* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add
X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions
permitted for "optional_no_ca" mode.
Submitted by: Naveen Albert <apache2 phreaknet.org>
PR: 60028
Github: closes #509
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926714 13f79535-47bb-0310-9956-ffa450edef68
Previously, the SSLProtocol directive was checked at runtime. Apache quit if
the directive contained an invalid combination of protocols, and logged the
message "AH02231: No SSL protocols available [hint: SSLProtocol]".
With this change, most invalid SSLProtocol directives are detected when
checking the configuration, e.g. with "httpd -t -f httpd.conf".
Examples of invalid protocol combinations that are caught:
* SSLProtocol "-TLSv1"
* SSLProtocol "-all"
* SSLProtocol "TLSv1.2 -TLSv1.2"
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes #523
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1924955 13f79535-47bb-0310-9956-ffa450edef68
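
A sketch of why the three directives listed in the SSLProtocol commit above end up with no protocol enabled, as an added example that is not httpd's code. It assumes the arguments are evaluated left to right, with "+" adding to the set, "-" removing from it, and a bare name replacing it; the function names, flag values and token table are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Bit flags for this sketch only; not mod_ssl's own constants. */
enum { P_SSLV3 = 1, P_TLSV1 = 2, P_TLSV1_1 = 4, P_TLSV1_2 = 8,
       P_TLSV1_3 = 16, P_ALL = 31 };
static const struct { const char *name; unsigned bits; } protos[] = {
    {"SSLv3", P_SSLV3}, {"TLSv1", P_TLSV1}, {"TLSv1.1", P_TLSV1_1},
    {"TLSv1.2", P_TLSV1_2}, {"TLSv1.3", P_TLSV1_3}, {"all", P_ALL}
};

/* Assumed semantics: tokens are applied left to right to an empty set.
 * Returns 0 with the enabled set in *out, or -1 for an unknown token. */
int eval_ssl_protocol(const char *args, unsigned *out)
{
    char buf[256], *tok;
    unsigned set = 0;
    if (strlen(args) >= sizeof(buf)) return -1;
    strcpy(buf, args);
    for (tok = strtok(buf, " \t\""); tok; tok = strtok(NULL, " \t\"")) {
        char action = (*tok == '+' || *tok == '-') ? *tok++ : 0;
        unsigned bits = 0;
        for (size_t i = 0; i < sizeof(protos) / sizeof(protos[0]); i++)
            if (strcasecmp(tok, protos[i].name) == 0) bits = protos[i].bits;
        if (!bits) return -1;
        if (action == '-')      set &= ~bits;  /* remove from the set */
        else if (action == '+') set |= bits;   /* add to the set */
        else                    set = bits;    /* bare name replaces the set */
    }
    *out = set;
    return 0;
}

/* 1 when the directive parses but leaves no protocol enabled. */
int ssl_protocol_is_empty(const char *args)
{
    unsigned set;
    return eval_ssl_protocol(args, &set) == 0 && set == 0;
}

int main(void)
{
    /* Constructed sample directives; the first three are the page's examples. */
    const char *s[] = { "-TLSv1", "-all", "TLSv1.2 -TLSv1.2", "all -SSLv3" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s %s\n", s[i], ssl_protocol_is_empty(s[i]) ? "empty" : "ok");
    return 0;
}
```
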
has global effect.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOpenSSLConfCmd):
Disallow use within vhost context.
PR: 69397
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1921336 13f79535-47bb-0310-9956-ffa450edef68
via the ENGINE API without SSLCryptoDevice configured.
* modules/ssl/ssl_engine_pphrase.c
(modssl_load_keypair_engine): Return APR_ENOTIMPL if the ENGINE
could not be loaded for the key.
(modssl_load_engine_keypair): Always try loading via ENGINE
(as prior to r1914365) but fall back to the STORE API for
the new APR_ENOTIMPL case.
Github: closes #480
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920597 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_private.h:
Add conn_rec and server_rec args to modssl_set_io_callbacks().
* modules/ssl/ssl_engine_io.c(modssl_set_io_callbacks):
Don't set modssl_io_cb for log levels below TRACE4.
* modules/ssl/ssl_engine_io.c(ssl_io_filter_init),
modules/ssl/ssl_engine_kernel.c(ssl_find_vhost):
Call modssl_set_io_callbacks() unconditionally.
* modules/ssl/ssl_engine_io.c(modssl_io_cb):
While at it, (cmd & BIO_CB_WRITE) is enough to differentiate a
write from read.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1918883 13f79535-47bb-0310-9956-ffa450edef68
Since r1908537 BIO_set_callback_ex is used with OpenSSL >= 3.0 instead of
BIO_set_callback to set the BIO callback. The meaning of parameters and
their range of values in the callback function set by BIO_set_callback_ex
has changed compared to the callback function set by BIO_set_callback
although parameters kept their names. Accommodate for this and adjust the
code accordingly.
Furthermore limit the size of dumps to APR_UINT16_MAX bytes. Given the length
of SSL records of 16k this should not have practical implications.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1918880 13f79535-47bb-0310-9956-ffa450edef68
refcounting issue in mod_ssl.
* modules/ssl/ssl_engine_pphrase.c (modssl_engine_cleanup):
New function.
(modssl_load_keypair_engine): Take pconf & ptemp arguments, don't
call ENGINE_finish() immediately but register the above cleanup.
(modssl_load_engine_keypair): Pass through pconf & ptemp.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
Pass through pconf and ptemp to modssl_load_engine_keypair.
Github: closes #446
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1918024 13f79535-47bb-0310-9956-ffa450edef68
is now approaching 15 years old.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
Fail if used.
(ssl_config_server_new, ssl_config_server_merge): Remove insecure
reneg handling.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Remove
insecure_reneg handling.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917600 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/mod_ssl_ct.c(client_extension_add_callback,
server_extension_add_callback):
Variable ext_type is unsigned, so use %u instead of %hu.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916924 13f79535-47bb-0310-9956-ffa450edef68
Replace else with an if as the if branch no longer ensures that
custom DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
to no longer be set, thus effectively disabling DH ciphers when no explicit
DH parameters are set.
PR: 68863
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
Latest OpenSSL versions have OPENSSL_NO_COMP by default, avoid breaking
existing "SSLCompression off" in configurations since it's a noop.
* modules/ssl/ssl_engine_config.c(ssl_cmd_SSLCompression):
Don't fail for OPENSSL_NO_COMP if the flag is "off".
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916561 13f79535-47bb-0310-9956-ffa450edef68
Update to avoid GCC warning for no-engine builds where the
SSLModConfigRec is not used. Also log an error for the ENOTIMPL
path.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916057 13f79535-47bb-0310-9956-ffa450edef68
Latest OpenSSL versions removed the ENGINE API completely, still provide NULL
SSLModConfigRec::szCryptoDevice since it's used outside MODSSL_HAVE_ENGINE_API.
SSLModConfigRec is a private struct, so no MMN change.
* modules/ssl/ssl_private(SSLModConfigRec):
Provide szCryptoDevice (NULL) even if !MODSSL_HAVE_ENGINE_API.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1915889 13f79535-47bb-0310-9956-ffa450edef68
the STORE API. Separates compile-time support for the STORE API
(supported in 3.x) from support for the ENGINE API (deprecated in
3.x).
* modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
OpenSSL 3.0+.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
modssl_load_keypair_store): New functions.
(modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
(modssl_load_engine_keypair): Reimplement to use new STORE-based
functions if SSLCryptoDevice was not configured, or else old
ENGINE implementation.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
also for the OpenSSL 3.x STORE API.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
message on error paths for the provider/STORE case.
Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com>
Submitted by: Ingo Franzki <ifranzki linux.ibm.com>
Github: closes #397, closes #398
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1914365 13f79535-47bb-0310-9956-ffa450edef68
Since the fix to MODSSL_USE_OPENSSL_PRE_1_1_API in r1908537, we are sure that
!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
in this block.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913838 13f79535-47bb-0310-9956-ffa450edef68
Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not
available, OPENSSL_NO_ENGINE or more generally with the new API (providers)
available since OpenSSL >= 3.
* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.
* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and
HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.
Submitted by: ylavic, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1913815 13f79535-47bb-0310-9956-ffa450edef68
SSL routines::unexpected eof while reading" when using
OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
available. [Rainer Jung]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1912015 13f79535-47bb-0310-9956-ffa450edef68
* mod_ssl_openssl.h:
Make it the first OpenSSL header to be included, selecting the
OpenSSL api based on OPENSSL_API_COMPAT eventually.
* ssl_private.h:
Define OPENSSL_API_COMPAT to version 1.1.1 (last one supporting ENGINE_ API)
before including mod_ssl_openssl.h to enable the ENGINE_ api (TODO: switch to
new "providers" api before the ENGINE_ api is abandoned..).
mod_ssl.h is now implicitly included from there.
Fix preprocessor "#define FOO (COND)" to "#if COND #define FOO 1 #else #define FOO 0".
Define MODSSL_HAVE_ENGINE_API iff OPENSSL_API_COMPAT < 3.0 (otherwise all the
engine features are disabled, only "builtin" is accepted).
Define HAVE_SRP iff OPENSSL_API_COMPAT < 3.0 (no replacement for this api
above, so it might not be implemented in httpd anymore at some point..).
Define X509_get_not{Before,After} if missing to the non deprecated version.
New modssl_set_io_callbacks() to factorize compat code for io callbacks.
ssl_dh_GetParamFromFile() becomes modssl_dh_from_file() for openssl < 3.0 and
modssl_dh_pkey_from_file() for openssl >= 3.0.
* mod_ssl.c, mod_ssl_ct.c, ssl_util_stapling:
Including "ssl_private.h" only is suited/enough now.
* mod_ssl_ct.c, ssl_ct_log_config:
Use EVP api with openssl >= 3 instead of the deprecated SHA256 one.
* ssl_engine_config.c(ssl_cmd_SSLCryptoDevice):
Disabled engines (besides NULL/"builtin"/NULL) unless MODSSL_HAVE_ENGINE_API.
* ssl_engine_init:
New compat modssl_runtime_lib_version() to address deprecated SSLeay().
ssl_init_Engine() does nothing unless MODSSL_HAVE_ENGINE_API.
Simplify ssl_init_server_certs() (less #ifdef-ery) with scoped local vars.
Compat loading DH parameters and EC curve from cert.
* ssl_engine_io.c, ssl_engine_kernel.c:
Implement common modssl_set_io_callbacks() and use it.
* ssl_engine_pphrase(modssl_load_engine_keypair):
Depend on MODSSL_HAVE_ENGINE_API, or return ENOTIMPL.
* ssl_util.c(modssl_is_engine_id):
No engine supported unless MODSSL_HAVE_ENGINE_API.
* ssl_util_ssl.c(modssl_dh_pkey_from_file, modssl_ec_group_from_file):
Compat with openssl >= 3.0.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908537 13f79535-47bb-0310-9956-ffa450edef68
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1903167 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_private.h():
#define modssl_fips_is_enabled() and modssl_fips_enable() to wrap the
native OpenSSL FIPS functions available on OPENSSL_VERSION_NUMBER.
* modules/ssl/ssl_engine_init.c(ssl_init_Module, modssl_fips_cleanup):
Use the new wrappers instead of the OPENSSL_VERSION_NUMBER < 3.0 functions.
Submitted by: Petr Sumbera <petr.sumbera oracle.com>, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901470 13f79535-47bb-0310-9956-ffa450edef68
Drop noop functions for BIO methods mod_ssl doesn't implement.
OpenSSL handles missing BIO methods internally in BIO_xxxx() wrappers.
Consistently log at TRACE4 unhandled _ctrl commands, but note
these are not a "BUG" as in the previous log message.
PR: 66028
Github: closes #316
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900309 13f79535-47bb-0310-9956-ffa450edef68