Commit Graph

41 Commits

Author SHA1 Message Date
507e66cc67 Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E


Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E


Improve ephemeral key handling (companion to r1526168):

- allow configuring custom DHE or ECDHE parameters via the
  SSLCertificateFile directive, and adapt its documentation
  accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,
  use them based on the length of the certificate's RSA/DSA key,
  and add a FAQ entry for clients which limit DH support
  to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
  ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.


PR 55616 (add missing APLOGNO), part 2
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
2013-11-15 17:06:18 +00:00
32bf896e8f backport r1385216, r1387610 from trunk:
Spin off module-specific build options into separate build vars.
[second try, supersedes r1385214]

Add MOD_CFLAGS, MOD_LDFLAGS variables etc. to the build commands,
which are available to modules for customization on a per-subdir
basis (by adding definitions to modules.mk). Reduces the risk
of side-effects when a module needs to add CFLAGS, LDFLAGS etc.
and these would be added to the global settings (ALL_CFLAGS etc.).

Adapt build settings for mod_ssl, mod_socache_dc, mod_deflate,
mod_xml2enc, mod_proxy_html, and mod_lua to use the new MOD_xxx
build variables.

Change PICFLAGS, SHLTCFLAGS and LTCFLAGS into config vars, instead
of AC_SUBSTing them in build/rules.mk.in. For support/ab, introduce
ab_CFLAGS and ab_LDFLAGS, and define explicit make targets where
they appear at the proper position in the build commands.

Consistently use "--with-xxx=PATH" in configure help strings which
are used to specify a path to the installation directory of an
auxiliary package.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1390518 13f79535-47bb-0310-9956-ffa450edef68
2012-09-26 14:30:31 +00:00
2453c22a1a Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154688 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:36:57 +00:00
1eb818742f Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:29:09 +00:00
5dd473c6d4 enable mod_ssl at level 'most'
Let's assume that if a system has the openssl dev headers installed in
the default location, it is very unlikely that crypto is forbidden in
the country that the system is located in.

If no ssl toolkit is found, disable mod_ssl instead of aborting.

The actual change is small, use 'diff -b' to review


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1150471 13f79535-47bb-0310-9956-ffa450edef68
2011-07-24 19:06:59 +00:00
a68daf2a82 Allow specifying module-specific custom linker flags
via the MOD_XXX_LDADD variables.

Use APR_ADDTO instead of APR_SETVAR or direct
variable assignment.

This is especially useful when building mod_lua
or mod_deflate against a lua resp. libz which
are installed in non-standard locations.
One can add "-R ..." to MOD_LUA_LDADD and
MOD_DEFLATE_LDADD before configure to fix
the RPATH/RUNPATH of those modules.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1142938 13f79535-47bb-0310-9956-ffa450edef68
2011-07-05 09:24:23 +00:00
35cdba6976 Replace ap_expr with a parser derived from mod_ssl's parser. Make mod_ssl use
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.

The Netware and Windows build files still need to be adjusted


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1032073 13f79535-47bb-0310-9956-ffa450edef68
2010-11-06 14:31:16 +00:00
b2cb650f61 Add support for OCSP "stapling":
* modules/ssl/ssl_util_stapling.c: New file.

* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.

* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
  OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
  extension support enabled).

* modules/ssl/mod_ssl.c: Add config directives.

* modules/ssl/ssl_private.h: Add prototypes for new functions.
  (SSLModConfigRec): Add fields for stapling socache instance and
  associated mutex.
  (modssl_ctx_t): Add config fields for stapling.

* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
  Call the stapling initialization functions.

* modules/ssl/ssl_engine_config.c: Add config hooks.

* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
  instance for OCSP responses.

Submitted by: Dr Stephen Henson <shenson oss-institute.org>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
2009-10-25 17:21:10 +00:00
759da80c79 Session cache interface redesign, Part 9:
Switch mod_ssl to use the ap_socache interface.

* modules/ssl/ssl_scache_shmcb.c, modules/ssl/ssl_scache_memcache.c,
  modules/ssl/ssl_scache_dc.c, modules/ssl/ssl_scache_dbm.c: Remove
  files.

* modules/ssl/mod_ssl.c (modssl_register_scache): Remove function.

* modules/ssl/ssl_private.h: Remove modssl_sesscache_provider etc.
  (SSLModConfigRec): Switch to using socache types.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Switch to
  use socache provider.

* modules/ssl/ssl_engine_mutex.c, modules/ssl/ssl_scache.c: Switch to
  using socache constants.

* modules/ssl/config.m4: Drop distache/memcache configuration, remove
  old objects.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@645940 13f79535-47bb-0310-9956-ffa450edef68
2008-04-08 14:21:24 +00:00
33c045efb2 mod_ssl: Add support for OCSP validation of client certificates:
* modules/ssl/ssl_engine_config.c (modssl_ctx_init,
  modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
  (ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
  ssl_cmd_SSLOCSPEnable): Add functions.

* modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.

* modules/ssl/ssl_private.h: Add prototypes, config options to
  modssl_ctx_t.

* modules/ssl/ssl_util_ocsp.c: New file, utility interface for
  dispatching OCSP requests.

* modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
  OCSP validation.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
  OCSP validation if configured, and the cert is so-far verified to be
  trusted.  Fail if OCSP validation is configured and the optional-no-ca
  check tripped.

* modules/ssl/config.m4: Check for OCSP support, build new files.

* modules/ssl/mod_ssl.dsp: Build new files.

* modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
  interfaces.

PR: 41123
Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton
Reviewed by: Steve Henson <steve openssl.org>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@599385 13f79535-47bb-0310-9956-ffa450edef68
2007-11-29 11:18:40 +00:00
f8b84a19ac Remove unneeded -I in apr_memcache test, since _INCLUDES already includes them on the paths
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@555463 13f79535-47bb-0310-9956-ffa450edef68
2007-07-12 02:20:53 +00:00
bcfcc8509a Fix VPATH builds of httpd with the apr_memcache backend for ssl sessions, when APR and APR-Util are also in a VPATH. This is caused by APR_INCLUDEDIR actually having multiple paths in a VPATH builds, so we need to use _INCLUDES instead.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@555458 13f79535-47bb-0310-9956-ffa450edef68
2007-07-12 02:06:01 +00:00
1b7a5c2566 Add support for distributed caching of SSL Sessions inside memcached, using apr_memcache, which is present in APR-Util 1.3/trunk.
This was originally written at ApacheCon US 2005 (San Diego), and was sent to the list:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200512.mbox/%3C439C6C07.9030904@force-elite.com%3E

This version is slightly cleaned up, and of course, uses the now bundled apr_memcache, rather than an external dependency.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@545379 13f79535-47bb-0310-9956-ffa450edef68
2007-06-08 02:48:04 +00:00
70d52262ee update license header text
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@421021 13f79535-47bb-0310-9956-ffa450edef68
2006-07-11 23:07:06 +00:00
8543206431 update license header text
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@421020 13f79535-47bb-0310-9956-ffa450edef68
2006-07-11 23:04:56 +00:00
ebe24d48c7 Update the last year of copyright.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@395229 13f79535-47bb-0310-9956-ffa450edef68
2006-04-19 12:23:42 +00:00
9687f8c6a7 Update remaining 2004 copyright notices.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@190592 13f79535-47bb-0310-9956-ffa450edef68
2005-06-14 13:54:34 +00:00
4ada6c2966 * modules/ssl/config.m4: Use libtool's -export-symbols-regex flag to
hide all global symbols defined by mod_ssl other than the module
structure (where possible).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@105740 13f79535-47bb-0310-9956-ffa450edef68
2004-11-10 15:11:23 +00:00
15e2a44274 Fix use of mod_ssl as a DSO linked against static SSL libraries; also
stop linking all of support/* against the SSL libraries:

* acinclude.m4 (APACHE_MODULE): Define MOD_FOO_LDADD which each
module .la library will be linked against.
(APACHE_MODPATH_ADD): Link static modules against the provided libraries.
(APACHE_CHECK_SSL_TOOLKIT): Put SSL libraries in SSL_LIBS and export
that to config_vars.mk.

* support/Makefile.in: Link ab against SSL_LIBS.

* modules/ssl/config.m4: Add SSL_LIBS and distcache libraries to
MOD_SSL_LDADD.

PR: 17217


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102870 13f79535-47bb-0310-9956-ffa450edef68
2004-03-06 16:47:41 +00:00
3ca3524c31 Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.

* Makefile.in (install-include): Only install mod_ssl.h.

* modules/ssl/ssl_private.h: New file.

* modules/ssl/mod_ssl.h: Move everything apart from the optional
hook definitions into ssl_private.h.

* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h

* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.

* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
2004-02-28 18:06:35 +00:00
3b3113012f Relicense.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102799 13f79535-47bb-0310-9956-ffa450edef68
2004-02-28 11:55:46 +00:00
a91a2e172b We need the SSL module dir in our path in order to compile mod_ssl.
Otherwise, we can't find mod_ssl.h.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102515 13f79535-47bb-0310-9956-ffa450edef68
2004-02-05 17:54:30 +00:00
3c52d23027 Add support to mod_ssl for a distributed session cache using
distcache.

* LAYOUT: Update for removal of scache_shmht and addition of scache_dc.

* modules/ssl/config.m4: Check for libdistcache; build ssl_scache_dc.lo.

* modules/ssl/mod_ssl.dsp: Build ssl_scache_dc (with luck).

* modules/ssl/mod_ssl.h: Add SSL_SCMODE_DC and scache_dc_* prototypes.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLSessionCache): Allow
use of dc: argument.

* modules/ssl/ssl_scache_dc.c: New file.

* modules/ssl/ssl_scache.c (ssl_scache_init, ssl_scache_kill,
ssl_scache_store, ssl_scache_retrieve, ssl_scache_remove,
ssl_ext_status_hook): Hook into scache_dc.

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102227 13f79535-47bb-0310-9956-ffa450edef68
2004-01-08 16:26:53 +00:00
9ddbb80f51 Remove shmht session cache in favour of shmcb; shmht has had
data corruption bugs since being apr_rmm'ified.

* config.m4, mod_ssl.dsp: Don't build ssl_util_table and
ssl_scache_shmht.

* ssl_util_table.h, ssl_util_table.c, ssl_scache_shmht.c: Removed
files.

* mod_ssl.h (SSLModConfigRec): Use a void * pointer for storing
the scache-specific data.

* ssl_engine_config.c (ssl_cmd_SSLSessionCache): Treat shmht: as
shmcb:.

* ssl_scache.c: Remove shmht hooks throughout.

* ssl_scache_shmcb.c: Remove casts to use the table_t * pointer as a
void *.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@101888 13f79535-47bb-0310-9956-ffa450edef68
2003-11-25 15:46:37 +00:00
b36a32b59a These tests now exist in acinclude.m4
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100041 13f79535-47bb-0310-9956-ffa450edef68
2003-05-27 19:28:39 +00:00
26f1ba8050 The patch below reverts the prior commit to eliminate SSL_set_state().
Some additional work or research is required in order to pass the
perl-framework regressions, but I don't have the cycles and don't
care to leave the broken code in cvs HEAD.

REVERTING: wrowe 2003/05/19 08:13:19

  Modified:    modules/ssl config.m4 ssl_engine_io.c ssl_engine_kernel.c
                        ssl_toolkit_compat.h
  Log:
    Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
    rehandshaking the SSL connection, vis-a-vis ApacheSSL.

  Revision  Changes    Path
  1.15      +0 -1      httpd-2.0/modules/ssl/config.m4
  1.108     +1 -1      httpd-2.0/modules/ssl/ssl_engine_io.c
  1.93      +1 -1      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  1.34      +0 -6      httpd-2.0/modules/ssl/ssl_toolkit_compat.h


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100004 13f79535-47bb-0310-9956-ffa450edef68
2003-05-22 19:41:32 +00:00
1a6f1ae739 Drop SSL_set_state() in favor of a proper SSL_renegotiate() to begin
rehandshaking the SSL connection, vis-a-vis ApacheSSL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99921 13f79535-47bb-0310-9956-ffa450edef68
2003-05-19 15:13:19 +00:00
a5708f15e6 Roll away the SSL_EXPERIMENTAL_ENGINE test in favor of testing for the
ENGINE_init() function in config.m4, and rely on HAVE_ENGINE_INIT instead.

Reviewed by: Ben Laurie (concept)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99919 13f79535-47bb-0310-9956-ffa450edef68
2003-05-19 14:48:47 +00:00
aab043443e First point out that we lost HAVE_SSL_SET_STATE and HAVE_SSL_SET_CERT_STORE
autoconf discovery.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99918 13f79535-47bb-0310-9956-ffa450edef68
2003-05-19 14:43:20 +00:00
434aab19d0 Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).

Submitted by: Geoff Thorpe <geoff@geoffthorpe.net>
Reviewed by: Madhu, Justin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98999 13f79535-47bb-0310-9956-ffa450edef68
2003-03-13 20:36:39 +00:00
1d739333a1 removing old proxy extension code
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94301 13f79535-47bb-0310-9956-ffa450edef68
2002-03-29 07:36:01 +00:00
aeb7f9eb0b add configure checks for ssl functions:
- SSL_set_state: macro in OpenSSL, might be a function in a patched sslc
- SSL_set_cert_store: patch submitted to OpenSSL, might be applied to
  OpenSSL or sslc


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94223 13f79535-47bb-0310-9956-ffa450edef68
2002-03-27 17:02:56 +00:00
845cbfd508 Update our copyright for this year.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93918 13f79535-47bb-0310-9956-ffa450edef68
2002-03-13 20:48:07 +00:00
cc61103ca6 remove obsolete ssl_ds_{table,array} api
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93891 13f79535-47bb-0310-9956-ffa450edef68
2002-03-13 04:14:43 +00:00
a4cd98f6e6 Turns out this is causing problems on my linux box (libtool 1.3.5), so
I'm going to remove it until I or someone else can come up with a better
way to check for and link against libssl and libcrypto for mod_ssl.so.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91950 13f79535-47bb-0310-9956-ffa450edef68
2001-11-14 18:56:18 +00:00
525ee8feac Gets mod_ssl building/loading as a DSO on some platforms (like HPUX).
Submitted by: Madhu Mathihalli <madhusudan_mathihalli@hp.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91791 13f79535-47bb-0310-9956-ffa450edef68
2001-11-07 19:42:07 +00:00
ba518019b5 Eventually we will want to only find openssl once regardless of how
many modules depend on it, so make the check an autoconf macro.
Note that this still isn't being checked "the autoconf way", but it
is better than what we have now.

I'm not sure about the -R stuff, but I am told that Solaris won't
build without it.  This is something that should be tested using
AC_TRY_LINK rather than assuming openssl isn't already on the ld path.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89063 13f79535-47bb-0310-9956-ffa450edef68
2001-05-10 01:47:47 +00:00
61084bf9ce When no specific location of openssl is given, we need to check the
places where people install upgraded software first, since otherwise
we will get the older versions installed by the OS distribution.  That's
very bad for us because we are requiring a version of openssl that is
more recent than most of the Linux distros.

When finding the openssl helper program, check both the PATH and the default
install dirs, since openssl isn't normally included on a user's path.

Use APR_ADDTO to add to the make macros in order to avoid duplicates.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89053 13f79535-47bb-0310-9956-ffa450edef68
2001-05-08 04:42:26 +00:00
507c1de06c remove remaining references to compat and sdbm
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89015 13f79535-47bb-0310-9956-ffa450edef68
2001-05-05 15:32:46 +00:00
f176ba44b1 Next step in mod_ssl integration:
Add missing files to build environment.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89006 13f79535-47bb-0310-9956-ffa450edef68
2001-05-05 10:12:08 +00:00
680f9c0157 Integrate mod_ssl into the Autoconf facility.
(currently only stub files are compiled)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89002 13f79535-47bb-0310-9956-ffa450edef68
2001-05-05 09:25:52 +00:00