---
 acinclude.m4 | 267 +++++++++++++++++++++--------------------
 modules/ssl/config.m4 | 18 +-
 2 files changed, 147 insertions(+), 138 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4
index e7b79c37f8..19cd90d1c3 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -440,81 +440,82 @@ dnl Configure for the detected openssl/ssl-c toolkit installation, giving
 dnl preference to "--with-ssl=" if it was specified.
 dnl
 AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
-if test "x$ap_ssltk_configured" = "x"; then
- dnl initialise the variables we use
- ap_ssltk_found=""
- ap_ssltk_base=""
- ap_ssltk_libs=""
- ap_ssltk_type=""
-
- dnl Determine the SSL/TLS toolkit's base directory, if any
- AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base])
- AC_ARG_WITH(sslc, APACHE_HELP_STRING(--with-sslc=DIR,RSA SSL-C SSL/TLS toolkit), [
- dnl If --with-sslc specifies a directory, we use that directory or fail
- if test "x$withval" != "xyes" -a "x$withval" != "x"; then
- dnl This ensures $withval is actually a directory and that it is absolute
- ap_ssltk_base="`cd $withval ; pwd`"
- fi
- ap_ssltk_type="sslc"
- ])
- AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL SSL/TLS toolkit), [
- dnl If --with-ssl specifies a directory, we use that directory or fail
- if test "x$withval" != "xyes" -a "x$withval" != "x"; then
- dnl This ensures $withval is actually a directory and that it is absolute
- ap_ssltk_base="`cd $withval ; pwd`"
+ AC_CACHE_CHECK([for SSL/TLS toolkit], [ac_cv_ssltk], [
+ dnl initialise the variables we use
+ ac_cv_ssltk=yes
+ ap_ssltk_found=""
+ ap_ssltk_base=""
+ ap_ssltk_libs=""
+ ap_ssltk_type=""
+
+ dnl Determine the SSL/TLS toolkit's base directory, if any
+ AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base])
+ AC_ARG_WITH(sslc, APACHE_HELP_STRING(--with-sslc=DIR,RSA SSL-C SSL/TLS toolkit), [
+ dnl If --with-sslc specifies a directory, we use that directory or fail
+ if test "x$withval" != "xyes" -a "x$withval" != "x"; then
+ dnl This ensures $withval is actually a directory and that it is absolute
+ ap_ssltk_base="`cd $withval ; pwd`"
+ fi
+ ap_ssltk_type="sslc"
+ ])
+ AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL SSL/TLS toolkit), [
+ dnl If --with-ssl specifies a directory, we use that directory or fail
+ if test "x$withval" != "xyes" -a "x$withval" != "x"; then
+ dnl This ensures $withval is actually a directory and that it is absolute
+ ap_ssltk_base="`cd $withval ; pwd`"
+ fi
+ ])
+ if test "x$ap_ssltk_base" = "x"; then
+ AC_MSG_RESULT(none)
+ else
+ AC_MSG_RESULT($ap_ssltk_base)
 fi
- ])
- if test "x$ap_ssltk_base" = "x"; then
- AC_MSG_RESULT(none)
- else
- AC_MSG_RESULT($ap_ssltk_base)
- fi
 
- dnl Run header and version checks
- saved_CPPFLAGS="$CPPFLAGS"
- saved_LIBS="$LIBS"
- saved_LDFLAGS="$LDFLAGS"
- SSL_LIBS=""
-
- dnl Before doing anything else, load in pkg-config variables (if not sslc).
- if test "x$ap_ssltk_type" = "x" -a -n "$PKGCONFIG"; then
- saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
- if test "x$ap_ssltk_base" != "x" -a \
- -f "${ap_ssltk_base}/lib/pkgconfig/openssl.pc"; then
- dnl Ensure that the given path is used by pkg-config too, otherwise
- dnl the system openssl.pc might be picked up instead.
- PKG_CONFIG_PATH="${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
- export PKG_CONFIG_PATH
- fi
- ap_ssltk_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
- if test $? -eq 0; then
- ap_ssltk_found="yes"
- pkglookup="`$PKGCONFIG --cflags-only-I openssl`"
- APR_ADDTO(CPPFLAGS, [$pkglookup])
- APR_ADDTO(INCLUDES, [$pkglookup])
- pkglookup="`$PKGCONFIG --libs-only-L --libs-only-other openssl`"
- APR_ADDTO(LDFLAGS, [$pkglookup])
- APR_ADDTO(SSL_LIBS, [$pkglookup])
+ dnl Run header and version checks
+ saved_CPPFLAGS="$CPPFLAGS"
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ SSL_LIBS=""
+
+ dnl Before doing anything else, load in pkg-config variables (if not sslc).
+ if test "x$ap_ssltk_type" = "x" -a -n "$PKGCONFIG"; then
+ saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
+ if test "x$ap_ssltk_base" != "x" -a \
+ -f "${ap_ssltk_base}/lib/pkgconfig/openssl.pc"; then
+ dnl Ensure that the given path is used by pkg-config too, otherwise
+ dnl the system openssl.pc might be picked up instead.
+ PKG_CONFIG_PATH="${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
+ export PKG_CONFIG_PATH
+ fi
+ ap_ssltk_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
+ if test $? -eq 0; then
+ ap_ssltk_found="yes"
+ pkglookup="`$PKGCONFIG --cflags-only-I openssl`"
+ APR_ADDTO(CPPFLAGS, [$pkglookup])
+ APR_ADDTO(INCLUDES, [$pkglookup])
+ pkglookup="`$PKGCONFIG --libs-only-L --libs-only-other openssl`"
+ APR_ADDTO(LDFLAGS, [$pkglookup])
+ APR_ADDTO(SSL_LIBS, [$pkglookup])
+ fi
+ PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH"
 fi
- PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH"
- fi
- if test "x$ap_ssltk_base" != "x" -a "x$ap_ssltk_found" = "x"; then
- APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include])
- APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include])
- APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib])
- APR_ADDTO(SSL_LIBS, [-L$ap_ssltk_base/lib])
- if test "x$ap_platform_runtime_link_flag" != "x"; then
- APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
- APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
+ if test "x$ap_ssltk_base" != "x" -a "x$ap_ssltk_found" = "x"; then
+ APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include])
+ APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include])
+ APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib])
+ APR_ADDTO(SSL_LIBS, [-L$ap_ssltk_base/lib])
+ if test "x$ap_platform_runtime_link_flag" != "x"; then
+ APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
+ APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
+ fi
 fi
- fi
- if test "x$ap_ssltk_type" = "x"; then
- dnl First check for manditory headers
- AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], [])
- if test "$ap_ssltk_type" = "openssl"; then
- dnl so it's OpenSSL - test for a good version
- AC_MSG_CHECKING([for OpenSSL version])
- AC_TRY_COMPILE([#include ],[
+ if test "x$ap_ssltk_type" = "x"; then
+ dnl First check for manditory headers
+ AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], [])
+ if test "$ap_ssltk_type" = "openssl"; then
+ dnl so it's OpenSSL - test for a good version
+ AC_MSG_CHECKING([for OpenSSL version])
+ AC_TRY_COMPILE([#include ],[
 #if !defined(OPENSSL_VERSION_NUMBER)
 #error "Missing openssl version"
 #endif
@@ -522,23 +523,23 @@ if test "x$ap_ssltk_configured" = "x"; then
 || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f))
 #error "Insecure openssl version " OPENSSL_VERSION_TEXT
 #endif],
- [AC_MSG_RESULT(OK)],
- [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
- AC_MSG_RESULT([not encouraging])
- AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
- [ Ensure the latest security patches have been applied!])
- ])
- else
- AC_MSG_RESULT([no OpenSSL headers found])
+ [AC_MSG_RESULT(OK)],
+ [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
+ AC_MSG_RESULT([not encouraging])
+ AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
+ [ Ensure the latest security patches have been applied!])
+ ])
+ else
+ AC_MSG_RESULT([no OpenSSL headers found])
+ fi
 fi
- fi
- if test "$ap_ssltk_type" != "openssl"; then
- dnl Might be SSL-C - report, then test anything relevant
- AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [ap_ssltk_type=""])
- if test "$ap_ssltk_type" = "sslc"; then
- ap_ssltk_libs="-lsslc"
- AC_MSG_CHECKING([for SSL-C version])
- AC_TRY_COMPILE([#include ],[
+ if test "$ap_ssltk_type" != "openssl"; then
+ dnl Might be SSL-C - report, then test anything relevant
+ AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [ap_ssltk_type=""])
+ if test "$ap_ssltk_type" = "sslc"; then
+ ap_ssltk_libs="-lsslc"
+ AC_MSG_CHECKING([for SSL-C version])
+ AC_TRY_COMPILE([#include ],[
 #if !defined(SSLC_VERSION_NUMBER)
 #error "Missing SSL-C version"
 #endif
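Review bot: Everything inside the new `AC_CACHE_CHECK([for SSL/TLS toolkit], [ac_cv_ssltk], [ ... ])` other than the assignment to `ac_cv_ssltk` is a side effect that a cache hit skips: the `AC_ARG_WITH` actions, `ap_ssltk_type` and `ap_ssltk_libs`, the `APR_ADDTO` calls on `CPPFLAGS`, `INCLUDES`, `LDFLAGS` and `SSL_LIBS` in this hunk, and `APACHE_SUBST(SSL_LIBS)` in the third hunk. On a re-run with a cache file (`configure -C`, or a config.cache supplied through CONFIG_SITE) the probe would, as far as this diff shows, report `(cached) yes` while `ap_ssltk_type` stays empty, so the post-check block in the third hunk takes the `HAVE_SSLC` branch and mod_ssl is linked with an empty `SSL_LIBS`; a cached `no` would likewise persist after the toolkit is installed. Autoconf's contract for an `AC_CACHE_CHECK` body is that it sets only the cache variable, so either drop the caching and bracket the existing logic with `AC_MSG_CHECKING`/`AC_MSG_RESULT`, or keep the cache but move every flag, `LIBS` and substitution update out of the body into the `if test "x$ac_cv_ssltk" = "xyes"` block. The nested `AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base])` will also print in the middle of the outer "checking for SSL/TLS toolkit..." line. The macro body continues past the end of this hunk.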
@@ -546,54 +547,58 @@ if test "x$ap_ssltk_configured" = "x"; then
 #define stringize_ver(x) #x
 #error "Insecure SSL-C version " stringize_ver(SSLC_VERSION_NUMBER)
 #endif],
- [AC_MSG_RESULT(OK)],
- [dnl Replace this with SSLC_VERSION_NUMBER?
- AC_MSG_RESULT([not encouraging])
- echo "WARNING: SSL-C version may contain security vulnerabilities!"
- echo " Ensure the latest security patches have been applied!"
- ])
+ [AC_MSG_RESULT(OK)],
+ [dnl Replace this with SSLC_VERSION_NUMBER?
+ AC_MSG_RESULT([not encouraging])
+ echo "WARNING: SSL-C version may contain security vulnerabilities!"
+ echo " Ensure the latest security patches have been applied!"
+ ])
+ else
+ AC_MSG_RESULT([no SSL-C headers found])
+ fi
+ fi
+ if test "x$ap_ssltk_type" = "x"; then
+ ac_cv_ssltk="no"
+ AC_MSG_WARN([...No recognized SSL/TLS toolkit detected])
 else
- AC_MSG_RESULT([no SSL-C headers found])
+ if test "$ap_ssltk_type" = "openssl" -a "x$ap_ssltk_found" = "x"; then
+ ap_ssltk_found="yes"
+ ap_ssltk_libs="-lssl -lcrypto `$apr_config --libs`"
+ fi
+ APR_ADDTO(SSL_LIBS, [$ap_ssltk_libs])
+ APR_ADDTO(LIBS, [$ap_ssltk_libs])
+ APACHE_SUBST(SSL_LIBS)
+
+ dnl Run library and function checks
+ liberrors=""
+ if test "$ap_ssltk_type" = "openssl"; then
+ AC_CHECK_HEADERS([openssl/engine.h])
+ AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
+ else
+ AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
+ AC_CHECK_FUNCS(SSL_set_state)
+ fi
+ dnl restore
+ CPPFLAGS="$saved_CPPFLAGS"
+ LIBS="$saved_LIBS"
+ LDFLAGS="$saved_LDFLAGS"
+ if test "x$liberrors" != "x"; then
+ ac_cv_ssltk=no
+ AC_MSG_WARN([... Error, SSL/TLS libraries were missing or unusable])
+ fi
 fi
- fi
- if test "x$ap_ssltk_type" = "x"; then
- AC_MSG_ERROR([...No recognized SSL/TLS toolkit detected])
- fi
-
- if test "$ap_ssltk_type" = "openssl" -a "x$ap_ssltk_found" = "x"; then
- ap_ssltk_found="yes"
- ap_ssltk_libs="-lssl -lcrypto `$apr_config --libs`"
- fi
- APR_ADDTO(SSL_LIBS, [$ap_ssltk_libs])
- APR_ADDTO(LIBS, [$ap_ssltk_libs])
- APACHE_SUBST(SSL_LIBS)
-
- dnl Run library and function checks
- liberrors=""
- if test "$ap_ssltk_type" = "openssl"; then
- AC_CHECK_HEADERS([openssl/engine.h])
- AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
- AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
- else
- AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
- AC_CHECK_FUNCS(SSL_set_state)
- fi
- dnl restore
- CPPFLAGS="$saved_CPPFLAGS"
- LIBS="$saved_LIBS"
- LDFLAGS="$saved_LDFLAGS"
- if test "x$liberrors" != "x"; then
- AC_MSG_ERROR([... Error, SSL/TLS libraries were missing or unusable])
- fi
+ ])
 
- dnl Adjust apache's configuration based on what we found above.
- dnl (a) define preprocessor symbols
- if test "$ap_ssltk_type" = "openssl"; then
- AC_DEFINE(HAVE_OPENSSL, 1, [Define if SSL is supported using OpenSSL])
- else
- AC_DEFINE(HAVE_SSLC, 1, [Define if SSL is supported using SSL-C])
+ if test "x$ac_cv_ssltk" = "xyes" ; then
+ dnl Adjust apache's configuration based on what we found above.
+ dnl (a) define preprocessor symbols
+ if test "$ap_ssltk_type" = "openssl"; then
+ AC_DEFINE(HAVE_OPENSSL, 1, [Define if SSL is supported using OpenSSL])
+ else
+ AC_DEFINE(HAVE_SSLC, 1, [Define if SSL is supported using SSL-C])
+ fi
 fi
-fi
 ])
 
 dnl
diff --git a/modules/ssl/config.m4 b/modules/ssl/config.m4
index 79f1c64bfd..a518b91e65 100644
--- a/modules/ssl/config.m4
+++ b/modules/ssl/config.m4
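Review bot: The new `liberrors` branch at the end of the `else` block turns the former fatal `AC_MSG_ERROR` into `ac_cv_ssltk=no` plus a warning, but only `CPPFLAGS`, `LIBS` and `LDFLAGS` are restored: `SSL_LIBS` has already been filled from `$ap_ssltk_libs` and passed to `APACHE_SUBST`, and the `-I` entries added to `INCLUDES` in the first hunk are, as far as this diff shows, never removed, so a configure run that now continues with mod_ssl disabled still carries the unusable toolkit's paths into the rest of the build. Since the abort no longer happens, clear the exported state in that branch as well, e.g. `ac_cv_ssltk=no` followed by `SSL_LIBS=""`, and consider saving and restoring `INCLUDES` the same way the other three variables are. A small consistency point: the no-toolkit branch writes `ac_cv_ssltk="no"` while this one writes `ac_cv_ssltk=no`, and both warnings keep the leading `...` from the old error text. The `AC_CACHE_CHECK` that the `+ ])` here closes is opened in the first hunk.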
@@ -43,14 +43,18 @@ ssl_engine_ocsp.lo dnl
 ssl_util_ocsp.lo dnl
 "
 dnl # hook module into the Autoconf mechanism (--enable-ssl option)
-APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , no, [
+APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
 APACHE_CHECK_SSL_TOOLKIT
- APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
- CHECK_OCSP
- if test "x$enable_ssl" = "xshared"; then
- # The only symbol which needs to be exported is the module
- # structure, so ask libtool to hide everything else:
- APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+ if test "$ac_cv_ssltk" = "yes" ; then
+ APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
+ CHECK_OCSP
+ if test "x$enable_ssl" = "xshared"; then
+ # The only symbol which needs to be exported is the module
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_SSL_LDADD, [-export-symbols-regex ssl_module])
+ fi
+ else
+ enable_ssl=no
 fi
 ])
 
-- 
2.40.0
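Review bot: `enable_ssl=no` in the new `else` branch silently downgrades a build that asked for mod_ssl: with the default now `most`, a user who explicitly passed `--enable-ssl` ends up in the same place as one who never mentioned it, and the only signal is the `AC_MSG_WARN` emitted inside `APACHE_CHECK_SSL_TOOLKIT`, which is easy to miss in configure output. Whether `APACHE_MODULE` (defined in acinclude.m4, outside this hunk) can distinguish an explicit request from the `most` default is not visible here; if it can, the explicit case should remain an error, and if it cannot, the branch should at least announce the decision itself, e.g. `AC_MSG_WARN([mod_ssl disabled: no usable SSL/TLS toolkit found])` before `enable_ssl=no`. Since `APACHE_CHECK_SSL_TOOLKIT` is still invoked unconditionally at the top of the block, the result is always set, but the test `"$ac_cv_ssltk" = "yes"` here and the `"x$ac_cv_ssltk" = "xyes"` form in acinclude.m4 could use the same spelling.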