VladPolskiy/apache-http-server
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-15 23:27:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged /httpd/httpd/trunk:r1851621,1852128,1862075

Browse Source 
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
     adding certificates and keys to a virtual host. An additional hook allows
     answering special TLS connections as used in ACME challenges.
     Adding 2 new hooks for init/get of OCSP stapling status information when
     other modules want to provide those. Falls back to own implementation with
     same behaviour as before.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1863988 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
2019-07-30 11:23:52 +00:00
parent 84f4b09728
commit 734313ca6e
6 changed files with 253 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
modules/ssl/ssl_engine_init.c
View File

@ -36,6 +36,25 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
(server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
(s,p,is_proxy,ctx), OK, DECLINED)
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_cert_files,
(server_rec *s, apr_pool_t *p,
apr_array_header_t *cert_files, apr_array_header_t *key_files),
(s, p, cert_files, key_files),
OK, DECLINED)
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, add_fallback_cert_files,
(server_rec *s, apr_pool_t *p,
apr_array_header_t *cert_files, apr_array_header_t *key_files),
(s, p, cert_files, key_files),
OK, DECLINED)
APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, answer_challenge,
(conn_rec *c, const char *server_name,
X509 **pcert, EVP_PKEY **pkey),
(c, server_name, pcert, pkey),
DECLINED, DECLINED)
/* _________________________________________________________________
**
** Module Initialization
@ -165,18 +184,18 @@ static void ssl_add_version_components(apr_pool_t *p,
modver, AP_SERVER_BASEVERSION, incver);
}
/**************************************************************************************************/
/* Managed Domains Interface */
static APR_OPTIONAL_FN_TYPE(md_is_managed) *md_is_managed;
static APR_OPTIONAL_FN_TYPE(md_get_certificate) *md_get_certificate;
static APR_OPTIONAL_FN_TYPE(md_is_challenge) *md_is_challenge;
/* _________________________________________________________________
**
** Let other answer special connection attempts.
** Used in ACME challenge handling by mod_md.
** _________________________________________________________________
*/
int ssl_is_challenge(conn_rec *c, const char *servername,
X509 **pcert, EVP_PKEY **pkey)
{
if (md_is_challenge) {
return md_is_challenge(c, servername, pcert, pkey);
if (APR_SUCCESS == ssl_run_answer_challenge(c, servername, pcert, pkey)) {
return 1;
}
*pcert = NULL;
*pkey = NULL;
@ -231,16 +250,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
ssl_config_global_create(base_server); /* just to avoid problems */
ssl_config_global_fix(mc);
/* Initialize our interface to mod_md, if it is loaded
*/
md_is_managed = APR_RETRIEVE_OPTIONAL_FN(md_is_managed);
md_get_certificate = APR_RETRIEVE_OPTIONAL_FN(md_get_certificate);
md_is_challenge = APR_RETRIEVE_OPTIONAL_FN(md_is_challenge);
if (!md_is_managed || !md_get_certificate) {
md_is_managed = NULL;
md_get_certificate = NULL;
}
/*
* try to fix the configuration and open the dedicated SSL
* logfile as early as possible
@ -1344,8 +1353,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
* loaded via SSLOpenSSLConfCmd Certificate), so for 1.0.2 and
* later, we defer to the code in ssl_init_server_ctx.
*/
if ((mctx->stapling_enabled == TRUE) &&
!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) {
if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02567)
"Unable to configure certificate %s for stapling",
key_id);
@ -1739,11 +1747,13 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
apr_array_header_t *pphrases)
{
apr_status_t rv;
modssl_pk_server_t *pks;
#ifdef HAVE_SSL_CONF_CMD
ssl_ctx_param_t *param = (ssl_ctx_param_t *)sc->server->ssl_ctx_param->elts;
SSL_CONF_CTX *cctx = sc->server->ssl_ctx_config;
int i;
#endif
int n;
/*
* Check for problematic re-initializations
@ -1755,50 +1765,24 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
return APR_EGENERAL;
}
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10083)
"Init: (%s) mod_md support is %s.", ssl_util_vhostid(p, s),
md_is_managed? "available" : "unavailable");
if (md_is_managed && md_is_managed(s)) {
modssl_pk_server_t *const pks = sc->server->pks;
if (pks->cert_files->nelts > 0 || pks->key_files->nelts > 0) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10084)
"Init: (%s) You configured certificate/key files on this host, but "
"is is covered by a Managed Domain. You need to remove these directives "
"for the Managed Domain to take over.", ssl_util_vhostid(p, s));
}
else {
const char *key_file, *cert_file, *chain_file;
key_file = cert_file = chain_file = NULL;
if (md_get_certificate) {
rv = md_get_certificate(s, p, &key_file, &cert_file);
}
else {
rv = APR_ENOTIMPL;
}
if (key_file && cert_file) {
ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
"%s: installing key=%s, cert=%s, chain=%s",
ssl_util_vhostid(p, s), key_file, cert_file, chain_file);
APR_ARRAY_PUSH(pks->key_files, const char *) = key_file;
APR_ARRAY_PUSH(pks->cert_files, const char *) = cert_file;
sc->server->cert_chain = chain_file;
}
if (APR_STATUS_IS_EAGAIN(rv)) {
/* Managed Domain not ready yet. This is not a reason to fail the config */
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
"Init: %s will respond with '503 Service Unavailable' for now. This "
"host is part of a Managed Domain, but no SSL certificate is "
"available (yet).", ssl_util_vhostid(p, s));
pks->service_unavailable = 1;
}
else if (rv != APR_SUCCESS) {
return rv;
}
}
/* Allow others to provide certificate files */
pks = sc->server->pks;
n = pks->cert_files->nelts;
ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);
if (n < pks->cert_files->nelts) {
/* this overrides any old chain configuration */
sc->server->cert_chain = NULL;
}
if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) {
ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
pks->service_unavailable = 1;
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
"Init: %s will respond with '503 Service Unavailable' for now. There "
"are no SSL certificates configured and no other module contributed any.",
ssl_util_vhostid(p, s));
}
if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
@ -1851,7 +1835,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
* (late) point makes sure that we catch both certificates loaded
* via SSLCertificateFile and SSLOpenSSLConfCmd Certificate.
*/
if (sc->server->stapling_enabled == TRUE) {
do {
X509 *cert;
int i = 0;
int ret = SSL_CTX_set_current_cert(sc->server->ssl_ctx,
@ -1868,7 +1852,7 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
SSL_CERT_SET_NEXT);
i++;
}
}
} while(0);
#endif
#ifdef HAVE_TLS_SESSION_TICKETS