Commit Graph

66 Commits

Author SHA1 Message Date
5e6194b6f4 merge r1693792 from trunk
Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
  "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:38:34 +00:00
b0dc766b75 merge r1674538, r1677143, r1677144, r1677145, r1677146, r1677149, r1677151,
r1677153, r1677154, r1677155, r1677156, r1677159, r1677830, r1677832,
r1677834, r1677835 from trunk

mod_ssl namespacing

Proposed by: kbrand
Reviewed by: ylavic, jorton


mod_ssl namespacing: Rename ssl_util_ssl.h macros from SSL_foo to MODSSL_foo.
For related discussion, see the dev@ thread starting at:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3C20150415163613.GC15209%40fintan.stsp.name%3E

mod_ssl namespacing: Rename SSL_init_app_data2_idx, SSL_get_app_data2,
and SSL_set_app_data2 from SSL_* to modssl_*. Update references in
README.dsov.* files. Rename static variable SSL_app_data2_idx to just
app_data2_idx since the symbol is internal to ssl_util_ssl.c.

mod_ssl namespacing: SSL_read_PrivateKey -> modssl_read_privatekey

mod_ssl namespacing: SSL_smart_shutdown -> modssl_smart_shutdown

mod_ssl namespacing: SSL_X509_getBC -> modssl_X509_getBC

mod_ssl namespacing: Make SSL_ASN1_STRING_to_utf8 a static function inside
ssl_util_ssl.c (no callers outside this file). The new static function name
chosen is convert_asn1_to_utf8, based on the assumption that neither SSL_
nor ASN1_ are safe prefixes to use without potential future overlap.

mod_ssl namespacing: Rename SSL_X509_NAME_ENTRY_to_string to
modssl_X509_NAME_ENTRY_to_string.

mod_ssl namespacing: SSL_X509_NAME_to_string -> modssl_X509_NAME_to_string

mod_ssl namespacing: SSL_X509_getSAN -> modssl_X509_getSAN

mod_ssl namespacing: Make SSL_X509_getIDs a static function inside the
file ssl_util_ssl.c (no outside callers). Rename to just getIDs().

mod_ssl namespacing: SSL_X509_match_name -> modssl_X509_match_name

mod_ssl namespacing: SSL_X509_INFO_load_file -> modssl_X509_INFO_load_file

mod_ssl namespacing: Merge SSL_X509_INFO_load_path() into its only caller
ssl_init_proxy_certs() in ssl_engine_init.c. No functional change.
Review by: kbrand

mod_ssl namespacing: Move modssl_X509_INFO_load_file() into ssl_engine_init.c
and make it a static function called load_x509_info().

mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c
and make it a static function called use_certificate_chain().

mod_ssl namespacing: Rename SSL_SESSION_id2sz() to modssl_SSL_SESSION_id2sz().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706002 13f79535-47bb-0310-9956-ffa450edef68
2015-09-30 11:31:43 +00:00
4a431da73b Merge r1650047 from trunk:
Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
  of subjectAltName entries for the "StdEnvVars" case

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
  individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
  or with full-list extraction to the environment ("StdEnvVars")

* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype

* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
  SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
  code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
  suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
  entry types appearing in user or server certificates (i.e., rfc822Name
  and dNSName), for the time being.

* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
  and SSL_X509_getSAN prototypes


Proposed by: kbrand
Reviewed by: ylavic, druggeri


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1676087 13f79535-47bb-0310-9956-ffa450edef68
2015-04-26 07:03:31 +00:00
360c7e5869 Merge r1666297 from trunk:
ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
checking the server certificate constraints (SSL_X509_getBC()).



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673940 13f79535-47bb-0310-9956-ffa450edef68
2015-04-15 19:49:31 +00:00
e22d89c9d6 Merge r1601184, r1601274, r1601185 from trunk:
mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
         PR54998.

Submitted By: Tim Kosse <tim.kosse filezilla-project.org>, ylavic
Committed By: ylavic


mod_ssl: SSL_smart_shutdown(): follow up to r1601184.
Use SSL_get_wbio() to comply with OPENSSL_NO_SSL_INTERN.
Stop SSL shutdown loop when flush fails.


mpm_event[opt]: Send the SSL close notify alert when the KeepAliveTimeout
                expires. PR54998.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1651077 13f79535-47bb-0310-9956-ffa450edef68
2015-01-12 13:31:16 +00:00
674752a723 Merge r1546804, r1553824, r1554192, r1555463, r1555467, r1563417, r1564760, r1565081 from trunk:
Throw away the myCtxVar{Set,Get} abomination and introduce
a pphrase_cb_arg_t struct instead, for passing stuff between
ssl_pphrase_Handle and ssl_pphrase_Handle_CB. Prefer struct
members instead of using additional local variables, to make
the data flow more transparent. (Doesn't "vastly simplify"
the code yet, but hopefully we'll get there when further
stripping down ssl_pphrase_Handle.)


Remove the hardcoded algorithm-type dependency for the SSLCertificateFile
and SSLCertificateKeyFile directives, and deprecate SSLCertificateChainFile

Splitting the patch into smaller pieces turned out to be infeasible,
unfortunately, due to the heavily intertwined code in ssl_engine_config.c,
ssl_engine_init.c and ssl_engine_pphrase.c, which all depends on the
modssl_pk_server_t data structure. For better comprehensibility,
a detailed listing of the changes follows:

ssl_private.h
- drop the X509 certs and EVP_PKEY keys arrays from modssl_pk_server_t
- use apr_array_header_t for cert_files and key_files
- drop tPublicCert from SSLModConfigRec
- drop the ssl_algo_t struct and the SSL_ALGO_* and SSL_AIDX_* constants

ssl_engine_config.c
- change to apr_array_header_t for SSLCertificate[Key]File
- drop ssl_cmd_check_aidx_max, i.e. allow an arbitrary number of certs
  and keys (in theory; currently OpenSSL does not support more than
  one cert/key per algorithm type)
- add deprecation warning for SSLCertificateChainFile

ssl_engine_init.c
- configure server certs/keys in ssl_init_server_certs (no longer via
  ssl_pphrase_Handle in ssl_init_Module)
- in ssl_init_server_certs, read in certificates and keys with standard
  OpenSSL API functions (SSL_CTX_use_*_file), and only fall back to
  ssl_load_encrypted_pkey when encountering an encrypted private key
- drop ssl_server_import_cert, ssl_server_import_key, ssl_init_server_check,
  and ssl_init_ctx_cleanup_server
- move the "problematic re-initialization" check to ssl_init_server_ctx

ssl_engine_pphrase.c
- use servername:port:index as the key identifier, instead of the
  previously used servername:port:algorithm
- ssl_pphrase_Handle overhaul: remove all cert/public-key handling,
  make it only load a single (encrypted) private key, and rename
  to ssl_load_encrypted_pkey
- in the passphrase prompt message, show the private key file name
  instead of the vhost id and the algorithm name
- do no longer supply the algorithm name as an argument to "exec"-type
  passphrase prompting programs

ssl_util.c
- drop ssl_util_algotypeof, ssl_util_algotypestr, ssl_asn1_keystr,
  and ssl_asn1_table_keyfmt

ssl_util_ssl.{c,h}
- drop SSL_read_X509
- constify the filename arg for SSL_read_PrivateKey


CodeWarrior compiler doesn't allow vars as struct inits.


Remove per-certificate chain handling code (obsoleted by
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b9fa413a08d436d6b522749b5e808fcd931fd943)


make the ppcb_arg initialization a bit more uniform and easier to read

Followup fix for r1553824:

also pass the file name to ssl_load_encrypted_pkey, to make sure that we
retry with the same filename we used for SSL_CTX_use_PrivateKey_file first


With OpenSSL 1.0.2 or later, enable OCSP stapling in a loop based on
SSL_CTX_set_current_cert(), near the end of ssl_init_server_ctx.


update APLOGNO for r1564760
Submitted by: kbrand, fuankg, kbrand, kbrand, kbrand, kbrand, kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1573360 13f79535-47bb-0310-9956-ffa450edef68
2014-03-02 20:20:14 +00:00
3329c72ae3 Merge r1546805 from trunk:
SGC became dead in January 2000, effectively
(http://www.gpo.gov/fdsys/pkg/FR-2000-01-14/pdf/00-983.pdf)
Almost 14 years later, there's certainly no longer any need
to spit out some fancy log message.

Submitted by: kbrand
Reviewed by: covener, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1555787 13f79535-47bb-0310-9956-ffa450edef68
2014-01-06 14:09:18 +00:00
507e66cc67 Merge r1526168, r1527291, r1527294, r1527295, r1527926 from trunk:
Streamline ephemeral key handling:

- drop support for ephemeral RSA keys (only allowed/needed
  for export ciphers)

- drop pTmpKeys from the per-process SSLModConfigRec, and remove
  the temp key generation at startup (unnecessary for DHE/ECDHE)

- unconditionally disable null and export-grade ciphers by always
  prepending "!aNULL:!eNULL:!EXP:" to any cipher suite string

- do not configure per-connection SSL_tmp_*_callbacks, as it is
  sufficient to set them for the SSL_CTX

- set default curve for ECDHE at startup, obviating the need
  for a per-handshake callback, for the time being (and also
  configure SSL_OP_SINGLE_ECDH_USE, previously left out)

For additional background, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C52358ED1.2070704@velox.ch%3E


Follow-up fixes for r1526168:

- drop SSL_TMP_KEY_* constants from ssl_private.h, too

- make sure we also disable aNULL, eNULL and EXP ciphers
  for per-directory SSLCipherSuite directives

- apply the same treatment to SSLProxyCipherSuite


Increase minimum required OpenSSL version to 0.9.8a (in preparation
for the next mod_ssl commit, which will rely on the get_rfcX_prime_Y
functions added in that release):

- remove obsolete #defines / macros

- in ssl_private.h, regroup definitions based on whether
  they depend on TLS extension support or not

- for ECC and SRP support, set HAVE_X and change the rather awkward
  #ifndef OPENSSL_NO_X lines accordingly

For the discussion prior to taking this step, see
https://mail-archives.apache.org/mod_mbox/httpd-dev/201309.mbox/%3C524275C7.9060408%40velox.ch%3E


Improve ephemeral key handling (companion to r1526168):

- allow to configure custom DHE or ECDHE parameters via the
  SSLCertificateFile directive, and adapt its documentation
  accordingly (addresses PR 49559)

- add standardized DH parameters from RFCs 2409 and 3526,
  use them based on the length of the certificate's RSA/DSA key,
  and add a FAQ entry for clients which limit DH support
  to 1024 bits (such as Java 7 and earlier)

- move ssl_dh_GetParamFromFile() from ssl_engine_dh.c to
  ssl_util_ssl.c, and add ssl_ec_GetParamFromFile()

- drop ssl_engine_dh.c from mod_ssl

For the standardized DH parameters, OpenSSL version 0.9.8a
or later is required, which was therefore made a new minimum
requirement in r1527294.


PR 55616 (add missing APLOGNO), part 2
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1542327 13f79535-47bb-0310-9956-ffa450edef68
2013-11-15 17:06:18 +00:00
bab5655b88 Merge r1425874, r1426850 from trunk:
mod_ssl: add support for subjectAltName-based host name checking in proxy mode
(PR 54030)

factor out code from ssl_engine_init.c:ssl_check_public_cert()
to ssl_util_ssl.c:SSL_X509_match_name()

introduce new SSLProxyCheckPeerName directive, which should eventually
obsolete SSLProxyCheckPeerCN

ssl_engine_io.c:ssl_io_filter_handshake(): avoid code duplication
when aborting with HTTP_BAD_GATEWAY


Fix warning about discarding 'const' qualifier from pointer

Submitted by: kbrand, sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1485667 13f79535-47bb-0310-9956-ffa450edef68
2013-05-23 12:52:04 +00:00
f5f6d48631 Merge r1429559, r1451484 from trunk:
According to my testing 'SSL_SESSION_id2sz' is 4x faster with the use of 'ap_bin2hex' instead of
apr_snprintf(..., "%02X" for each character.
Output is the same.

I have left the uppercase conversion, because I'm unsure if it is useful or not.

SSL_SESSION_id2sz is only used for logging, having it in lowercase shouldn't be an issue.
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1455223 13f79535-47bb-0310-9956-ffa450edef68
2013-03-11 16:34:19 +00:00
0b9571d910 Merge r1294471 from trunk:
properly free the GENERAL_NAMEs, as pointed out in PR 32652

Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1294602 13f79535-47bb-0310-9956-ffa450edef68
2012-02-28 12:07:31 +00:00
2ca9bdb39b merge r1228816 from trunk:
fix signedness issue with SSL_X509_NAME_to_string()'s maxlen argument


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1228817 13f79535-47bb-0310-9956-ffa450edef68
2012-01-08 10:12:18 +00:00
ea32bc39c2 merge r1222917 from trunk:
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1222920 13f79535-47bb-0310-9956-ffa450edef68
2011-12-24 06:35:20 +00:00
2160d8594c In ssl_check_public_cert(), also take dNSNames in the subjectAltName
extension into account when checking the cert against the configured
ServerName. PR 32652, PR 47051.

Replace SSL_X509_getCN() by SSL_X509_getIDs(), which returns an array
of a cert's DNS-IDs and CN-IDs (terms as coined by RFC 6125).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1176752 13f79535-47bb-0310-9956-ffa450edef68
2011-09-28 06:52:39 +00:00
427c85bd23 Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1174751 13f79535-47bb-0310-9956-ffa450edef68
2011-09-23 13:39:32 +00:00
693aab21f0 Add ssl_log_xerror() and ssl_log_rxerror(), modeled after ssl_log_cxerror().
Add SSL_X509_NAME_to_string(), which converts an X509 distinguished name
to an RFC 2253 formatted string.
Adapt ssl_log_*error() to make use of SSL_X509_NAME_to_string().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1172797 13f79535-47bb-0310-9956-ffa450edef68
2011-09-19 20:23:27 +00:00
47cf15b852 Modify SSLProxyMachineCertificateChainFile to use X509 instead of X509_INFO and use openssl to construct the chain
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1170833 13f79535-47bb-0310-9956-ffa450edef68
2011-09-14 20:16:02 +00:00
2c24630059 Revamp CRL checking for client and remote servers:
- completely delegate CRL processing to OpenSSL
- introduce a new [Proxy]CARevocationCheck directive
- drop ssl_callback_SSLVerify_CRL from ssl_engine_kernel.c
- remove X509_STORE from modssl_ctx_t
- drop CRL store helper functions from ssl_util_ssl.c
- avoid sending "certificate_expired" SSL alerts to peers
  when the nextUpdate field of a CRL is in the past


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1165056 13f79535-47bb-0310-9956-ffa450edef68
2011-09-04 15:57:03 +00:00
9d6eb90c1e * Style fixes. No functional change.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1161011 13f79535-47bb-0310-9956-ffa450edef68
2011-08-24 08:45:18 +00:00
e5df36d18a Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1160863 13f79535-47bb-0310-9956-ffa450edef68
2011-08-23 19:35:07 +00:00
2453c22a1a Enforce OpenSSL 0.9.7 as a minimum requirement in configure, and
remove #ifdef'ed code which was relevant for earlier versions only.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154688 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:36:57 +00:00
7bd59fd67a Remove the ssl_toolkit_compat layer, which is no longer needed
after support for non-OpenSSL toolkits has been dropped.

Replace macros by their value proper where feasible, and keep
those definitions in ssl_private.h which depend on specific
OpenSSL versions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154687 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:34:31 +00:00
1eb818742f Drop support for the RSA BSAFE SSL-C toolkit from configure,
and remove #ifdef'ed code from mod_ssl and ab where applicable.

Consensus for dropping support for SSL/TLS toolkits other
than OpenSSL was reached on dev@httpd in June 2010 (message
with ID <20100602162310.GA11156@redhat.com> and follow-ups).


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68
2011-08-07 10:29:09 +00:00
86a2e138ca Fix EBCDIC related cut'n'paste error
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1054453 13f79535-47bb-0310-9956-ffa450edef68
2011-01-02 18:34:17 +00:00
7403827278 Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and 
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1054323 13f79535-47bb-0310-9956-ffa450edef68
2011-01-01 23:56:24 +00:00
6da4e2a55b Fix some compiler warnings:
- suggest braces around empty body in an 'if' statement
- comparison of unsigned expression >= 0 is always true
- comparison of unsigned expression < 0 is always false

Please review carefully.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@954641 13f79535-47bb-0310-9956-ffa450edef68
2010-06-14 20:55:59 +00:00
26d31ba35b * Fix compiler warning
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@930892 13f79535-47bb-0310-9956-ffa450edef68
2010-04-05 16:10:11 +00:00
caca27d000 Code tidy, certificate extension decode can be done with the single
function X509_get_ext_d2i().


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@930131 13f79535-47bb-0310-9956-ffa450edef68
2010-04-01 23:09:11 +00:00
e171af3118 The development trunk of OpenSSL has tightened up the type safety of the STACK construct
and the functions that manipulate it.  Make httpd trunk compile against OpenSSL HEAD
as well as OpenSSL 0.9.8j.  Also, get rid of some warnings.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@748396 13f79535-47bb-0310-9956-ffa450edef68
2009-02-27 05:16:18 +00:00
de659cbed0 update license header text
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@420983 13f79535-47bb-0310-9956-ffa450edef68
2006-07-11 20:33:53 +00:00
dd95d7c37c Update the copyright year in all .c, .h and .xml files
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@395228 13f79535-47bb-0310-9956-ffa450edef68
2006-04-19 12:11:27 +00:00
5061d9fa92 No functional Change: Removing trailing whitespace. This also
means that "blank" lines consisting of just spaces or
tabs are now really blank lines


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@332306 13f79535-47bb-0310-9956-ffa450edef68
2005-11-10 15:11:44 +00:00
407dc73f43 * modules/ssl/ssl_util_ssl.c (SSL_X509_STORE_create): Catch errors
returned by X509_LOOKUP_add_dir or X509_LOOKUP_load_file to detect
malformed or misconfigured CRLs.  Clear error stack beforehand to
ensure reported errors are relevant.

PR: 36438


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@265702 13f79535-47bb-0310-9956-ffa450edef68
2005-09-01 11:58:58 +00:00
905cdf9f0b Update copyright year to 2005 and standardize on current copyright owner line.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@151408 13f79535-47bb-0310-9956-ffa450edef68
2005-02-04 20:28:49 +00:00
3ca3524c31 Move mod_ssl-internal interfaces into ssl_private.h; allow mod_ssl.h
to be included even when mod_ssl is not enabled.

* Makefile.in (install-include): Only install mod_ssl.h.

* modules/ssl/ssl_private.h: New file.

* modules/ssl/mod_ssl.h: Move everything apart from the optional
hook definitions into ssl_private.h.

* modules/ssl/*.c: Include ssl_private.h not mod_ssl.h

* modules/ssl/config.m4: Always add the mod_ssl directory to the
include path so other modules can find mod_ssl.h.

* modules/proxy/mod_proxy.c: Include mod_ssl.h to pick up the optional
hook definitions rather than copy'n'pasting them.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102803 13f79535-47bb-0310-9956-ffa450edef68
2004-02-28 18:06:35 +00:00
a688f06b19 fix name of The Apache Software Foundation
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102618 13f79535-47bb-0310-9956-ffa450edef68
2004-02-09 20:31:03 +00:00
0b6155c539 fix copyright dates according to the first check in
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102573 13f79535-47bb-0310-9956-ffa450edef68
2004-02-08 12:52:25 +00:00
4f02cb1e18 apply Apache License, Version 2.0
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102525 13f79535-47bb-0310-9956-ffa450edef68
2004-02-06 22:58:42 +00:00
fb07607180 update license to 2004.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@102135 13f79535-47bb-0310-9956-ffa450edef68
2004-01-01 13:26:26 +00:00
2324dc4003 Use portable macro instead of the (no longer working) Apache-1.3 code
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100314 13f79535-47bb-0310-9956-ffa450edef68
2003-06-20 12:52:18 +00:00
e25454c894 Introduce a number of SSLC hints to mod_ssl, including the following
type overrides;

    MODSSL_CLIENT_CERT_CB_ARG_TYPE
    MODSSL_PCHAR_CAST      (for a host of non-void/const sslc values)
    modssl_read_bio_cb_fn  (for several callbacks with same prototypes)

  Declare callback functions appropriately.

  And protect us from indeterminate toolkits with
  #error "Unrecognized SSL Toolkit!"


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99183 13f79535-47bb-0310-9956-ffa450edef68
2003-04-03 04:54:20 +00:00
742af25096 finished that boring job:
update license to 2003.

Happy New Year! ;-))


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98573 13f79535-47bb-0310-9956-ffa450edef68
2003-02-03 17:53:28 +00:00
d0dd7a4711 All we care about is the type and name, just ask for the type and name.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98090 13f79535-47bb-0310-9956-ffa450edef68
2002-12-23 09:09:21 +00:00
5b745920ed fix the interface to PEM_read_bio_X509() with OpenSSL versions older than 0.9.4.
Submitted by:	Madhu Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by:	Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97308 13f79535-47bb-0310-9956-ffa450edef68
2002-10-25 22:03:52 +00:00
f54ba477aa stylistic improvements
Submitted by:   Madhu Mathihalli <madhusudan_mathihalli@hp.com>
Reviewed by:	Jeff Trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97298 13f79535-47bb-0310-9956-ffa450edef68
2002-10-25 01:17:00 +00:00
0070f5cebf Remove warnings seen with Sun's Forte compiler.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96818 13f79535-47bb-0310-9956-ffa450edef68
2002-09-15 00:00:48 +00:00
8c1cf821b8 fix SSL_X509_INFO_load_path so SSLProxyMachineCertificatePath works
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94406 13f79535-47bb-0310-9956-ffa450edef68
2002-04-02 22:07:09 +00:00
e430071911 enable/cleanup SSL_X509_INFO_load_{file,path} functions for use in
proxy context


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94323 13f79535-47bb-0310-9956-ffa450edef68
2002-03-30 01:41:35 +00:00
72518a3153 add modssl_dh_configure() function to fold some duplication in
get_dh{512,1024} and provide toolkit compat for sslc 2.x


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94225 13f79535-47bb-0310-9956-ffa450edef68
2002-03-27 18:19:44 +00:00
979adbad8a sslc does not currently support X509V3_EXT_d2i
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94216 13f79535-47bb-0310-9956-ffa450edef68
2002-03-27 05:50:56 +00:00