users to convert an attribute value without conversion to UTF-8. (A
public CA has issued certs with attributes tagged as the wrong ASN.1
string types.)
* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from
asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as
macro.
(modssl_X509_NAME_ENTRY_to_string): Add raw argument.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw
string conversion if _RAW suffix is present in DN component.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1811976 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: unshare SSLSrvConfigRec instances between base server and virtual hosts. This avoids
overwrites of later initializattions (vhost_id), selective disables by "SSLEngine addr-list"
and certificate/key pickup from mod_md.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1809037 13f79535-47bb-0310-9956-ffa450edef68
mod_ssl: not using SSLV3 constant that would define what we mean by SSL version 3 if openssl does not know about SSL version 3. Then we pretend to not know about it either.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1805186 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
* For the time being keep on caching OCSP_RESPONSE_STATUS_TRYLATER. The effect can be limited by setting SSLStaplingErrorCacheTimeout.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1798460 13f79535-47bb-0310-9956-ffa450edef68
This is most likely a follow-up to r1628833.
At some point during the OpenSSL 1.0.2 beta, the contract for custom
extension callbacks changed from "returning -1 skips the extension" to
"returning -1 will issue a TLS fatal alert". This caused mod_ssl_ct to
abort TLS connections that it intended to ignore. Zero is the correct
return value for "do nothing" in 1.0.2.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1791845 13f79535-47bb-0310-9956-ffa450edef68
CRYPTO_THREADID_set_callback() is write-once, so if mod_ssl is unloaded
and reloaded into a different address, we'll crash if OpenSSL wasn't
also unloaded and reloaded at the same time. This can happen if another
module or library is using OpenSSL as well.
- OpenSSL 1.1.0 isn't affected.
- Certain platforms (Windows, BeOS, and POSIX-compliant systems) can
make use of the default THREADID callback in OpenSSL 1.0.x.
- If the deprecated CRYPTO_set_id_callback() is available, we can use it
instead of CRYPTO_THREADID_set_callback().
Otherwise, we have to fall back to CRYPTO_THREADID_set_callback(), but
hopefully that applies to a small percentage of users at this point.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/trunk-openssl-threadid@1791732 13f79535-47bb-0310-9956-ffa450edef68
OpenSSL team is committed to preserving safe _free(NULL) behaviors, and the
overhead of these calls in the context setup path is inconsequential.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783434 13f79535-47bb-0310-9956-ffa450edef68
This was our first compatibility pattern but we are not preserving it, it seems
irrelevant since the death of 16 bit Windows object files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1783432 13f79535-47bb-0310-9956-ffa450edef68
